AOS-CX Switch Simulator

How to apply access restriction for ssh in Aruba CX

  • 1.  How to apply access restriction for ssh in Aruba CX

    Posted Oct 22, 2021 02:30 AM
    Dear All,

    On Cisco there is a command to restrict access to telnet / ssh. It is created from an ACL and then applied in line vty.

    like the following command:

    ip access-list standard TELNET
    permit 10.10.26.0 0.0.0.255
    permit 10.11.4.0 0.0.0.255
    permit 10.12.9.0 0.0.0.255
    permit 10.13.87.0 0.0.0.63
    permit 10.14.18.64 0.0.0.31

    line vty 0 4
    access-class TELNET in
    authorization commands 15 telnet
    authorization exec telnet
    logging synchronous
    login authentication telnet

    For Aruba CX, I want to apply access management in the default vrf so that it can be reached from the network link (don't use Management)

    How to apply access restriction for ssh in Aruba CX as per above scenario?

    Big Thanks,
    GIBS

    ------------------------------
    Luthfi Naufal Gibrani
    ------------------------------


  • 2.  RE: How to apply access restriction for ssh in Aruba CX

    EMPLOYEE
    Posted Oct 22, 2021 02:47 AM
    Hello Luthfi!

    In ArubaCX you need to perform the following steps:

    1. Enable SSH for VRF default (since you don't want to use VRF mgmt)
    switch(config)# ssh server vrf default

    2. Create an ACL that will protect the Control-plane of the switch:
    switch(config)# access-list ip CONTROLPLANE
    switch(config-acl-ip)# 05 comment ALLOW SSH AND SNMP ON ADMIN SUBNET, BLOCK ALL OTHERS
    switch(config-acl-ip)# 10 permit tcp 10.10.0.0/24 any eq 22
    switch(config-acl-ip)# 20 permit udp 10.10.0.0/24 any eq 161
    switch(config-acl-ip)# 30 permit udp 10.10.0.0/24 any eq 162
    switch(config-acl-ip)# 40 deny tcp any any eq 22 count
    switch(config-acl-ip)# 50 deny udp any any eq 161 count
    switch(config-acl-ip)# 60 deny udp any any eq 162 count
    switch(config-acl-ip)# 990 comment ALLOW ANYTHING ELSE
    switch(config-acl-ip)# 1000 permit any any any


    3. Apply the ACL to the default VRF:

    switch(config)# apply access-list ip CONTROLPLANE control-plane vrf default


    I recommend you check the Aruba CX Hardening Guide - https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/AOS-CX_10-07_hardening.pdf ; it has a lot of useful configuration details on how to secure your switches.

    Hope this helps!




    ------------------------------
    Ivan Bondar
    ------------------------------
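
Added example (not part of the original posts and not Aruba's code): a Python sketch that converts the wildcard-mask entries of the Cisco ACL in the question into prefix-length entries in the form of the CONTROLPLANE ACL from the reply, for SSH only, and checks the first-match result for a source address. The function names are hypothetical, and the generated lines are an assumption modelled on the reply's syntax that should be verified on the switch CLI.

```python
import ipaddress

# The Cisco standard ACL entries from the question (network + wildcard mask).
CISCO_ACL = """\
permit 10.10.26.0 0.0.0.255
permit 10.11.4.0 0.0.0.255
permit 10.12.9.0 0.0.0.255
permit 10.13.87.0 0.0.0.63
permit 10.14.18.64 0.0.0.31
"""

def wildcard_to_network(addr, wildcard):
    """Convert 'address wildcard' to an IPv4Network; reject non-contiguous masks."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    # A contiguous wildcard is 2**n - 1, so adding 1 clears every set bit.
    if host_bits & (host_bits + 1):
        raise ValueError(f"wildcard {wildcard} has no prefix-length form")
    prefix_len = 32 - host_bits.bit_length()
    # strict=True raises if the address has bits set inside the host part.
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=True)

def parse_cisco_permits(text):
    """Return the permitted source networks, in ACL order."""
    nets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "permit":
            nets.append(wildcard_to_network(fields[1], fields[2]))
    return nets

def render_control_plane_acl(nets, name="CONTROLPLANE", port=22, step=10):
    """Emit permits per admin subnet, then the counted deny, then permit-all."""
    lines = [f"access-list ip {name}"]
    seq = step
    for net in nets:
        lines.append(f"    {seq} permit tcp {net} any eq {port}")
        seq += step
    lines.append(f"    {seq} deny tcp any any eq {port} count")
    lines.append("    1000 permit any any any")
    return lines

def ssh_permitted(nets, src):
    """First match wins: a source in any permit entry never reaches the deny."""
    return any(ipaddress.ip_address(src) in net for net in nets)

if __name__ == "__main__":
    print("\n".join(render_control_plane_acl(parse_cisco_permits(CISCO_ACL))))
```

The deny entry has to stay after every permit and before the final `permit any any any`; otherwise SSH from the admin subnets is dropped or SSH from everywhere is allowed.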



  • 3.  RE: How to apply access restriction for ssh in Aruba CX

    Posted Oct 25, 2021 06:57 AM
    Dear Ivan,

    Thank you very much for your advice. I will try it.

    Regards,
    Luthfi

    ------------------------------
    Luthfi Naufal Gibrani
    ------------------------------