Hi! It looks like the OP is asking for limiting/controlling web access to the dashboard of an edge device... not about the Switch Management GUI.
If so, if I've not misunderstood the OP's request... it should be possible to fulfill his requests by activating an ACL on incoming VLAN 30 (say it is bound to a Net "A" /24), where the incoming direction should be seen "from the Switch standpoint" going to all other possible directions: internally to other routed VLANs and externally to a Gateway to reach any non-internal possible network (here the Firewall must jump in with its policies, otherwise you need to take care of this traffic too), and defining its ACEs in a way that they first permit - using permit IP - the protected device's IP address to reach the desired managers' IP addresses and, finally, deny - using deny IP - communication to all other directly connected Network(s) [this ACL rules the "device -> all others" direction]... AND concurrently... create various other ACLs to deny each other Network to communicate with that device [these ACLs rule the "each other Net/Host -> device" directions] but allowing only permitted managers from a particular Net.
Conceptually something like:
ACL protecting the VLAN 30:
IP of device on VLAN 30 (Net "A") -> permit IP protocol (to reach/to answer requests coming from) to -> IP address of managers on other VLANs (say only on VLAN 10, as example)
Net "A" -> deny IP protocol (to reach/to answer requests coming from) to -> VLAN 10
Net "A" -> deny IP protocol (to reach/to answer requests coming from) to -> VLAN 20
Net "A" -> deny IP protocol (to reach/to answer requests coming from) to -> VLAN 40
Permit all other
Final implicit Deny (hidden)
ACL protecting the VLAN 10:
IP of Managers -> permit TCP 80 (to reach) -> IP address of device on VLAN 30 (only requests to TCP port 80 will pass to the device from Managers)
Net of VLAN 10 (Net "B") -> deny IP protocol (to reach) to -> IP address of device on VLAN 30 or the whole Net "A" (if possible/advisable)
Permit all other
Final implicit Deny (hidden)
ACL protecting the VLAN 20:
Net of VLAN 20 (Net "C") -> deny IP protocol (to reach) to -> IP address of device on VLAN 30 or the whole Net "A" (if possible/advisable)
Permit all other
Final implicit Deny (hidden)
ACL protecting the VLAN 40:
Net of VLAN 40 (Net "D") -> deny IP protocol (to reach) to -> IP address of device on VLAN 30 or the whole Net "A" (if possible/advisable)
Permit all other
Final implicit Deny (hidden)
This way you strictly permit the direction from the device to its managers (denying what you don't want) and, on all other involved VLANs, you strictly deny the direction from non-managers to the device to be protected, letting only managers through to the device.
Edit: forgot to specify that such ACLs should be applied in the incoming direction on each VLAN they are configured to protect (say you named the ACL for protecting the VLAN Id 30 network exactly "VLAN-30-ACL", then you should apply the "VLAN-30-ACL" ACL to VLAN 30 in the incoming direction).
Original Message:
Sent: Feb 03, 2023 02:18 AM
From: Emil_G
Subject: ACL limiting TCP port 80
Hello,
You have an option to determine which devices can have access to the management interfaces of the switch without an ACL. This is the feature called Authorized IP Managers:
https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch15.html
https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8150_access_security_guide/content/c_Using_Authorized_IP_Managers.html
By defining the IPs of the authorized managers the switch will block access to its management interfaces via the network from any other IP. This is a global command and applies to all switch interfaces.
Your ACL looks fine to me, but the drawback is that you are applying it only to a single interface. An intruder could gain access if connected via another interface.
Original Message:
Sent: Feb 02, 2023 01:57 PM
From: cschinmann
Subject: ACL limiting TCP port 80
Looking to the experts for advice. I have a networked device (backup/recovery appliance) that needs to have limited access implemented. We are looking to limit access to the management console via web browser from all but 2 IP addresses. All other data from all other addresses should still be allowed. The device itself does not have the option to limit connecting addresses, so implementing an ACL on the switch is being considered.
Environment:
Aruba 5400r switch
backup device, 173.17.30.10, is on VLAN 30, port A1 on the switch
allowed workstations 173.17.10.101/102 are on VLAN 10 (along with other servers and workstations)
all other user workstations are on VLAN 100 and VLAN 123
This is version 1 of the proposed extended ACL:
Switch (config)# ip access-list extended 101
Switch (config-ext-nacl)# 10 permit tcp 173.17.10.101 255.255.255.255 173.17.30.10 255.255.255.255 eq 80
Switch (config-ext-nacl)# 20 permit tcp 173.17.10.102 255.255.255.255 173.17.30.10 255.255.255.255 eq 80
Switch (config-ext-nacl)# 30 deny tcp 0.0.0.0 255.255.255.255 173.17.30.10 255.255.255.255 eq 80
Switch (config-ext-nacl)# 40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Switch (config-ext-nacl)# exit
Switch (config)#int A1 ip access-group 101 in
Thoughts? Will this have the desired effect of restricting all web browser access to 172.17.30.10 except from 172.17.10.101/102?
Pretty sure I have overlooked something, but I'm just not sure what it is.
Thanks in advance for your insight.
------------------------------
CSchinmann
------------------------------
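A way to check what an ArubaOS-Switch extended ACL actually matches before deploying it, as an added example (not configuration from any poster in this thread). On these switches the ACL mask is wildcard-style: a 0 bit means the packet's address bit must match and a 1 bit means "don't care", which is why `0.0.0.0 255.255.255.255` is "any" and a single host is written `x.x.x.x 0.0.0.0` (or `host x.x.x.x`). The model below evaluates the proposed ACL 101 (with the destination taken as 173.17.30.10 throughout, an assumption based on the Environment section) against a version written with host masks, using constructed sample flows; the same evaluator can be fed the per-VLAN ACEs sketched in the first reply. It also models which packets an ACL applied `in` on port A1 can see at all, since an inbound port ACL filters packets entering the switch on that port, i.e. traffic sent by the appliance rather than traffic addressed to it.

```python
"""Model of ArubaOS-Switch extended ACL matching (added example, not from the thread).

Masks are wildcard-style: 0 bit = must match, 1 bit = don't care.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp" or "ip" (ip matches any protocol)
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    dport: Optional[int] = None  # "eq <port>"; None means any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", ...
    dport: Optional[int] = None


DEVICE = "173.17.30.10"                       # appliance on VLAN 30, port A1
MANAGERS = ("173.17.10.101", "173.17.10.102")  # allowed workstations on VLAN 10
ANY = ("0.0.0.0", "255.255.255.255")
HOST = "0.0.0.0"                              # mask meaning "all 32 bits must match"


def addr_matches(addr: str, base: str, mask: str) -> bool:
    """Wildcard compare: only the bits that are 0 in the mask are significant."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
    return (a & care) == (b & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return (addr_matches(pkt.src, ace.src, ace.src_mask)
            and addr_matches(pkt.dst, ace.dst, ace.dst_mask))


def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# ACL 101 as proposed: 255.255.255.255 masks make every address field "any".
ACL_AS_POSTED = [
    Ace(10, "permit", "tcp", MANAGERS[0], "255.255.255.255", DEVICE, "255.255.255.255", 80),
    Ace(20, "permit", "tcp", MANAGERS[1], "255.255.255.255", DEVICE, "255.255.255.255", 80),
    Ace(30, "deny", "tcp", *ANY, DEVICE, "255.255.255.255", 80),
    Ace(40, "permit", "ip", *ANY, *ANY),
]

# Same intent with host masks (equivalent to the "host" keyword on the CLI).
ACL_HOST_MASKS = [
    Ace(10, "permit", "tcp", MANAGERS[0], HOST, DEVICE, HOST, 80),
    Ace(20, "permit", "tcp", MANAGERS[1], HOST, DEVICE, HOST, 80),
    Ace(30, "deny", "tcp", *ANY, DEVICE, HOST, 80),
    Ace(40, "permit", "ip", *ANY, *ANY),
]


def seen_by_inbound_acl_on_a1(pkt: Packet) -> bool:
    """'ip access-group ... in' on port A1 only sees packets entering the switch
    on A1, i.e. packets the appliance sends. Requests from other VLANs enter
    on their own ports/VLANs and exit A1, so an inbound ACL on A1 never sees them."""
    return pkt.src == DEVICE


def audit(acl) -> dict:
    """Decisions for constructed sample flows (not captured traffic)."""
    flows = {
        "manager_http": Packet(MANAGERS[0], DEVICE, "tcp", 80),
        "other_vlan_http": Packet("173.17.100.50", DEVICE, "tcp", 80),
        "other_vlan_https": Packet("173.17.100.50", DEVICE, "tcp", 443),
        "other_vlan_backup_udp": Packet("173.17.123.7", DEVICE, "udp", 2049),
    }
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    print("as posted   :", audit(ACL_AS_POSTED))
    print("host masks  :", audit(ACL_HOST_MASKS))
    print("inbound A1 sees workstation->device HTTP?",
          seen_by_inbound_acl_on_a1(Packet("173.17.100.50", DEVICE, "tcp", 80)))
```

With the masks as posted, ACE 10 already matches every TCP/80 packet regardless of source, so ACE 30 never fires; with host masks the deny applies to all non-manager sources while other protocols and ports still fall through to ACE 40. Where the ACL is attached also matters: to filter requests addressed to the appliance it has to sit where those packets enter the switch (the source VLANs, as the first reply describes), not inbound on the appliance's own port.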