Network Management


Aruba CX 6200M 'management-vlan' command alternative?

  • 1.  Aruba CX 6200M 'management-vlan' command alternative?

    Posted Jan 16, 2024 10:48 AM

    Hello,

    Recently we've started to undergo a move from some 2920 ArubaOS Switches in our network to the newer CX 6200M line, currently on FW 10.13.0010, and re-learning the CLI has been somewhat of a challenge. This was made easier after I was able to find the "CLI Reference Guide for ArubaOS-CX, ArubaOS-Switch, and Cisco IOS" from 2019, though I wasn't able to find a guide newer than this or with more information. 

    With that in mind, I wasn't able to find much information online about the 'management-vlan <VLAN ID>' command, which we've used extensively on our ArubaOS switches for locking down SSH access to a single VLAN's IP. Is there an alternative command on the CX series that I may have missed?



  • 2.  RE: Aruba CX 6200M 'management-vlan' command alternative?

    Posted Jan 17, 2024 07:35 AM

    The management interface can be configured by going into configuration mode and entering "interface mgmt".

    This will give you the ability to change the IP Settings. See: https://www.arubanetworks.com/techdocs/AOS-CX/10.09/HTML/fundamentals_6200/Content/Chp_IniCfg/cnf-man-int.htm

    The switch can be locked down for access by specifying the vrf for the specific feature:

    Example, if you want to lock down SSH to management port only:

    ssh server vrf mgmt

    no ssh server vrf default [or any other vrf you may have]

    https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-7885/Content/Chp_SSH_serv/SSH_serv_cmds/ssh-ser-vrf65.htm

    This principle would apply to HTTPS. Also keep in mind that when doing some things like software updates from the CLI, you may need to specify vrf mgmt in the command to get traffic to route correctly.




  • 3.  RE: Aruba CX 6200M 'management-vlan' command alternative?

    Posted Feb 06, 2024 09:27 AM

    Hi sccmobjohnson,

    Thank you for the guide, however this was not quite what I was looking for. Due to the routing scheme that we currently have, we are unable to segment the management VLAN/IP into a separate VRF without causing routing issues. And while I'm aware that both the 2920 and 6200 series switches have management interfaces, the option I was looking for was referring to the 'management-vlan <VLAN ID>' command that allows administrators to lock down SSH access when not using the mgmt port.

    For example, we have several buildings where multiple VLANs have addresses set: 10.11.x.x on VLAN 11, 10.12.x.x on VLAN 12, etc. By default on the 2920 series, any of these IP addresses can be used for SSH; however, this can be restricted to a single VLAN/IP using the command: 'management-vlan 11'.




  • 4.  RE: Aruba CX 6200M 'management-vlan' command alternative?
    Best Answer

    Posted Feb 27, 2024 03:15 PM

    For anyone that comes across this thread looking for an ArubaOS to CX OS solution, I wound up answering my own question after doing some research into classes and policies.

    For example: I want to restrict ssh traffic going to VLAN 10 (10.0.10.0/24) from VLAN 20 (10.0.20.0/24) but not from VLAN 30 (10.0.30.0/24).

    I can do this by making a class and applying it through a policy on VLAN 20:

    class ip restrict-ssh
        10 match tcp any 10.0.10.0/255.255.255.0 eq ssh
    !
    policy stop-ssh
        10 class ip restrict-ssh action drop
    !
    vlan 20
        apply policy stop-ssh in


    Doing this will allow regular traffic to still pass through the VLANs, including things like ICMP, but will specifically stop ssh traffic that tries to go from VLAN 20 to VLAN 10's subnet. The policy can be applied system-wide as well when adding 'vlan <vlan ID>' to the end of the class sequence: 10 match tcp any 10.0.10.0/255.255.255.0 eq ssh vlan 20.

    This can then be applied in config mode instead of VLAN config mode, though it can only be applied to inbound traffic, not outbound.