Network Management


SSH to ALL VLANs

  • 1.  SSH to ALL VLANs

    Posted Jun 15, 2022 09:10 PM
    Dear friends, 

    I can normally access switches by their IP in the management VLAN; however, I suddenly noticed that I can SSH into any VLAN's active gateway, for example (VLAN 32) 192.168.32.1 and 192.168.32.2 or (VLAN 24) 192.168.24.1 or 192.168.24.2. Would there be any security risks if some students logged in to a PC that connects to the production network and used SSH to access these switches, although we have ClearPass & TACACS authentication?

    Is it necessary to put an access list in place to block SSH access from all VLANs except the Server VLAN or something? Or is it OK to leave it like this?

    Thanks
    ML


    ------------------------------
    Becoming a Networking Engineer
    ------------------------------


  • 2.  RE: SSH to ALL VLANs

    EMPLOYEE
    Posted Jun 16, 2022 10:01 PM
    It all depends on your network policy, and this extends even beyond your wireless. Your network, if large enough, should have a router separating users from the management network and should be able to block that traffic from the border. If your network is a single flat network, this will be more challenging, of course.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: SSH to ALL VLANs

    Posted Jun 26, 2022 11:35 PM
    Actually, I just remembered that I can use a VTY ACL to allow only a specified network scope. Does Aruba CX have a similar thing?

    Thanks
    ML
