Access Control Lists

IP Access Control Lists (ACLs) can also be used to limit management access, giving more granular control over which IP ranges and protocols are allowed to reach the switch.

Consider the following extended IPv4 ACL, applied to a VLAN (10) that hosts both management stations and other network devices:

switch(config)# ip access-list extended "mgmt-permit"
switch(config-ext-nacl)# 10 permit tcp 10.1.1.0/24 10.1.0.5/32 eq 22
switch(config-ext-nacl)# 20 permit tcp 10.1.1.0/24 10.1.0.5/32 eq 443
switch(config-ext-nacl)# 30 permit tcp 10.1.0.50/32 10.1.0.5/32 eq 22
switch(config-ext-nacl)# 40 permit tcp 10.1.0.50/32 10.1.0.5/32 eq 443
switch(config-ext-nacl)# exit
switch(config)# vlan 10
switch(vlan-10)# ip access-group "mgmt-permit" in

This ACL, when applied to inbound traffic on the VLAN or port, allows only hosts in 10.1.1.0/24 or the host 10.1.0.50 to reach the switch management address (10.1.0.5) on TCP port 22 (SSH or SFTP) or 443 (the secure web interface and REST API). All other traffic, whether from any other source IP address or to any other TCP or UDP port, is dropped.

In conjunction with this ACL, a second ACL - applied to inbound traffic on all enabled non-management VLANs and/or interfaces - prevents all connections to the switch management address, while allowing all other traffic to pass.

switch(config)# ip access-list extended "mgmt-block"
switch(config-ext-nacl)# 10 deny ip any 10.1.0.5/32
switch(config-ext-nacl)# 20 permit ip any any
switch(config-ext-nacl)# exit
switch(config)# vlan 20
switch(vlan-20)# ip access-group "mgmt-block" in

Note that all ACLs in ArubaOS-Switch have an implicit “deny any” rule at the end of the rules list; this requires that allowed traffic be explicitly permitted to pass through an applied ACL.
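The following is an added example, not part of the ArubaOS-Switch guide: a small first-match ACL evaluator that models the two lists above ("mgmt-permit" and "mgmt-block"), including the implicit "deny any" at the end of every list. The entry and packet structures, the host and port values, and the sample packets are all constructed for illustration.

```python
"""
Added example: first-match evaluation of the two management ACLs defined
above, with the implicit "deny any" that ArubaOS-Switch appends to every
list. Not the switch's own code; addresses and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", or "ip" (any protocol)
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    dst_port: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def matches(entry: Entry, pkt: Packet) -> bool:
    """True if the packet satisfies every field of the ACL entry."""
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(entry.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(entry.dst):
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"  # implicit "deny any" at the end of every list


ANY = "0.0.0.0/0"
MGMT = "10.1.0.5/32"  # switch management address from the example above

# "mgmt-permit", applied inbound on the management VLAN (10)
MGMT_PERMIT = [
    Entry("permit", "tcp", "10.1.1.0/24", MGMT, 22),
    Entry("permit", "tcp", "10.1.1.0/24", MGMT, 443),
    Entry("permit", "tcp", "10.1.0.50/32", MGMT, 22),
    Entry("permit", "tcp", "10.1.0.50/32", MGMT, 443),
]

# "mgmt-block", applied inbound on every non-management VLAN (e.g. 20)
MGMT_BLOCK = [
    Entry("deny", "ip", ANY, MGMT),
    Entry("permit", "ip", ANY, ANY),
]


if __name__ == "__main__":
    samples = [  # constructed packets
        ("VLAN 10", MGMT_PERMIT, Packet("tcp", "10.1.1.10", "10.1.0.5", 22)),
        ("VLAN 10", MGMT_PERMIT, Packet("tcp", "10.1.1.10", "10.1.0.5", 23)),
        ("VLAN 10", MGMT_PERMIT, Packet("udp", "10.1.1.10", "10.1.0.5", 161)),
        ("VLAN 10", MGMT_PERMIT, Packet("tcp", "10.1.1.10", "10.1.3.9", 80)),
        ("VLAN 20", MGMT_BLOCK, Packet("tcp", "10.1.2.7", "10.1.0.5", 22)),
        ("VLAN 20", MGMT_BLOCK, Packet("tcp", "10.1.2.7", "10.1.3.9", 80)),
    ]
    for vlan, acl, pkt in samples:
        print(f"{vlan}: {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dst_port} "
              f"=> {evaluate(acl, pkt)}")
```

Running the sample packets shows the effect of the implicit deny: on VLAN 10, Telnet (TCP 23) and SNMP (UDP 161) to the management address are dropped even though they were never explicitly denied, and so is VLAN 10 traffic to any destination other than the switch address, since nothing in "mgmt-permit" matches it. On VLAN 20 only traffic aimed at 10.1.0.5 is dropped; everything else falls through to the explicit "permit ip any any".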

For more details, refer to:

  • The chapter titled “IPv4 Access Control Lists (ACLs)” in the ArubaOS-Switch Access Security Guide

  • The chapter titled “Access Control Lists” in the ArubaOS-Switch IPv6 Configuration Guide