Question

Block admin Access to AP7532 from VLAN 2

  • 10 June 2020


I have set an AP up that has a direct WAN connection and uses NAT for the MUs inside to get to the WAN outside, with help from Tomasz (thank you :thumbsup:). However, as soon as it connects, the attempted access starts, along with port scans from all different IPs, trying all sorts of usernames and passwords. So is it possible to remove access to SSH/HTTPS etc. on VLAN 2 only, and set it so the AP does not respond to ICMP on that VLAN too?

I have seen this as an example, which will block everything other than IP protocol packets for destination IP address 10.0.0.2, but I am not sure this is what I need?

VX>
VX> enable
VX# configure
Enter configuration commands, one per line.  End with CNTL/Z.
VX(config)# ip access-list LIMIT-ALL
VX(config-ip-acl-LIMIT-ALL)# permit ip any host 10.0.0.2 rule-precedence 10
VX(config-ip-acl-LIMIT-ALL)# deny ip any any rule-precedence 15
VX(config-ip-acl-LIMIT-ALL)# show context
ip access-list LIMIT-ALL
 permit ip any host 10.0.0.2 rule-precedence 10
 deny ip any any rule-precedence 15
VX(config-ip-acl-LIMIT-ALL)# exit
VX(config)# wlan LIMIT-ALL
VX(config-wlan-LIMIT-ALL)# use ip-access-list in LIMIT-ALL
VX(config-wlan-LIMIT-ALL)# commit write

Access to the AP via the CLI port on the AP can be done locally, but I would still like to access it via HTTPS from VLAN 100, which is inside (NAT).

Phil
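
An added example, not part of the original post and not Extreme Networks code: a small Python evaluator for the two LIMIT-ALL rules shown above, so the effect of the ACL can be checked against sample traffic before it is committed. It assumes rules are checked in ascending rule-precedence order with the first match deciding; the packet addresses are constructed, and `parse_acl` and `evaluate` are hypothetical helper names.

```python
import ipaddress

# Rule lines copied from the "show context" output in the post above.
ACL_TEXT = """
permit ip any host 10.0.0.2 rule-precedence 10
deny ip any any rule-precedence 15
"""

def _addr(tokens):
    """Consume 'any' or 'host <ip>'; return None for any, else a /32 network."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError("unsupported address form: " + word)

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst> rule-precedence <n>' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t.pop(0), t.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("only permit/deny ip rules are handled: " + line)
        src, dst = _addr(t), _addr(t)
        if len(t) != 2 or t[0] != "rule-precedence":
            raise ValueError("expected rule-precedence <n>: " + line)
        rules.append((int(t[1]), action, src, dst))
    # Assumption: the lowest precedence number is checked first.
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, src, dst):
    """Return (action, precedence) of the first matching rule, or ('no-match', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prec, action, rsrc, rdst in rules:
        if (rsrc is None or s in rsrc) and (rdst is None or d in rdst):
            return action, prec
    return "no-match", None

RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed sample packets (source, destination); addresses are illustrative.
    for src, dst in [("192.168.100.50", "10.0.0.2"),
                     ("192.168.100.50", "192.168.100.1"),
                     ("203.0.113.7", "10.0.0.2")]:
        print(src, "->", dst, evaluate(RULES, src, dst))
```

The rules match on destination address only, so any source reaching 10.0.0.2 is permitted on every port and protocol, and everything else is denied regardless of whether it is SSH, HTTPS or ICMP.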


2 replies


Hi Phil,

ICMP I’d block with ACL as well.

Regarding SSH, please see Management Policy in the GUI. You can enable/disable mgmt protocols and also add allowed IP subnets/hosts.

Hope that helps,

Tomasz


Phil,

You need to attach the ACL in the MNG policy.

Aviv 
