https://community.extremenetworks.com/t5/extremewireless-wing/block-admin-access-to-ap7532-from-vlan-2/m-p/61419#M5462 <P>Hi Phil,</P> <P>&nbsp;</P> <P>ICMP I’d block with ACL as well.</P> <P>Regarding SSH, please see Management Policy in the GUI. You can enable/disable mgmt protocols and also add allowed IP subnets/hosts.</P> <P>&nbsp;</P> <P>Hope that helps,</P> <P>Tomasz</P> Tue, 23 Jun 2020 18:09:20 GMT Tomasz 2020-06-23T18:09:20Z https://community.extremenetworks.com/t5/extremewireless-wing/block-admin-access-to-ap7532-from-vlan-2/m-p/61418#M5461 <P>I have set an&nbsp;AP up &nbsp;&nbsp;that has direct WAN connection&nbsp; and uses NAT for the MU’s inside to get to the WAN outside with help from Tomasz ( thankyou <span class="lia-inline-image-display-wrapper" image-alt="9f02c4bd5f894d4f84ef8db7f5eb9b91_1f44d.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/5935i2B395BAEA99A4961/image-size/large?v=v2&amp;px=999" role="button" title="9f02c4bd5f894d4f84ef8db7f5eb9b91_1f44d.png" alt="9f02c4bd5f894d4f84ef8db7f5eb9b91_1f44d.png" /></span> ) , However as soon as it connects the attempted access starts and port scans from all different IP’s and trying all sorts of usernames and passwords, So is it possible to remove access to SSH /HTTPS etc on VLAN 2 only and set it so the AP does not respond to ICMP on that VLAN to ?</P> <P>I have seen this as an example which will block everything else than IP protocol packet for destination IP address <STRONG>10.0.0.2, </STRONG>But not sure this is what I need?&nbsp;</P> <P>VX&gt;<BR /> VX&gt; <STRONG>enable</STRONG><BR /> VX# <STRONG>configure</STRONG><BR /> Enter configuration commands, one per line.&nbsp; End with CNTL/Z.<BR /> VX(config)# <STRONG>ip access-list LIMIT-ALL</STRONG><BR /> VX(config-ip-acl-LIMIT-ALL)# <STRONG>permit ip any host 10.0.0.2 rule-precedence 10</STRONG><BR /> VX(config-ip-acl-LIMIT-ALL)# <STRONG>deny ip any any rule-precedence 15</STRONG><BR /> VX(config-ip-acl-LIMIT-ALL)# <STRONG>show context</STRONG><BR /><STRONG>ip access-list LIMIT-ALL permit ip any host 10.0.0.2 rule-precedence 10 deny ip any any rule-precedence 15</STRONG><BR /> VX(config-ip-acl-LIMIT-ALL)# <STRONG>exit</STRONG><BR /> VX(config)#<STRONG>wlan LIMIT-ALL</STRONG><BR /> VX(config-wlan-LIMIT-ALL)# <STRONG>use ip-access-list in LIMIT-ALL </STRONG>VX(config-wlan-LIMIT-ALL)#&nbsp;<STRONG>commit write</STRONG></P> <P>access to &nbsp;the AP via CLI port on the AP can be done is local but would still like to access via HTTPS from Vlan 100 which is inside ( NAT)</P> <P>Phil</P> Wed, 10 Jun 2020 20:54:03 GMT https://community.extremenetworks.com/t5/extremewireless-wing/block-admin-access-to-ap7532-from-vlan-2/m-p/61418#M5461 Phil_storey 2020-06-10T20:54:03Z https://community.extremenetworks.com/t5/extremewireless-wing/block-admin-access-to-ap7532-from-vlan-2/m-p/61419#M5462 <P>Hi Phil,</P> <P>&nbsp;</P> <P>ICMP I’d block with ACL as well.</P> <P>Regarding SSH, please see Management Policy in the GUI. You can enable/disable mgmt protocols and also add allowed IP subnets/hosts.</P> <P>&nbsp;</P> <P>Hope that helps,</P> <P>Tomasz</P> Tue, 23 Jun 2020 18:09:20 GMT https://community.extremenetworks.com/t5/extremewireless-wing/block-admin-access-to-ap7532-from-vlan-2/m-p/61419#M5462 Tomasz 2020-06-23T18:09:20Z https://community.extremenetworks.com/t5/extremewireless-wing/block-admin-access-to-ap7532-from-vlan-2/m-p/61420#M5463 <P>Phil,</P> <P>You need to attach the acl in MNG policy .</P> <P>Aviv&nbsp;</P> Thu, 09 Jul 2020 20:57:46 GMT https://community.extremenetworks.com/t5/extremewireless-wing/block-admin-access-to-ap7532-from-vlan-2/m-p/61420#M5463 Aviv_Kedem 2020-07-09T20:57:46Z