Restrict management access to VOSS switches using a firewall

XTRMUser
Contributor

I'd like to restrict access for management to VOSS switches using a firewall. The firewall rules will not be an issue. I'm running VOSS 8.10.x on all VOSS switches. So they have management CLIP addresses, which are separate from Source IP, and loopback addresses. I'm moving away from ACLs and access-lists, which are on the switches now.

The current code is:

mgmt clip vrf GlobalRouter
ip address 10.10.10.41/32
enable
exit

I noticed there is a reserved vlan (4090) with the management CLIP address on it. Can I use that as part of the solution?

I've tried to find some information on this, but I guess my Google-fu is lacking.


EF
Contributor III

Try an access policy, for example:

access-policy 2
access-policy 2 network 10.100.51.0 24
access-policy 2 access-strict
access-policy 2 accesslevel rwa
access-policy 2 ssh
access-policy 2 telnet
access-policy 2 snmpv3
access-policy 2 ftp
access-policy 2 http
access-policy 2 snmp-group readgrp snmpv2c
access-policy 2 snmp-group v1v2grp snmpv2c
access-policy 2 enable

I have access-policies in place, as well as filters. But to make it easier on my coworkers, who don't understand access policies and filters, but do understand firewall rules, I'm switching.

willisthiel074
New Contributor

In VOSS 8.10.x, VLAN 4090 is an internal reserved VLAN used specifically to bridge the Management CLIP (Control Plane) to the data plane, but it cannot be used for transit or external firewalling. To achieve your goal, you should terminate your management subnet on a dedicated Management VRF (not GlobalRouter) and route that traffic through your firewall as the gateway.
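One concrete shape that design can take, added here as an illustration and not taken from the thread or from any Extreme documentation. The VRF name, VLAN id, port and every address below are assumed placeholders, and the command syntax should be checked against the VOSS 8.10 CLI reference before use. The idea is that the CLIP lives in a VRF whose only route out is the firewall, so the firewall (not a switch ACL) decides which hosts can reach the management address:

```voss
# Added example, not from the thread. All names, numbers and addresses are assumed.

# 1. Dedicated management VRF, separate from GlobalRouter
router vrf MgmtVRF
exit

# 2. Transit VLAN toward the firewall's inside interface, placed in the management VRF
#    (VLAN 100 and port 1/1 are assumed)
vlan create 100 name Mgmt-Transit type port-mstprstp 0
vlan members add 100 1/1
interface vlan 100
vrf MgmtVRF
ip address 10.20.30.41 255.255.255.0
exit

# 3. Default route inside the VRF points at the firewall (10.20.30.1 assumed), so all
#    management traffic to or from the CLIP transits the firewall policy
router vrf MgmtVRF
ip route 0.0.0.0 0.0.0.0 10.20.30.1 weight 1
exit

# 4. Management CLIP bound to the VRF instead of GlobalRouter. VOSS may require the
#    existing GlobalRouter CLIP to be removed first (assumption, verify on a lab box).
#    The CLIP is a /32, so the firewall needs a route for the CLIP range
#    (10.20.31.0/24 assumed) back to this switch's transit address 10.20.30.41.
mgmt clip vrf MgmtVRF
ip address 10.20.31.41/32
enable
exit
```

The firewall rules then allow only the admin hosts to reach 10.20.31.0/24 on the management ports (SSH, SNMP, and so on), which is the part the original post says is already solved. After applying, confirm the CLIP is in the expected VRF and that the VRF's only exit is the firewall's address with the switch's own show commands for the management IP and for the VRF routing table, then test that an unauthorised host is blocked at the firewall rather than at the switch.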
