Restricting access to the switch


In this article we demonstrate how to configure an Arista switch to restrict access to its network services. By default, Arista EOS applies a control-plane ACL that limits the packets forwarded to the CPU. This is done for security purposes, but the default configuration is very permissive, so it is recommended that the sources allowed to reach the switch be restricted using the methods described below. To view the default ACL, issue the following command:

Arista#sh ip access-lists default-control-plane-acl
IP Access List default-control-plane-acl [readonly]
statistics per-entry
10 permit icmp any any [match 4, 11 days, 20:46:23 ago]
20 permit ip any any tracked [match 27164, 0:00:00 ago]
30 permit udp any any eq bfd ttl eq 255 [match 6470727, 0:00:00 ago]
40 permit ospf any any
50 permit tcp any any eq ssh telnet www snmp bgp https msdp [match 5, 0:00:29 ago]
60 permit udp any any eq bootps bootpc snmp rip ntp [match 40569, 4 days, 1:14:37 ago]
70 permit tcp any any eq mlag ttl eq 255
80 permit udp any any eq mlag ttl eq 255
90 permit vrrp any any
100 permit ahp any any
110 permit pim any any [match 192978, 0:00:00 ago]
120 permit igmp any any [match 108324, 0:00:09 ago]
130 permit tcp any any range 5900 5910
140 permit tcp any any range 50000 50100
150 permit udp any any range 51000 51100

All traffic not explicitly permitted by the default ACL is dropped before it reaches the CPU, because of the implicit deny rule added at the end of every ACL. To further restrict or allow packets to the control plane, complete the following configuration steps:

Step 1: Create a modified ACL. The default control-plane ACL that protects the CPU is read-only and cannot be modified. Even if it could be, common practice is to create a new ACL; that way the default ACL remains intact and can be reverted to quickly if it needs to be restored.

First create a new ACL containing all of the rules from the default ACL (with a few modifications) plus additional rules that restrict access according to your operational needs. In this example we want to restrict Web, HTTPS, SSH, SNMP, bootps, bootpc and NTP access to a specific host (192.168.3.10) and subnet (192.168.10.0/24) where the customer's management hosts reside.

Arista#sh ip access-lists restrict-access
IP Access List restrict-access
10 permit icmp any any
20 permit ip any any tracked [match 1452, 0:00:00 ago]
30 permit udp any any eq bfd ttl eq 255
40 permit ospf any any
50 permit tcp any any eq bgp msdp
60 remark deleted open udp service rule
70 permit tcp any any eq mlag ttl eq 255
80 permit udp any any eq mlag ttl eq 255
90 permit vrrp any any
100 permit ahp any any
110 permit pim any any
120 permit igmp any any
130 permit tcp any any range 5900 5910
140 permit tcp any any range 50000 50100
150 permit udp any any range 51000 51100
160 remark restrict Web, HTTPS, SNMP, bootps, bootpc, ntp and SSH to specific IP address
170 permit tcp host 192.168.3.10 any eq www https ssh
180 permit udp host 192.168.3.10 any eq snmp bootps bootpc ntp
190 permit tcp 192.168.10.0/24 any eq www https ssh
200 permit udp 192.168.10.0/24 any eq snmp bootps bootpc ntp

Lines 50, 60 and 160 through 200 above are the ones modified or added with respect to the default control-plane ACL: line 50 no longer opens SSH, Telnet, HTTP, HTTPS and SNMP to any source, line 60 replaces the open UDP service rule with a remark, and lines 160 through 200 permit those services only from the management host and subnet.

Step 2: Apply the ACL to the control plane. This replaces the default control-plane ACL, so access is now restricted or allowed according to the new ACL configuration.

Arista(config)#control-plane
Arista(config-cp)#ip access-group restrict-access in

The switch is now configured to accept management traffic (Web, HTTPS, SSH, SNMP, bootps, bootpc and NTP) only from host 192.168.3.10 and subnet 192.168.10.0/24; the routing and infrastructure protocols carried over from the default ACL remain permitted from any source.
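Before applying a new control-plane ACL it is worth checking that the management sources you rely on are still permitted and that the services you meant to close are in fact closed, since a mistake here locks you out of the switch. The following added example (not Arista code) is a small evaluator for the subset of EOS ACL syntax used above; it walks the rules in sequence order and reports the first matching permit, or None for the implicit deny. The embedded ACL is a constructed subset of the restrict-access list (the ttl, mlag and range rules are omitted), and the port-name table only covers the names that subset uses.

```python
import ipaddress

# Constructed subset of the restrict-access ACL shown in the article.
ACL_TEXT = """
10 permit icmp any any
20 permit ip any any tracked
50 permit tcp any any eq bgp msdp
60 remark deleted open udp service rule
170 permit tcp host 192.168.3.10 any eq www https ssh
180 permit udp host 192.168.3.10 any eq snmp bootps bootpc ntp
190 permit tcp 192.168.10.0/24 any eq www https ssh
200 permit udp 192.168.10.0/24 any eq snmp bootps bootpc ntp
"""

# Service names used in the subset above, mapped to their well-known ports.
PORTS = {"ssh": 22, "www": 80, "https": 443, "snmp": 161, "bootps": 67,
         "bootpc": 68, "ntp": 123, "bgp": 179, "msdp": 639}


def parse_rules(text):
    """Parse 'seq permit proto src dst [eq ports]' lines into match tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action = int(tok[0]), tok[1]
        if action != "permit":          # remarks carry no match semantics
            continue
        proto, rest = tok[2], tok[3:]
        if "tracked" in rest:           # only return traffic of sessions the
            continue                    # switch itself opened; not unsolicited
        if rest[0] == "any":            # source: any | host A.B.C.D | prefix/len
            src, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            src, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:
            src, rest = ipaddress.ip_network(rest[0]), rest[1:]
        rest = rest[1:]                 # destination is 'any' in every rule here
        ports = None
        if rest and rest[0] == "eq":
            ports = {int(p) if p.isdigit() else PORTS[p] for p in rest[1:]}
        rules.append((seq, proto, src, ports))
    return rules


def evaluate(rules, proto, src_ip, dport=None):
    """Sequence number of the first matching permit, or None (implicit deny)."""
    addr = ipaddress.ip_address(src_ip)
    for seq, rproto, src, ports in rules:
        if rproto not in ("ip", proto) or addr not in src:
            continue
        if ports is not None and dport not in ports:
            continue
        return seq
    return None
```

Run the checks that matter for your environment before `ip access-group ... in`: SSH from the management host should hit line 170, SSH from an unrelated address should return None, and BGP from a peer should still hit line 50.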
