In this article we demonstrate how to configure an Arista switch to restrict access to its network services. By default, Arista EOS applies a control-plane ACL that limits the packets forwarded to the CPU. This ACL exists for security purposes, but its default configuration is very permissive, so it is recommended that the sources allowed to reach the switch be restricted using the method described below. To view the default ACL, issue the following command:
Arista#sh ip access-lists default-control-plane-acl
IP Access List default-control-plane-acl [readonly]
        statistics per-entry
        10 permit icmp any any [match 4, 11 days, 20:46:23 ago]
        20 permit ip any any tracked [match 27164, 0:00:00 ago]
        30 permit udp any any eq bfd ttl eq 255 [match 6470727, 0:00:00 ago]
        40 permit ospf any any
        50 permit tcp any any eq ssh telnet www snmp bgp https msdp [match 5, 0:00:29 ago]
        60 permit udp any any eq bootps bootpc snmp rip ntp [match 40569, 4 days, 1:14:37 ago]
        70 permit tcp any any eq mlag ttl eq 255
        80 permit udp any any eq mlag ttl eq 255
        90 permit vrrp any any
        100 permit ahp any any
        110 permit pim any any [match 192978, 0:00:00 ago]
        120 permit igmp any any [match 108324, 0:00:09 ago]
        130 permit tcp any any range 5900 5910
        140 permit tcp any any range 50000 50100
        150 permit udp any any range 51000 51100
All traffic not matched by an entry in the default ACL is dropped before it reaches the CPU, because of the implicit deny rule that ends every ACL. To restrict or allow packets to the control-plane, complete the following configuration steps:
Step 1: Create a modified ACL. The default control-plane ACL that protects the CPU is read-only and cannot be modified. Even if that were not the case, common practice is to create a new ACL; this way the default ACL stays intact and can be restored quickly if it is ever needed again.
First create a new ACL containing all of the rules from the default ACL (with a few modifications) plus additional rules that restrict access according to your operational needs. In this example we want to restrict Web, HTTPS, SSH, bootps, bootpc, and SNMP access to a specific host (192.168.3.10) and subnet (192.168.10.0/24) where the customer's management hosts reside.
Arista#sh ip access-lists restrict-access
IP Access List restrict-access
        10 permit icmp any any
        20 permit ip any any tracked [match 1452, 0:00:00 ago]
        30 permit udp any any eq bfd ttl eq 255
        40 permit ospf any any
        50 permit tcp any any eq bgp msdp
        60 remark deleted open udp service rule
        70 permit tcp any any eq mlag ttl eq 255
        80 permit udp any any eq mlag ttl eq 255
        90 permit vrrp any any
        100 permit ahp any any
        110 permit pim any any
        120 permit igmp any any
        130 permit tcp any any range 5900 5910
        140 permit tcp any any range 50000 50100
        150 permit udp any any range 51000 51100
        160 remark restrict Web, HTTPS, SNMP, bootps, bootpc, ntp and SSH to specific IP address
        170 permit tcp host 192.168.3.10 any eq web https ssh
        180 permit udp host 192.168.3.10 any eq snmp bootps bootpc ntp
        190 permit tcp 192.168.10.0/24 any eq web https ssh
        200 permit udp 192.168.10.0/24 any eq snmp bootps bootpc ntp
Entries 50, 60 and 160 through 200 above are the lines modified or added with respect to the default control-plane ACL: the open TCP management services were removed from entry 50, the open UDP service rule was replaced by a remark, and the management services are now permitted only from the named host and subnet.
Step 2: Apply the ACL to the control-plane. This replaces the default control-plane ACL and restricts or allows access according to the new ACL configuration.
Arista(config)#control-plane
Arista(config-cp)#ip access-group restrict-access in
The switch is now configured to accept management traffic only from host 192.168.3.10 and subnet 192.168.10.0/24; all other sources can still reach the services that remain open to any address (ICMP, BGP, MSDP, the routing and MLAG protocols), but their SSH, Web, HTTPS and SNMP packets are dropped by the implicit deny.
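The following Python model is an added example, not part of the original article or any Arista tooling: it parses a subset of the EOS ACL syntax shown above and evaluates sample packets against the restrict-access ACL, applying first-match semantics, the implicit deny, and the rule that a "tracked" entry only admits packets of an already established connection. The PORTS table, the embedded ACL excerpt and the function names are assumptions made for this example.

```python
import ipaddress
import re
from itertools import takewhile

# Port keywords used in the article's ACLs (a constructed subset of EOS names).
PORTS = {"ssh": 22, "web": 80, "www": 80, "https": 443, "snmp": 161, "bootps": 67,
         "bootpc": 68, "ntp": 123, "bgp": 179, "msdp": 639, "bfd": 3784}

# Representative lines of the article's restrict-access ACL, embedded as sample input.
RESTRICT_ACCESS = """
10 permit icmp any any
20 permit ip any any tracked [match 1452, 0:00:00 ago]
50 permit tcp any any eq bgp msdp
60 remark deleted open udp service rule
170 permit tcp host 192.168.3.10 any eq web https ssh
180 permit udp host 192.168.3.10 any eq snmp bootps bootpc ntp
190 permit tcp 192.168.10.0/24 any eq web https ssh
"""

def _addr(tok, i):
    # 'any' / 'host A.B.C.D' / 'A.B.C.D/N' -> (network, index of the next token)
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    net = "0.0.0.0/0" if tok[i] == "any" else tok[i]
    return ipaddress.ip_network(net, strict=False), i + 1

def parse_acl(text):
    # Rule = (action, proto, src, ports-or-None, tracked); remarks, headers and
    # [match ...] counters are skipped; unknown port keywords (e.g. mlag) match nothing.
    rules = []
    for line in text.strip().splitlines():
        tok = re.sub(r"\[.*?\]", "", line).split()
        if len(tok) < 5 or tok[1] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 3)
        i = _addr(tok, i)[1]                        # destination is the switch itself
        ports = None                                # None -> any destination port
        if tok[i:i + 1] == ["eq"]:
            names = takewhile(lambda p: p in PORTS or p.isdigit(), tok[i + 1:])
            ports = {int(PORTS.get(p, p)) for p in names}
        rules.append((tok[1], tok[2], src, ports, "tracked" in tok))
    return rules

def evaluate(rules, proto, src_ip, dst_port, new_flow=True):
    # First match wins; running off the end is the implicit deny. A 'tracked' rule
    # only matches packets of an already established connection, never a new flow.
    ip = ipaddress.ip_address(src_ip)
    for action, rproto, src, ports, tracked in rules:
        if (tracked and new_flow) or rproto not in ("ip", proto) or ip not in src:
            continue
        if ports is None or dst_port in ports:
            return action
    return "deny"
```

Running evaluate() for every management source and service you depend on, before issuing `ip access-group restrict-access in`, is a cheap way to confirm the new ACL will not lock you out of the switch.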