Restricting SSH Access to Arista APs


Introduction

This article describes the steps to restrict SSH access to Arista APs. An administrator can allow only specific IP addresses to connect via SSH to the Arista AP’s Management IP address.

Prerequisites

  • AP on firmware version 8.2.1HF1 or later
  • Administrator access to Wireless Manager

Solution

Enable SSH IP Whitelisting

The Enable SSH IP Whitelisting option in the Device Template on Wireless Manager is unchecked by default. An administrator can enforce SSH access from specific IP addresses by checking this option. Only IP addresses that match the specified criteria will be able to SSH to the AP.

If this option is checked, you must provide at least one IP address and wildcard mask. A maximum of 20 such entries can be made. SSH access to the communication IP address of the AP is enabled only from the IP addresses that match the IP address and wildcard mask criteria.

The wildcard mask is a mask of bits that identifies the parts of the IP address that must match and the parts that can be ignored. The binary representations of the IP address and the wildcard mask are compared to determine which bits must match. The wildcard mask acts as an inverted subnet mask, i.e., a zero bit in the mask means the corresponding bit of the client IP address must match the configured address, and a one bit means the corresponding bit does not have to match.

For example, if the IP address is 10.10.0.0 and the mask is 0.0.0.255, then the IP addresses 10.10.0.0 through 10.10.0.255 will be allowed. However, if the mask is 0.0.1.255, then the IP addresses 10.10.0.0 through 10.10.0.255 and 10.10.1.0 through 10.10.1.255 will be allowed.
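The following Python snippet is an added example, not Arista's code, that implements the wildcard-mask rule described above together with the entry limits stated earlier (at least one entry, at most 20), so an administrator can check how broad a mask really is before applying it. It assumes IPv4 addresses only, in line with the note that IPv6 restriction is not supported.

```python
"""Wildcard-mask matching for an SSH IP whitelist (constructed example).

A zero bit in the wildcard mask means that bit of the client address must
equal the configured address; a one bit means the bit is ignored.
"""
import ipaddress

MAX_ENTRIES = 20  # limit stated in the article
IPV4_ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    """Convert a dotted IPv4 string to a 32-bit integer (rejects IPv6)."""
    return int(ipaddress.IPv4Address(addr))


def matches(client_ip: str, entry_ip: str, wildcard_mask: str) -> bool:
    """True if client_ip agrees with entry_ip on every bit the mask marks 0."""
    care_bits = ~ip_to_int(wildcard_mask) & IPV4_ALL_ONES  # invert: 1 = must match
    return (ip_to_int(client_ip) & care_bits) == (ip_to_int(entry_ip) & care_bits)


def matched_count(wildcard_mask: str) -> int:
    """Number of addresses a single entry admits: 2 ** (number of one bits).

    Non-contiguous masks such as 0.0.1.255 are easy to misjudge; this makes
    the size of the opening explicit (512 hosts for 0.0.1.255, not 256).
    """
    return 1 << bin(ip_to_int(wildcard_mask)).count("1")


def build_whitelist(entries):
    """Validate (ip, wildcard_mask) pairs against the article's rules."""
    if not entries:
        raise ValueError("at least one entry is required when whitelisting is enabled")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries are allowed")
    for ip, mask in entries:
        ipaddress.IPv4Address(ip)    # raises on malformed or IPv6 input
        ipaddress.IPv4Address(mask)
    return list(entries)


def ssh_allowed(client_ip: str, whitelist) -> bool:
    """SSH is permitted only if the client matches at least one entry."""
    return any(matches(client_ip, ip, mask) for ip, mask in whitelist)


if __name__ == "__main__":
    # Constructed sample: the two masks discussed in the article.
    wl = build_whitelist([("10.10.0.0", "0.0.1.255")])
    print(ssh_allowed("10.10.1.7", wl), matched_count("0.0.1.255"))  # True 512
```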

Adding/Removing IP addresses

Check the Enable SSH IP Whitelisting option under Device Settings >> Network Settings of the Device Template.

Add the IP address and the corresponding wildcard mask for the client to which access is to be provided, and click Add.

The IP address and wildcard mask are listed in the table. Only clients whose IP addresses match an IP address and corresponding wildcard mask in the table can SSH to the AP on which the Device Template is applied.

To remove an IP address and corresponding wildcard mask, select the IP address row in the table and click the delete icon (trash can) at the bottom of the table.

Note:

  • This feature is not supported on the C-10 platform.
  • Restriction based on IPv6 address is not supported.