Nexus 5000 - Securing MGMT Access

Unanswered Question
Apr 3rd, 2009

Could anyone comment on whether the capability exists to configure an ACL that protects management access, restricting access to certain source subnets? I want to use inband mgmt access (interface vlan feature)but limit the access by IP. ACLs seem to be only configurable on a per port basis or VLAN mapped basis, not on the VLAN Interface or Line VTY. Thanks in advance to anyone who offers a comment!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
htarra Thu, 04/09/2009 - 12:18

WLCs have a “session level” access control for management protocols. It is important to understand how they work in order to prevent incorrect assessment on what is allowed or not allowed by the controller.

The commands to restrict what management protocols are allowed are (on a global scope)

for more information please follow up on this link:

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a7c988.shtml#t3

spreed Thu, 04/09/2009 - 14:31

Thanks for taking the time for the above post. However my question has to do with the Nexus 5020 switch not the wireless controllers.

nate-miller Fri, 05/01/2009 - 11:41

I understand what you're seeing, and I don't have a solution for you. I will explain what workarounds I enncoutered on the 7K series, though.

The 7K comes stock with a relatively lengthy "Control-Plane Policing" series of ACLs. This is written to rate limit various types of traffic destined to the control plane, in an effort to keep the box up even during a DoS.

However, it's not possible to write an ACL surrounding the VTY or SNMP strings any more. As a result, you're now forced to use the CoPP as a way to protect the in-band network management protocols. I wrote a class map to permit traffic from my management network, and drop it from everything else- and then I applied that to the control plane.

In addition, I created a new ACL and wrapped it around my Mgmt0, allowing only certain protocols, addresses, etc etc.

The point being: NX-OS has scrapped the concept of ACLs on the VTYs, and replaced it with a different mechanism. I can see how this feature set shaped NX-OS, but this doesn't apply as such to the 5K, so it doesn't fit quite right. (and is unavailable.)

As such, I plan on just using the mgmt0 port (with an ACL around it) and not putting IP addresses on the VLANs of the 5k. (it doesn't buy you much, since it's a L2 device anyways.) Note that the mgmt VLAN is a totally separate vrf, so you can really plug one of the VLANs that's flowing through the box anyways- you just need a separate cat 5 run to make this happen.

spreed Fri, 05/01/2009 - 13:56

Thanks Nate for taking the time to reply!

I appreciate your comments confirming that the method for protecting mgmt access to the box has changed. We'll have to rethink how we're going to do that.

Thanks again.

Simon

johgill Tue, 07/07/2009 - 06:42

MGMT0 ACLs are actually not available at this time either, but will be available by the second 4.1(3) release.

Please watch CSCsq20638 for more details on VTY ACLs.

walleyewiz Thu, 10/08/2009 - 10:01

You can probably do this with a VACL. It would look something like the following:

ip access-list ALLOW-MGT

5 deny icmp 1.1.1.1/32 any

6 deny tcp 2.2.2.2/32 gt 1023 any eq 22

30 permit ip any any

vlan access-map ALLOW-MGT

match ip address ALLOW-MGT

action forward

statistics

vlan filter ALLOW-MGT vlan-list 101

pzpgd1mlf Sun, 03/07/2010 - 17:05

I have not found any other alternative so far. Dealing with Nexus 5010 running release 4.1(3)N2(1a).

johgill Tue, 07/27/2010 - 15:20

Hi Adam,

[edit] This is fixed in 4.1(3)N2(1) with defect CSCta26533.  It is also available in 4.2(1)N1(1).  I just tested this to verify, I was confused earlier as to what version my switches were running.

Here's an exmaple in 4.2(1)N1(1):

Nexus5010(config)# conf t
Nexus5010(config)# ip access-list someACL

Nexus5010(config-acl)# deny ip 192.168.0.0/16 any                      
Nexus5010(config-acl)# permit ip any any
Nexus5010(config-acl)# int mgmt0
Nexus5010(config-if)# ip access-group someACL in

Nexus5010(config-if)# exit

Nexus5010# sh ip access-lists summary
IPV4 ACL someACL
        Total ACEs Configured: 2
        Configured on interfaces:
                mgmt0 - ingress (Router ACL)
        Active on interfaces:
                mgmt0 - ingress (Router ACL)

Also, CSCsq20638 will allow you to put an ACL on VTY lines.  CSCsq20638 slipped the target release since my first answer, but is now committed to the 5.0 train for the Nexus 7000.


When the Nexus 5000 picks up this enhancement sometime in Q4 of 2010.  I can't be specific about a release date since it's under active development, but it should be called 5.0(2)N1(1)


Regarding a VACL, that will work for inband management (SVI / VLAN interface), but not for those managing via MGMT0.


Regards,
John Gill

Message was edited by: johgill

Actions

This Discussion