3991 Views, 9 Helpful, 10 Replies

Nexus 5000 - Securing MGMT Access

spreed (Level 4)

Could anyone comment on whether the capability exists to configure an ACL that protects management access, restricting access to certain source subnets? I want to use inband mgmt access (interface vlan feature) but limit the access by IP. ACLs seem to be only configurable on a per port basis or VLAN mapped basis, not on the VLAN Interface or Line VTY. Thanks in advance to anyone who offers a comment!

10 Replies

htarra (Level 4)

WLCs have a “session level” access control for management protocols. It is important to understand how they work in order to prevent incorrect assessment on what is allowed or not allowed by the controller.

The commands to restrict what management protocols are allowed are (on a global scope)

For more information, please follow up on this link:

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a7c988.shtml#t3

Thanks for taking the time for the above post. However my question has to do with the Nexus 5020 switch not the wireless controllers.

I understand what you're seeing, and I don't have a solution for you. I will explain what workarounds I encountered on the 7K series, though.

The 7K comes stock with a relatively lengthy "Control-Plane Policing" series of ACLs. This is written to rate limit various types of traffic destined to the control plane, in an effort to keep the box up even during a DoS.

However, it's not possible to write an ACL surrounding the VTY or SNMP strings any more. As a result, you're now forced to use the CoPP as a way to protect the in-band network management protocols. I wrote a class map to permit traffic from my management network, and drop it from everything else, and then I applied that to the control plane.

In addition, I created a new ACL and wrapped it around my Mgmt0, allowing only certain protocols, addresses, etc.

The point being: NX-OS has scrapped the concept of ACLs on the VTYs, and replaced it with a different mechanism. I can see how this feature set shaped NX-OS, but this doesn't apply as such to the 5K, so it doesn't fit quite right. (and is unavailable.)

As such, I plan on just using the mgmt0 port (with an ACL around it) and not putting IP addresses on the VLANs of the 5k. (It doesn't buy you much, since it's a L2 device anyways.) Note that the mgmt VLAN is a totally separate vrf, so you can really plug one of the VLANs that's flowing through the box anyways; you just need a separate cat 5 run to make this happen.

Thanks Nate for taking the time to reply!

I appreciate your comments confirming that the method for protecting mgmt access to the box has changed. We'll have to rethink how we're going to do that.

Thanks again.

Simon

MGMT0 ACLs are actually not available at this time either, but will be available by the second 4.1(3) release.

Please watch CSCsq20638 for more details on VTY ACLs.

You can probably do this with a VACL. It would look something like the following:

ip access-list ALLOW-MGT
  5 deny icmp 1.1.1.1/32 any
  6 deny tcp 2.2.2.2/32 gt 1023 any eq 22
  30 permit ip any any
vlan access-map ALLOW-MGT
  match ip address ALLOW-MGT
  action forward
  statistics
vlan filter ALLOW-MGT vlan-list 101

I have not found any other alternative so far. Dealing with Nexus 5010 running release 4.1(3)N2(1a).

Has anyone found a solution in the new 4.2 code?

VACL is what I'm using currently.  That's all I've found out.

Hi Adam,

[edit] This is fixed in 4.1(3)N2(1) with defect CSCta26533.  It is also available in 4.2(1)N1(1).  I just tested this to verify, I was confused earlier as to what version my switches were running.

Here's an example in 4.2(1)N1(1):

Nexus5010(config)# conf t
Nexus5010(config)# ip access-list someACL

Nexus5010(config-acl)# deny ip 192.168.0.0/16 any                      
Nexus5010(config-acl)# permit ip any any
Nexus5010(config-acl)# int mgmt0
Nexus5010(config-if)# ip access-group someACL in

Nexus5010(config-if)# exit

Nexus5010# sh ip access-lists summary
IPV4 ACL someACL
        Total ACEs Configured: 2
        Configured on interfaces:
                mgmt0 - ingress (Router ACL)
        Active on interfaces:
                mgmt0 - ingress (Router ACL)

Also, CSCsq20638 will allow you to put an ACL on VTY lines.  CSCsq20638 slipped the target release since my first answer, but is now committed to the 5.0 train for the Nexus 7000.


The Nexus 5000 will pick up this enhancement sometime in Q4 of 2010. I can't be specific about a release date since it's under active development, but it should be called 5.0(2)N1(1).


Regarding a VACL, that will work for inband management (SVI / VLAN interface), but not for those managing via MGMT0.


Regards,
John Gill

Message was edited by: johgill
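Putting the VACL answer and John's mgmt0 ACL together, here is an added example (my own, not posted by anyone in this thread) that restricts in-band management on the VLAN 101 SVI to one management subnet while leaving transit traffic in that VLAN alone, and restricts mgmt0 to the NOC subnet. All addresses, the VLAN number and the ACL/access-map names are assumptions; the VACL uses separate forward and drop sequences so it does not rely on how deny ACEs inside a single access-map are treated.

```nxos
! Assumed values (constructed for this example, not from the thread):
!   management stations     10.10.0.0/24
!   SVI of VLAN 101         172.16.101.5/32
!   mgmt0 address / NOC     192.168.100.5/24, NOC on 192.168.100.0/24

! --- In-band management (interface vlan 101): VACL ---
! Sequence 10: SSH, SNMP and ping from the management subnet to the SVI.
ip access-list MGMT-TO-SVI
  10 permit tcp 10.10.0.0/24 172.16.101.5/32 eq 22
  20 permit udp 10.10.0.0/24 172.16.101.5/32 eq 161
  30 permit icmp 10.10.0.0/24 172.16.101.5/32
! Sequence 20: anything else addressed to the SVI itself.
ip access-list ANY-TO-SVI
  10 permit ip any 172.16.101.5/32
! Sequence 30: everything else (hosts talking through the VLAN, and the
! SVI's own replies back to the management subnet).
ip access-list ANY-IP
  10 permit ip any any

vlan access-map MGMT-FILTER 10
  match ip address MGMT-TO-SVI
  action forward
  statistics per-entry
vlan access-map MGMT-FILTER 20
  match ip address ANY-TO-SVI
  action drop
  statistics per-entry
vlan access-map MGMT-FILTER 30
  match ip address ANY-IP
  action forward
vlan filter MGMT-FILTER vlan-list 101

! --- Out-of-band management (mgmt0): router ACL, 4.1(3)N2(1) and later ---
ip access-list MGMT0-IN
  10 permit tcp 192.168.100.0/24 192.168.100.5/32 eq 22
  20 permit udp 192.168.100.0/24 192.168.100.5/32 eq 161
  30 permit icmp 192.168.100.0/24 192.168.100.5/32
  40 deny ip any any
interface mgmt0
  ip access-group MGMT0-IN in
```

After applying, "sh ip access-lists summary" should list MGMT0-IN as active on mgmt0 ingress, and "show vlan access-map" / the per-entry statistics show whether the drop sequence is catching unwanted sessions to the SVI.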
