Hopefully this is an easy question but I am having a heck of a time finding an answer.
We have multiple CSS 11500 clusters. We have found that on all of them, if you try to open a session on any port to an IP address on the backend of the CSS, the CSS will complete the SYN-ACK-ACK session with the client. This happens regardless of whether there is something on that IP address or not.
10.1.1.0/24 --- CSS --- 10.2.2.0/24
Coming from any IP, if I try to telnet to ANY IP on the 10.2.2.0 subnet (whether or not there is an actual server on that IP) on any port (whether or not that port is open), the CSS will complete the initial connection. I have verified this using telnet to numerous ports and viewing the transaction in a packet capture.
Is there any way to shut this off? This is causing some licensing issues for our security folks that use a vulnerability scanner licensed on number of IP addresses.
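A scripted version of the telnet test described above, as an added example that is not part of the original thread: it attempts a TCP connect on a handful of ports of one address and flags the "every port completes the handshake" pattern, which is what inflates the scanner's live-host count. The local listener and the port choices are constructed fixtures so the script runs offline; point `probe()` at an address behind the CSS to reproduce the check.

```python
"""Detect a device that completes the TCP handshake for every port/IP it fronts."""
import socket
import threading
from typing import Dict, Iterable, Tuple


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one connection attempt: 'open' means the three-way handshake completed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:      # RST came back: a real host with a closed port
        return "refused"
    except (socket.timeout, TimeoutError):  # no answer at all: filtered or nothing there
        return "timeout"
    except OSError:                     # routing / host-unreachable errors
        return "unreachable"


def probe(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Probe several ports on one address and return the per-port classification."""
    return {p: tcp_connect(host, p) for p in ports}


def looks_like_handshake_proxy(results: Dict[int, str]) -> bool:
    """True when every probed port, including ports nothing should listen on, completed
    the handshake; a real host would refuse or ignore at least one of them."""
    return bool(results) and all(state == "open" for state in results.values())


def pick_closed_port() -> int:
    """Constructed fixture: grab an ephemeral loopback port and release it, so a connect
    to it is refused by the OS (no listener), mimicking a normal host's closed port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed fixture: a loopback listener that accepts and immediately closes,
    standing in for a port the CSS answers on. Returns (server socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # server socket closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]
```

Against a real backend address, probe a mix of expected service ports and a few high unused ones; an "open" verdict on all of them is the CSS behaviour from the post, not a live host.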
The only thing that comes to mind is that you have a content rule VIP with a broad mask configured, without a port, and with at least one active service configured on it. Just to make sure, can you attach your configuration so we can take a quick look?
Thanks for your reply and I apologize for not responding sooner - I've been out on vacation.
There is no mask configured under content rules.
Also, we have a very large environment and have 5 different sets of CSS content switches. Every single one behaves in this manner so if this were a configuration error, it would have to have been made on every set of content switches.
You should be able to set up ACLs (on the CSS) such that only traffic destined for defined backend servers is allowed to be passed through the CSS. See this reference.
Be careful to note the "apply" convention used with ACLs in CSS software. It's a bit different from normal Cisco ACLs you may be familiar with. The guide covers it but unless you've done it a couple times, it takes some getting used to.