Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
232
Views
0
Helpful
3
Replies

[N5K] in-band management issue

MichaelSchoen
Level 1
Level 1

‎03-14-2014 12:36 AM - edited ‎03-07-2019 06:42 PM

Hi there,

Due to security guidelines we only want to use the mgmt0-Interface as EOOB for managament traffic (ssh, ntp, snmp, aaa, ...).

So, based on NX-OS config/command ref.-guides in-band management access has to be explicitly enabled by using the 'management' keyword during SVI configuration, 'no management' is the interface default.

We thought this would be a pretty cool feature, because it secures the management plane to be accessed from produktion vlans, without using ACL.

 

But, surprisingly we were able to ssh to an produktion SVI on an N5K running 6.0.2n24 during a lab-session yesterday!

 

Is this only a software bug in the current release oder are we missing something?

(I had no chance the check against our N7K yet)

 

TIA,

Michael

 

 

Labels:
0 Helpful
3 Replies 3

sean_evershed
Level 7
Level 7

‎03-14-2014 01:07 AM

I don't think that it is a bug.

The NX-OS guide states that, "having different SVIs for routing and management separates data traffic from management traffic, which can reduce competition for routing resources."

It doesn't state anything about securing the management plane.

Therefore if the management VLAN is being advertised in your routing table, then anyone can SSH to it.

0 Helpful

MichaelSchoen
Level 1
Level 1
In response to sean_evershed

‎03-14-2014 01:54 AM

Thanks for your reply, Sean. We don't want a management vlan at all. All management traffic is directed to the mgmt0-Interface using a separate EOOB-Network. So what is the purpose of the 'management' keyword in the interface configmode if not disabling managemant access via SVI?
0 Helpful

sean_evershed
Level 7
Level 7
In response to MichaelSchoen

‎03-14-2014 03:52 AM

The guide goes on to state that, "although the CLI does not prevent you from configuring routing protocols on a management SVI, we recommend that you do not configure them on management SVIs."

It seems to me that this management VLAN feature gives you the option of configuring a management VRF without the need for purchasing an OSI Layer 3 license for the N5K.

Don't forget to rate all helpful posts.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card