Cisco Support Community
[N5K] in-band management issue

Hi there,

Due to security guidelines we only want to use the mgmt0 interface as EOOB for management traffic (SSH, NTP, SNMP, AAA, ...).

So, based on the NX-OS configuration/command reference guides, in-band management access has to be explicitly enabled by using the 'management' keyword during SVI configuration; 'no management' is the interface default.

We thought this would be a pretty cool feature, because it secures the management plane against access from production VLANs without using ACLs.

But, surprisingly, we were able to SSH to a production SVI on an N5K running 6.0.2n24 during a lab session yesterday!

Is this only a software bug in the current release, or are we missing something?

(I had no chance to check this against our N7K yet.)

 

TIA,

Michael


3 REPLIES

I don't think that it is a bug.

The NX-OS guide states that, "having different SVIs for routing and management separates data traffic from management traffic, which can reduce competition for routing resources."

It doesn't state anything about securing the management plane.

Therefore if the management VLAN is being advertised in your routing table, then anyone can SSH to it.

Thanks for your reply, Sean. We don't want a management VLAN at all. All management traffic is directed to the mgmt0 interface using a separate EOOB network. So what is the purpose of the 'management' keyword in the interface config mode, if not disabling management access via SVI?

The guide goes on to state that, "although the CLI does not prevent you from configuring routing protocols on a management SVI, we recommend that you do not configure them on management SVIs."

It seems to me that this management VLAN feature gives you the option of configuring a management VRF without the need for purchasing an OSI Layer 3 license for the N5K.

Don't forget to rate all helpful posts.
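As an added example, not taken from the original thread or from Cisco documentation, the configuration below separates the two things the replies distinguish: the 'management' keyword on an SVI only classifies that SVI as a management SVI (the resource-separation hint Sean quotes), while actually restricting SSH to sources on the out-of-band network requires an explicit VTY ACL. VLAN number, subnets and the ACL name are assumptions chosen for illustration; the VTY ACL command form follows the NX-OS security configuration guide, and should be confirmed on the specific N5K release in use.

```cisco
! Added example, not part of the original thread. VLAN 10, the
! 10.10.10.0/24 and 192.0.2.0/24 subnets and the ACL name are assumptions.
!
! 1. A production SVI. 'no management' is the default and says nothing
!    about reachability: with the SVI up, the switch still answers SSH
!    on 10.10.10.1 unless the management plane is filtered.
interface Vlan10
  description production
  no shutdown
  ip address 10.10.10.1/24
  no management

! 2. The out-of-band interface. On NX-OS, mgmt0 belongs to the
!    "management" VRF by default, so its routes stay out of the
!    default VRF used by the production SVIs.
interface mgmt0
  ip address 192.0.2.10/24
vrf context management
  ip route 0.0.0.0/0 192.0.2.1

! 3. What actually enforces "SSH only from the EOOB network": a VTY ACL
!    matched on the session source, whichever interface the packet
!    arrived on. A client in 10.10.10.0/24 is refused even though
!    Vlan10 is routed and reachable.
ip access-list VTY-MGMT-ONLY
  10 permit tcp 192.0.2.0/24 any eq 22
  20 deny ip any any
line vty
  access-class VTY-MGMT-ONLY in

! 4. Verify the result after the change.
show running-config interface vlan 10
show ip access-lists VTY-MGMT-ONLY
show running-config | section vty
```

The same reasoning applies to the other protocols listed in the question: the SVI keyword does not gate NTP, SNMP or AAA either, so each of those services needs its own source restriction (or must be bound to the management VRF) if the mgmt0 network is to be the only entry point. A quick test from a host in the production VLAN, as the original poster did in the lab, remains the check that matters: the SSH attempt should now be refused at the TCP level rather than reach the login prompt.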
