Hi,
I'm trying to restrict access to the supervisor module mgmt0 port and am following
http://www.cisco.com/en/US/docs/switches/datacenter/sw/best_practices/cli_mgmt_guide/N7K_CLI_Mgmt_Best_Prac.pdf
Access List
Introduced: Cisco NX-OS Release 4.0(1)
The supervisor module mgmt0 port should be configured with an inbound access list to increase security
by restricting access to specific source host/subnet addresses destined to specific management protocols
configured on the Nexus 7000. The access-list entries will vary depending on the management protocols
that are enabled. Access-list statistics can be tracked per ACL entry if the ACL command
statistics per-entry is configured. The supervisor module CPU performs access-list processing when an
access-list is applied to the mgmt0 port.
n7000(config)# ip access-list mgmt0-access
n7000(config-acl)# statistics per-entry
n7000(config-acl)# permit tcp x.x.x.x/x b.b.b.b/32 eq 22
n7000(config-acl)# permit udp x.x.x.x/x b.b.b.b/32 eq snmp
n7000(config-acl)# permit tcp x.x.x.x/x b.b.b.b/32 eq tacacs
n7000(config-acl)# permit udp x.x.x.x/x b.b.b.b/32 eq ntp
n7000(config)# interface mgmt0
n7000(config-if)# ip access-group mgmt0-access in
n7000(config-if)# ip address b.b.b.b/x
But I still have warning messages in my log file:
2014 Jan 24 12:55:50 n7k-right %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user Administrator from 10.99.0.222 - sshd[18467]
2014 Jan 24 12:56:01 n7k-right %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user Administrator from 10.99.0.222 - sshd[18469]
IP access list mgmt0-access
statistics per-entry
10 deny tcp 10.99.0.222/32 10.88.250.3/32 eq 22 [match=0]
15 deny tcp 10.99.0.222/32 10.88.250.1/32 eq 22 [match=0]
20 deny tcp 10.88.0.95/32 10.88.250.3/32 eq 22 [match=0]
25 deny tcp 10.88.0.95/32 10.88.250.1/32 eq 22 [match=0]
30 permit tcp any 10.88.250.3/32 eq 22 [match=52536]
interface mgmt0
ip access-group mgmt0-access in
ip address 10.88.250.3/24
What am I doing incorrectly?
Thank you!
Mike
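An added example, not part of the post or of Cisco's guide: a small Python script that parses the "show ip access-lists" output with per-entry statistics shown above and emulates NX-OS first-match ACE evaluation, so you can check which entry the failed SSH session from 10.99.0.222 in the syslog should have been counted against. The function and variable names are assumptions; the ACL and syslog samples are constructed from the post.

```python
import ipaddress
import re
# Constructed sample input, copied in shape from the post (not live device output).
ACL_TEXT = """IP access list mgmt0-access
statistics per-entry
10 deny tcp 10.99.0.222/32 10.88.250.3/32 eq 22 [match=0]
15 deny tcp 10.99.0.222/32 10.88.250.1/32 eq 22 [match=0]
20 deny tcp 10.88.0.95/32 10.88.250.3/32 eq 22 [match=0]
25 deny tcp 10.88.0.95/32 10.88.250.1/32 eq 22 [match=0]
30 permit tcp any 10.88.250.3/32 eq 22 [match=52536]"""
SYSLOG = ("2014 Jan 24 12:55:50 n7k-right %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:"
          "Authentication failed for user Administrator from 10.99.0.222 - sshd[18467]")

# One ACE line of 'show ip access-lists' output with 'statistics per-entry' enabled.
ACE_RE = re.compile(r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+(?P<src>\S+)"
                    r"\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\w+))?\s+\[match=(?P<hits>\d+)\]")
NAMED_PORTS = {"ssh": 22, "snmp": 161, "tacacs": 49, "ntp": 123}  # names NX-OS prints for ports

def parse_acl(text):
    """Return the ACEs in sequence order as dicts (seq, action, proto, src, dst, port, hits)."""
    aces = []
    for m in filter(None, (ACE_RE.match(l.strip()) for l in text.splitlines())):
        ace = m.groupdict()
        ace["seq"], ace["hits"] = int(ace["seq"]), int(ace["hits"])
        p = ace["port"]  # None when the ACE carries no 'eq' port qualifier
        ace["port"] = None if p is None else (int(p) if p.isdigit() else NAMED_PORTS[p])
        aces.append(ace)
    return aces

def _covers(token, addr):
    """True if an ACE address token ('any' or prefix/len) covers addr."""
    return token == "any" or addr in ipaddress.ip_network(token, strict=False)

def first_match(aces, proto, src, dst, dport):
    """Emulate first-match ACL evaluation; falls through to a synthetic implicit-deny entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if (ace["proto"] in (proto, "ip") and _covers(ace["src"], s) and _covers(ace["dst"], d)
                and ace["port"] in (None, dport)):
            return ace
    return {"seq": None, "action": "implicit-deny", "hits": None}

def check_ssh_log(acl_text, syslog, mgmt_ip):
    """For each failed-login source in the log, report the ACE that should have counted the session."""
    aces = parse_acl(acl_text)
    report = []
    for src in re.findall(r"failed for user \S+ from (\d+\.\d+\.\d+\.\d+)", syslog):
        ace = first_match(aces, "tcp", src, mgmt_ip, 22)
        report.append((src, ace["seq"], ace["action"], ace["hits"]))
    return report
```

For the flow in the log (10.99.0.222 to 10.88.250.3, tcp/22) this returns sequence 10, a deny with match=0, which is a quick way to confirm that the sessions producing the log entries are not being evaluated by the ACL bound to mgmt0.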