Nexus 7009 mgmt0 port

rmv72
Level 1

Hi,

I'm trying to restrict access to the supervisor module mgmt0 port and am following

http://www.cisco.com/en/US/docs/switches/datacenter/sw/best_practices/cli_mgmt_guide/N7K_CLI_Mgmt_Best_Prac.pdf

Access List

Introduced: Cisco NX-OS Release 4.0(1)

The supervisor module mgmt0 port should be configured with an inbound access list to increase security by restricting access to specific source host/subnet addresses destined to specific management protocols configured on the Nexus 7000. The access-list entries will vary depending on the management protocols that are enabled. Access-list statistics can be tracked per ACL entry if the ACL command statistics per-entry is configured. The supervisor module CPU performs access-list processing when an access-list is applied to the mgmt0 port.

n7000(config)# ip access-list mgmt0-access
n7000(config-acl)# statistics per-entry
n7000(config-acl)# permit tcp x.x.x.x/x b.b.b.b/32 eq 22
n7000(config-acl)# permit udp x.x.x.x/x b.b.b.b/32 eq snmp
n7000(config-acl)# permit tcp x.x.x.x/x b.b.b.b/32 eq tacacs
n7000(config-acl)# permit udp x.x.x.x/x b.b.b.b/32 eq ntp
n7000(config)# interface mgmt0
n7000(config-if)# ip access-group mgmt0-access in
n7000(config-if)# ip address b.b.b.b/x

But I still have warning messages in my log file:

2014 Jan 24 12:55:50 n7k-right %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user Administrator from 10.99.0.222 - sshd[18467]
2014 Jan 24 12:56:01 n7k-right %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user Administrator from 10.99.0.222 - sshd[18469]

IP access list mgmt0-access
        statistics per-entry
        10 deny tcp 10.99.0.222/32 10.88.250.3/32 eq 22 [match=0]
        15 deny tcp 10.99.0.222/32 10.88.250.1/32 eq 22 [match=0]
        20 deny tcp 10.88.0.95/32 10.88.250.3/32 eq 22 [match=0]
        25 deny tcp 10.88.0.95/32 10.88.250.1/32 eq 22 [match=0]
        30 permit tcp any 10.88.250.3/32 eq 22 [match=52536]

interface mgmt0
  ip access-group mgmt0-access in
  ip address 10.88.250.3/24

What am I doing incorrectly?

Thank you!

Mike
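The symptom in the post is that SSH sessions from 10.99.0.222 reach sshd even though the first matching ACE for that flow is a deny with zero hits. As an added example (not part of the original post or of Cisco's documentation), the script below parses constructed samples shaped like the "show ip access-list" output and the %AUTHPRIV syslog lines, evaluates each logged SSH source against the ACL in first-match order, and flags any flow where the ACE that should have decided it disagrees with what sshd recorded. The mgmt0 address (10.88.250.3) is taken from the post; the helper and report field names are my own.

```python
"""Check NX-OS mgmt0 ACL entries against SSH attempts recorded in syslog.
Inputs are constructed samples modelled on the thread's 'show ip access-list'
and %AUTHPRIV-3-SYSTEM_MSG output. ACLs evaluate first-match, top-down,
with an implicit deny at the end (hypothetical helper names throughout)."""
import ipaddress
import re

ACL_TEXT = """IP access list mgmt0-access
        statistics per-entry
        10 deny tcp 10.99.0.222/32 10.88.250.3/32 eq 22 [match=0]
        15 deny tcp 10.99.0.222/32 10.88.250.1/32 eq 22 [match=0]
        30 permit tcp any 10.88.250.3/32 eq 22 [match=52536]
"""
SYSLOG = """2014 Jan 24 12:55:50 n7k-right %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user Administrator from 10.99.0.222 - sshd[18467]
2014 Jan 24 12:56:01 n7k-right %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user Administrator from 10.99.0.222 - sshd[18469]
"""
ACE_RE = re.compile(r"^\s*(\d+) (permit|deny) (\w+) (\S+) (\S+) eq (\d+)(?: \[match=(\d+)\])?")
SSH_SRC_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+) - sshd\[")

def parse_acl(text):
    """Turn 'show ip access-list' lines into an ordered list of ACE dicts."""
    entries = []
    for m in filter(None, map(ACE_RE.match, text.splitlines())):
        seq, action, proto, src, dst, port, hits = m.groups()
        entries.append({"seq": int(seq), "action": action, "proto": proto,
                        "src": src, "dst": dst, "port": int(port), "hits": int(hits or 0)})
    return entries

def _in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def first_match(entries, src, dst, proto="tcp", port=22):
    """Return the first ACE the flow hits, or None for the implicit deny."""
    for e in entries:
        if (e["proto"] == proto and e["port"] == port
                and _in_net(src, e["src"]) and _in_net(dst, e["dst"])):
            return e
    return None

def audit(acl_text, syslog_text, mgmt_ip):
    """For each SSH source sshd logged, report the ACE that should have decided the
    flow. A session reaching sshd while its first-match ACE is a deny means the
    ACL is not filtering that traffic, whatever the cause."""
    entries, report = parse_acl(acl_text), {}
    for src in set(SSH_SRC_RE.findall(syslog_text)):
        e = first_match(entries, src, mgmt_ip)
        report[src] = {"expected_seq": e["seq"] if e else None,
                       "expected_action": e["action"] if e else "implicit-deny",
                       "recorded_hits": e["hits"] if e else 0,
                       "acl_effective": bool(e and e["action"] == "permit")}
    return report
```

Running audit(ACL_TEXT, SYSLOG, "10.88.250.3") reports sequence 10 (deny, 0 hits) as the expected decision for 10.99.0.222 with acl_effective False, which is the discrepancy worth chasing before touching the ACE order.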
