Nexus 7009 mgmt0 port

Hi,

I'm trying to restrict access to the supervisor module mgmt0 port and am following

http://www.cisco.com/en/US/docs/switches/datacenter/sw/best_practices/cli_mgmt_guide/N7K_CLI_Mgmt_Best_Prac.pdf

Access List

Introduced: Cisco NX-OS Release 4.0(1)

The supervisor module mgmt0 port should be configured with an inbound access list to increase security by restricting access to specific source host/subnet addresses destined to specific management protocols configured on the Nexus 7000. The access-list entries will vary depending on the management protocols that are enabled. Access-list statistics can be tracked per ACL entry if the ACL command statistics per-entry is configured. The supervisor module CPU performs access-list processing when an access-list is applied to the mgmt0 port.

n7000(config)# ip access-list mgmt0-access
n7000(config-acl)# statistics per-entry
n7000(config-acl)# permit tcp x.x.x.x/x b.b.b.b/32 eq 22
n7000(config-acl)# permit udp x.x.x.x/x b.b.b.b/32 eq snmp
n7000(config-acl)# permit tcp x.x.x.x/x b.b.b.b/32 eq tacacs
n7000(config-acl)# permit udp x.x.x.x/x b.b.b.b/32 eq ntp
n7000(config)# interface mgmt0
n7000(config-if)# ip access-group mgmt0-access in
n7000(config-if)# ip address b.b.b.b/x

But I still have warning messages in my log file:

2014 Jan 24 12:55:50 n7k-right %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user Administrator from 10.99.0.222 - sshd[18467]
2014 Jan 24 12:56:01 n7k-right %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user Administrator from 10.99.0.222 - sshd[18469]

IP access list mgmt0-access
        statistics per-entry
        10 deny tcp 10.99.0.222/32 10.88.250.3/32 eq 22 [match=0]
        15 deny tcp 10.99.0.222/32 10.88.250.1/32 eq 22 [match=0]
        20 deny tcp 10.88.0.95/32 10.88.250.3/32 eq 22 [match=0]
        25 deny tcp 10.88.0.95/32 10.88.250.1/32 eq 22 [match=0]
        30 permit tcp any 10.88.250.3/32 eq 22 [match=52536]

interface mgmt0
  ip access-group mgmt0-access in
  ip address 10.88.250.3/24

What am I doing incorrectly?

Thank you!

Mike

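An added offline check, written for this thread and not part of the post or of any Cisco tool, that shows how to cross-check the ACL text against the device's own evidence. It parses "show ip access-lists" style output as quoted in the post, replays NX-OS first-match semantics (entries evaluated in sequence order, implicit deny at the end) for every source address that appears in a pam_aaa authentication-failure line, and flags any source for which the ACL text selects a deny entry whose [match=] counter is still zero. The ACL and syslog lines below are constructed copies of the ones in the post; PORT_NAMES is my own mapping of the port keywords used in the best-practices excerpt (ssh, snmp, tacacs, ntp) to numbers, and the first-match model is the general ACL rule rather than anything read from the platform.

```python
"""Offline check: do the sources of failed SSH logins hit a deny entry in the mgmt0 ACL?"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed mapping of the port keywords used in the NX-OS ACL syntax on the page.
PORT_NAMES = {"ssh": 22, "snmp": 161, "tacacs": 49, "ntp": 123}

# One ACL entry as printed by "show ip access-lists" with statistics per-entry.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\w+)\s+(\S+)\s+(\S+)"
    r"(?:\s+eq\s+(\S+))?(?:\s+\[match=(\d+)\])?\s*$"
)
# The pam_aaa failure message from the syslog lines in the post.
AUTH_FAIL_RE = re.compile(
    r"Authentication failed for user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass
class AclEntry:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None when the entry has no "eq" clause
    reported_matches: Optional[int]  # the [match=N] counter, None if absent


def _network(token: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def _port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(show_output: str) -> list:
    """Parse the ACL listing; the header and 'statistics per-entry' lines do not match and are skipped."""
    entries = []
    for line in show_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            seq, action, proto, src, dst, port, matches = m.groups()
            entries.append(AclEntry(int(seq), action, proto, _network(src), _network(dst),
                                    _port(port), int(matches) if matches else None))
    return sorted(entries, key=lambda e: e.seq)


def first_match(entries, proto, src_ip, dst_ip, dport) -> Optional[AclEntry]:
    """Sequence-ordered first-match lookup; None stands for the implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto not in (proto, "ip"):
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e
    return None


def failed_login_sources(log_text: str) -> list:
    return sorted({m.group(2) for m in AUTH_FAIL_RE.finditer(log_text)})


def audit(acl_text: str, log_text: str, mgmt_ip: str, port: int = 22) -> dict:
    """For each source that failed SSH auth: which entry the ACL text selects, and whether the
    device counter on that entry disagrees (a deny entry that reports zero hits)."""
    entries = parse_acl(acl_text)
    report = {}
    for src in failed_login_sources(log_text):
        hit = first_match(entries, "tcp", src, mgmt_ip, port)
        report[src] = {
            "seq": hit.seq if hit else None,
            "verdict": hit.action if hit else "deny (implicit)",
            "counter_disagrees": hit is not None and hit.action == "deny" and hit.reported_matches == 0,
        }
    return report


# Constructed copies of the ACL listing and the two syslog lines quoted in the post.
ACL_TEXT = """\
IP access list mgmt0-access
        statistics per-entry
        10 deny tcp 10.99.0.222/32 10.88.250.3/32 eq 22 [match=0]
        15 deny tcp 10.99.0.222/32 10.88.250.1/32 eq 22 [match=0]
        20 deny tcp 10.88.0.95/32 10.88.250.3/32 eq 22 [match=0]
        25 deny tcp 10.88.0.95/32 10.88.250.1/32 eq 22 [match=0]
        30 permit tcp any 10.88.250.3/32 eq 22 [match=52536]
"""
LOG_TEXT = """\
2014 Jan 24 12:55:50 n7k-right %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user Administrator from 10.99.0.222 - sshd[18467]
2014 Jan 24 12:56:01 n7k-right %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user Administrator from 10.99.0.222 - sshd[18469]
"""

if __name__ == "__main__":
    for source, result in audit(ACL_TEXT, LOG_TEXT, "10.88.250.3").items():
        print(source, result)
```

Run against the post's data, the check reports that a TCP/22 packet from 10.99.0.222 to 10.88.250.3 would be selected by entry 10 (deny), while that entry reports match=0 and only the permit-any entry 30 is counting. The ACL text itself is therefore not what lets the sessions through, which narrows the question to whether those SSH connections are really entering via mgmt0 under this ACL, and that is what to verify next on the device rather than editing the entries again.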