Could anyone comment on whether the capability exists to configure an ACL that protects management access, restricting access to certain source subnets? I want to use in-band mgmt access (interface vlan feature) but limit the access by IP. ACLs seem to be only configurable on a per port basis or VLAN mapped basis, not on the VLAN Interface or Line VTY. Thanks in advance to anyone who offers a comment!
WLCs have a "session level" access control for management protocols. It is important to understand how they work in order to prevent incorrect assessment on what is allowed or not allowed by the controller.
The commands to restrict what management protocols are allowed are (on a global scope)
For more information please follow up on this link:
Thanks for taking the time for the above post. However my question has to do with the Nexus 5020 switch not the wireless controllers.
I understand what you're seeing, and I don't have a solution for you. I will explain what workarounds I encountered on the 7K series, though.
The 7K comes stock with a relatively lengthy "Control-Plane Policing" series of ACLs. This is written to rate limit various types of traffic destined to the control plane, in an effort to keep the box up even during a DoS.
However, it's not possible to write an ACL surrounding the VTY or SNMP strings any more. As a result, you're now forced to use the CoPP as a way to protect the in-band network management protocols. I wrote a class map to permit traffic from my management network, and drop it from everything else, and then I applied that to the control plane.
In addition, I created a new ACL and wrapped it around my Mgmt0, allowing only certain protocols, addresses, etc etc.
The point being: NX-OS has scrapped the concept of ACLs on the VTYs, and replaced it with a different mechanism. I can see how this feature set shaped NX-OS, but this doesn't apply as such to the 5K, so it doesn't fit quite right. (and is unavailable.)
As such, I plan on just using the mgmt0 port (with an ACL around it) and not putting IP addresses on the VLANs of the 5K. (It doesn't buy you much, since it's a L2 device anyways.) Note that the mgmt VLAN is a totally separate VRF, so you can really plug one of the VLANs that's flowing through the box anyways; you just need a separate cat 5 run to make this happen.
Thanks Nate for taking the time to reply!
I appreciate your comments confirming that the method for protecting mgmt access to the box has changed. We'll have to rethink how we're going to do that.
MGMT0 ACLs are actually not available at this time either, but will be available by the second 4.1(3) release.
Please watch CSCsq20638 for more details on VTY ACLs.
You can probably do this with a VACL. It would look something like the following:
ip access-list ALLOW-MGT
  5 deny icmp 188.8.131.52/32 any
  6 deny tcp 184.108.40.206/32 gt 1023 any eq 22
  30 permit ip any any
vlan access-map ALLOW-MGT
  match ip address ALLOW-MGT
vlan filter ALLOW-MGT vlan-list 101
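As an added illustration, not part of the thread or of any Cisco code: a small first-match evaluator for NX-OS style IPv4 ACEs, run over the access list posted above and over a source-allowlist version of the kind the original question asks for (the 10.0.0.0/24 management subnet and 10.1.101.1 SVI address in the allowlist are constructed placeholders). It models plain ACL semantics (first match wins, implicit deny at the end), not the way a VACL's access-map action interacts with deny entries.

```python
import ipaddress

# Added example, not from the thread: first-match evaluator for NX-OS style
# IPv4 ACEs. Only the ACE shapes used below are parsed: proto, source and
# destination prefix or "any", optional "eq"/"gt" port after either address.

def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _port_ok(cond, port):
    if cond is None:
        return True
    op, val = cond
    return port == val if op == "eq" else port > val

def parse_ace(line):
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, sport, i = _net(t[3]), None, 4
    if t[i] in ("eq", "gt"):
        sport, i = (t[i], int(t[i + 1])), i + 2
    dst, dport, i = _net(t[i]), None, i + 1
    if i < len(t) and t[i] in ("eq", "gt"):
        dport = (t[i], int(t[i + 1]))
    return seq, action, proto, src, sport, dst, dport

def evaluate(acl_text, proto, src_ip, dst_ip, sport=0, dport=0):
    aces = sorted((parse_ace(l) for l in acl_text.strip().splitlines()),
                  key=lambda a: a[0])
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, action, ap, asrc, asp, adst, adp in aces:
        if ap not in ("ip", proto):
            continue
        if (asrc is not None and s not in asrc) or (adst is not None and d not in adst):
            continue
        if _port_ok(asp, sport) and _port_ok(adp, dport):
            return action
    return "deny"  # implicit deny at the end of every ACL

# Access list exactly as posted above (addresses as they appear there).
POSTED = """5 deny icmp 188.8.131.52/32 any
6 deny tcp 184.108.40.206/32 gt 1023 any eq 22
30 permit ip any any"""

# Source-allowlist form of the kind the question asks for. 10.0.0.0/24 (the
# management subnet) and 10.1.101.1 (the SVI address) are constructed values;
# line 30 keeps transit traffic on the VLAN flowing.
ALLOWLIST = """10 permit tcp 10.0.0.0/24 10.1.101.1/32 eq 22
20 deny tcp any 10.1.101.1/32 eq 22
30 permit ip any any"""
```

Running both lists shows the difference: the posted list only blocks two named hosts and lets SSH from any other source reach the SVI, while the allowlist rejects SSH to the SVI from outside the management subnet and leaves SSH to other hosts on the VLAN untouched.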