Cisco Support Community
New Member

Nexus 5000 - Securing MGMT Access

Could anyone comment on whether the capability exists to configure an ACL that protects management access, restricting access to certain source subnets? I want to use inband mgmt access (interface vlan feature) but limit the access by IP. ACLs seem to be only configurable on a per port basis or VLAN mapped basis, not on the VLAN Interface or Line VTY. Thanks in advance to anyone who offers a comment!

  • Server Networking
10 REPLIES
Bronze

Re: Nexus 5000 - Securing MGMT Access

WLCs have a “session level” access control for management protocols. It is important to understand how they work in order to prevent incorrect assessment on what is allowed or not allowed by the controller.

The commands to restrict what management protocols are allowed are (on a global scope)

for more information please follow up on this link:

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a7c988.shtml#t3

New Member

Re: Nexus 5000 - Securing MGMT Access

Thanks for taking the time for the above post. However my question has to do with the Nexus 5020 switch not the wireless controllers.

Bronze

Re: Nexus 5000 - Securing MGMT Access

I understand what you're seeing, and I don't have a solution for you. I will explain what workarounds I encountered on the 7K series, though.

The 7K comes stock with a relatively lengthy "Control-Plane Policing" series of ACLs. This is written to rate limit various types of traffic destined to the control plane, in an effort to keep the box up even during a DoS.

However, it's not possible to write an ACL surrounding the VTY or SNMP strings any more. As a result, you're now forced to use the CoPP as a way to protect the in-band network management protocols. I wrote a class map to permit traffic from my management network, and drop it from everything else- and then I applied that to the control plane.

In addition, I created a new ACL and wrapped it around my Mgmt0, allowing only certain protocols, addresses, etc etc.

The point being: NX-OS has scrapped the concept of ACLs on the VTYs, and replaced it with a different mechanism. I can see how this feature set shaped NX-OS, but this doesn't apply as such to the 5K, so it doesn't fit quite right. (and is unavailable.)

As such, I plan on just using the mgmt0 port (with an ACL around it) and not putting IP addresses on the VLANs of the 5k. (it doesn't buy you much, since it's a L2 device anyways.) Note that the mgmt VLAN is a totally separate vrf, so you can really plug one of the VLANs that's flowing through the box anyways- you just need a separate cat 5 run to make this happen.
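As an added illustration of the two pieces described in the reply above (this is not the poster's configuration and not a Cisco-supplied template), the following shows the shape of a mgmt0 ACL that admits only a trusted management subnet, and a Nexus 7000 control-plane class pair that passes SSH and SNMP from that subnet while dropping the same protocols from any other source. The subnet 10.10.0.0/24, the switch address 10.10.0.5, the policing rates and all object names are assumptions; the mgmt0 interface sits in the management VRF as the reply notes, and the CoPP half uses Nexus 7000 syntax which, per the reply, was not available on the 5000 at the time of the thread.

```text
! --- Out-of-band: ACL on mgmt0 (management VRF), trusted subnet only ---
ip access-list MGMT0-IN
  10 remark SSH, SNMP and ping from the management subnet to this switch
  20 permit tcp 10.10.0.0/24 10.10.0.5/32 eq 22
  30 permit udp 10.10.0.0/24 10.10.0.5/32 eq 161
  40 permit icmp 10.10.0.0/24 10.10.0.5/32 echo
  50 deny ip any any
interface mgmt0
  ip address 10.10.0.5/24
  ip access-group MGMT0-IN in

! --- In-band: CoPP classes (Nexus 7000 syntax, assumed here) ---
! The ACLs are classifiers only; a 'permit' means 'this class matches'.
ip access-list COPP-MGMT-TRUSTED
  10 permit tcp 10.10.0.0/24 any eq 22
  20 permit udp 10.10.0.0/24 any eq 161
ip access-list COPP-MGMT-ANY
  10 permit tcp any any eq 22
  20 permit udp any any eq 161
class-map type control-plane match-any MGMT-TRUSTED
  match access-group name COPP-MGMT-TRUSTED
class-map type control-plane match-any MGMT-UNTRUSTED
  match access-group name COPP-MGMT-ANY
! Classes are evaluated in order: trusted sources are rate-limited and passed,
! the same protocols from anywhere else hit the second class and are dropped.
policy-map type control-plane COPP-MGMT
  class MGMT-TRUSTED
    police cir 512 kbps bc 250 ms conform transmit violate drop
  class MGMT-UNTRUSTED
    police cir 8 kbps bc 250 ms conform drop violate drop
control-plane
  service-policy input COPP-MGMT
```

Two caveats a practitioner would check before applying this: the policy map above contains only the two management classes, so as written it would replace the default CoPP policy that also protects routing protocols, ARP, and so on; in practice the two classes are added to a copy of the default policy rather than applied on their own. And because the drop class matches SSH and SNMP from any source, a mistake in the trusted ACL locks out in-band access, which is exactly why the reply keeps mgmt0 with its own ACL as the out-of-band path.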

New Member

Re: Nexus 5000 - Securing MGMT Access

Thanks Nate for taking the time to reply!

I appreciate your comments confirming that the method for protecting mgmt access to the box has changed. We'll have to rethink how we're going to do that.

Thanks again.

Simon

New Member

Re: Nexus 5000 - Securing MGMT Access

MGMT0 ACLs are actually not available at this time either, but will be available by the second 4.1(3) release.

Please watch CSCsq20638 for more details on VTY ACLs.

New Member

Re: Nexus 5000 - Securing MGMT Access

You can probably do this with a VACL. It would look something like the following:

ip access-list ALLOW-MGT
  5 deny icmp 1.1.1.1/32 any
  6 deny tcp 2.2.2.2/32 gt 1023 any eq 22
  30 permit ip any any
vlan access-map ALLOW-MGT
  match ip address ALLOW-MGT
  action forward
  statistics
vlan filter ALLOW-MGT vlan-list 101
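The VACL in the reply above blocks two specific hosts and forwards everything else. The original question asked for the reverse policy: allow management access to the in-band address only from certain source subnets. As an added example (not the poster's configuration) built from the same VACL commands, the version below uses sequence-numbered access-map entries with an explicit action for every case, so that the outcome never depends on what the switch does with traffic that matches no entry. The trusted subnet 10.10.0.0/24, the SVI address 192.0.2.10 on VLAN 101, and the object names are assumptions; it covers IPv4 only.

```text
! The ACLs are classifiers for the access map: a 'permit' means 'this map
! entry matches'; the forward/drop decision is the entry's action.
ip access-list MGMT-TRUSTED-SRC
  10 remark management stations allowed to reach the in-band SVI
  20 permit ip 10.10.0.0/24 192.0.2.10/32
ip access-list MGMT-SVI-ANY
  10 remark anything else addressed to the SVI
  20 permit ip any 192.0.2.10/32
ip access-list ANY-IP
  10 permit ip any any

! Entry 10: trusted sources to the SVI are forwarded.
! Entry 20: everything else destined to the SVI is dropped.
! Entry 30: all other traffic bridged on the VLAN is left alone.
vlan access-map MGMT-SVI 10
  match ip address MGMT-TRUSTED-SRC
  action forward
vlan access-map MGMT-SVI 20
  match ip address MGMT-SVI-ANY
  action drop
vlan access-map MGMT-SVI 30
  match ip address ANY-IP
  action forward

vlan filter MGMT-SVI vlan-list 101
```

A VACL is applied to all traffic bridged on VLAN 101, including transit traffic between hosts, so entry 30 is what keeps normal traffic flowing; the SVI's own replies are sourced from 192.0.2.10 rather than addressed to it, so they fall through to entry 30 as well. After applying it, `show vlan access-map` and `show vlan filter` confirm the map contents and the VLAN binding, and an SSH attempt from a host outside 10.10.0.0/24 should time out while one from inside it connects.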

New Member

Re: Nexus 5000 - Securing MGMT Access

I have not found any other alternative so far. Dealing with Nexus 5010 running release 4.1(3)N2(1a).

New Member

Re: Nexus 5000 - Securing MGMT Access

Has anyone found a solution in the new 4.2 code?

Bronze

Re: Nexus 5000 - Securing MGMT Access

VACL is what I'm using currently. That's all I've found out.
