02-23-2023 01:51 AM
We are running ACI 5.2(6e). The Object Store on ACI leaf/spine switches can be accessed via HTTP and HTTPS by default. The Object Store is protected via a login form, but we need to disable access completely, i.e. stop the switches from listening on HTTP/HTTPS over the out-of-band management network. On IOS devices one would usually disable http/https services; however, I did not manage to find out how to do this on ACI leaf/spine switches, or if it is even possible. Can anybody point me in the right direction? Thanks in advance.
03-08-2023 05:51 PM
Hi @i.va,
I've had a few goes at trying to solve this, but haven't had any luck. I had hoped that going down the path of setting up Configuration Zones might help, but the documentation on this is sketchy, and it seems to only apply to firmware upgrades.
I think if you want to restrict HTTP/HTTPS access to the OOB network you'll have to make sure anyone accessing that network does so via a router/firewall, then use good-old ACLs to restrict the access to the IPs of the ACI Leaf/spine switches.
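A way to confirm the firewall ACL described above is doing its job, run from a host on the user side of the firewall (an added example, not part of the original thread). The switch addresses are constructed placeholders from the documentation range, and ports 80/443 are assumed from the HTTP/HTTPS defaults mentioned in the question.

```python
import socket

# Assumption: the Object Store answers on the default HTTP/HTTPS ports.
PORTS = (80, 443)

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'.

    The switch itself keeps listening, so behind a working ACL the
    expected result is 'filtered' (silent drop) or 'refused' (firewall
    answers with a reset). 'open' means the ACL is not in the path.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        # Covers timeouts and ICMP unreachable / admin-prohibited replies.
        return "filtered"

def audit(switches, ports=PORTS, timeout=2.0):
    """Probe every (switch, port) pair and return {(host, port): state}."""
    return {(h, p): probe(h, p, timeout) for h in switches for p in ports}

def exposed(results):
    """Return the sorted (host, port) pairs that still complete a handshake."""
    return sorted(k for k, state in results.items() if state == "open")

if __name__ == "__main__":
    # Constructed placeholder OOB addresses (RFC 5737 documentation range);
    # replace with the leaf/spine management IPs of your own fabric.
    oob_switches = ["192.0.2.11", "192.0.2.12"]
    results = audit(oob_switches)
    for (host, port), state in sorted(results.items()):
        print(f"{host}:{port} {state}")
    leaks = exposed(results)
    print("FAIL: still reachable:" if leaks else "OK: no HTTP/HTTPS reachable", leaks)
    raise SystemExit(1 if leaks else 0)
```

Run it from each network segment that should not reach the switches; a non-zero exit code makes it easy to schedule as a recurring check after firewall changes.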
03-08-2023 10:33 PM
Hey...thanks for your input...there is hardly any information on this, so I ended up blocking this via firewall. Hopefully we will have some more options for hardening in future releases.
10-19-2023 09:55 PM
We never use the Object Store on ACI leaf/spine switches so it would be wise not to expose it if possible. Cisco needs to fix this.