12-12-2016 09:08 AM - edited 03-01-2019 05:06 AM
hello,
We have security auditors combing through our ACI fabric configuration. They want us to demonstrate that IP source routing is disabled.
Anyone know a command or configuration to demonstrate to auditors this is turned off in the ACI Fabric?
Thank you
12-12-2016 09:47 AM
If you're trying to show that Unicast routing is disabled, this would be on a per-BD basis.
You can use this moquery command on any APIC CLI to check this out:
moquery -c fvBD | egrep 'dn|unicastRoute'
Robert
12-12-2016 10:10 AM
I'm not aware of a command that would demonstrate source routing is disabled however I did just verify in the lab that 'disabled' appears to be the default behavior.
What I did to test in the lab was to use an extended ping on an external router and set the source-routing flag by using the 'Loose' option.
Nexus-box# ping
Vrf context to use [default] :MCAST
Target IP address or Hostname: 106.106.106.106
Repeat count [5] :
Datagram size [56] :
Timeout in seconds [2] :
Sending interval in seconds [0] :
Extended commands [no] : yes
Source address or interface :
Data pattern [0xabcd] :
Type of service [0] :
Set DF bit in IP header [no] :
Time to live [255] :
Loose, Strict, Record, Timestamp, Verbose [None] : Loose
Source route: 2.2.2.1 ***Set this to your next hop on the connected subnet that your route to destination points to
Loose, Strict, Record, Timestamp, Verbose [L] :
Sweep range of sizes [no] :
Sending 5, 56-bytes ICMP Echos to 106.106.106.106
Timeout is 2 seconds, data pattern is 0xABCD
.....
--- 106.106.106.106 ping statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss
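The lab test above relies on the external router inserting a Loose Source Route option into the ICMP echo. The script below is an added illustration (not from this thread or from Cisco) of what that packet actually carries and how a device that honours "no ip source-route" semantics would recognise and drop it: it builds an IPv4 datagram with an LSRR or SSRR option, then parses the option list back out. The addresses and the echo payload are constructed test data; only 106.106.106.106 and the 2.2.2.1 next hop are borrowed from the post above. The same parser can be pointed at real packet bytes from a capture to confirm that a source-routed probe is reaching, or being dropped by, the fabric edge.

```python
"""Build and detect IPv4 source-routed datagrams (LSRR / SSRR options).

Added example, not the original poster's code. Source address, identification
and payload are constructed; nothing here talks to a network.
"""
import socket
import struct
from typing import List, Optional, Tuple

IPOPT_EOL = 0x00   # end of option list
IPOPT_NOP = 0x01   # no-operation (1 byte, no length field)
IPOPT_LSRR = 0x83  # loose source and record route, RFC 791
IPOPT_SSRR = 0x89  # strict source and record route, RFC 791


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def source_route_option(hops: List[str], strict: bool = False) -> bytes:
    """Encode an LSRR (or SSRR) option: type, length, pointer, route, EOL padding."""
    opt_type = IPOPT_SSRR if strict else IPOPT_LSRR
    route = b"".join(socket.inet_aton(h) for h in hops)
    option = bytes([opt_type, 3 + len(route), 4]) + route  # pointer 4 = first hop
    return option + b"\x00" * ((-len(option)) % 4)           # pad to 32-bit boundary


def icmp_echo(ident: int = 1, seq: int = 1, data: bytes = b"\xab\xcd" * 28) -> bytes:
    """ICMP echo request; the default 56-byte 0xabcd pattern matches the ping above."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, ip_checksum(header + data), ident, seq) + data


def build_ipv4(src: str, dst: str, payload: bytes, options: bytes = b"",
               ttl: int = 255, proto: int = 1) -> bytes:
    """Assemble an IPv4 datagram with an optional (already padded) options field."""
    assert len(options) % 4 == 0, "options must be padded to a 32-bit boundary"
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0x1234, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + options
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_source_route(packet: bytes) -> Tuple[Optional[str], List[str]]:
    """Walk the IPv4 option list; return ('loose'|'strict'|None, listed hops)."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if opt_type in (IPOPT_LSRR, IPOPT_SSRR):
            route = opts[i + 3:i + length]
            hops = [socket.inet_ntoa(route[j:j + 4])
                    for j in range(0, len(route) - len(route) % 4, 4)]
            return ("strict" if opt_type == IPOPT_SSRR else "loose", hops)
        i += length
    return (None, [])


def should_drop(packet: bytes) -> bool:
    """Policy equivalent of IOS 'no ip source-route': discard any source-routed datagram."""
    kind, _ = parse_source_route(packet)
    return kind is not None


if __name__ == "__main__":
    probe = build_ipv4("10.0.0.1", "106.106.106.106", icmp_echo(),
                       options=source_route_option(["2.2.2.1"]))
    print("source route:", parse_source_route(probe), "drop:", should_drop(probe))
```

Run as-is it reports a loose source route through 2.2.2.1 and a drop verdict; for audit evidence, capture the probe on the ACI border leaf and run `parse_source_route` over the captured bytes to show the option is present on ingress and no reply is generated.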
12-13-2016 10:12 AM
Thanks for the replies !
I have demonstrated that IP source routing is not working using the ping -j command. In normal IOS I can disable and demonstrate this configuration using "no IP source routing" and was looking for an equivalent configuration command for ACI.
As a newbie to ACI not sure it would/could even apply in the ACI environment.
Regards
Scott