Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1341
Views
0
Helpful
3
Replies

Disable IP source routing on ACI fabric

Scott Robertson
Level 1
Level 1

‎12-12-2016 09:08 AM - edited ‎03-01-2019 05:06 AM

hello, 

We have security auditors combing through our ACI fabric configuration . They want us to demonstrate that IP source routing is disabled. 

Anyone know a command or  configuration to demonstrate to auditors this is turned off in the ACI Fabric? 

Thank you 

Labels:
0 Helpful
3 Replies 3

Robert Burns
Cisco Employee
Cisco Employee

‎12-12-2016 09:47 AM

If you're trying to show that Unicast routing is disabled, this would be on a per-BD basis.

You can use this moquery command on any APIC CLI to check this out:

moquery -c fvBD | egrep 'dn|unicastRoute'

Robert

0 Helpful

Joseph Young
Cisco Employee
Cisco Employee

‎12-12-2016 10:10 AM

I'm not aware of a command that would demonstrate source routing is disabled however I did just verify in the lab that 'disabled' appears to be the default behavior.

What I did to test in the lab was to use an extended ping on an external router and set the source-routing flag by using the 'Loose' option.

Nexus-box# ping
Vrf context to use [default] :MCAST
Target IP address or Hostname: 106.106.106.106
Repeat count [5] :
Datagram size [56] :
Timeout in seconds [2] :
Sending interval in seconds [0] :
Extended commands [no] : yes
Source address or interface :
Data pattern [0xabcd] :
Type of service [0] :
Set DF bit in IP header [no] :
Time to live [255] :
Loose, Strict, Record, Timestamp, Verbose [None] : Loose
Source route: 2.2.2.1 ***Set this to your next hop on the connected subnet that your route to destination points to
Loose, Strict, Record, Timestamp, Verbose [L] :
Sweep range of sizes [no] :
Sending 5, 56-bytes ICMP Echos to 106.106.106.106
Timeout is 2 seconds, data pattern is 0xABCD

.....
--- 106.106.106.106 ping statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss

0 Helpful

scottrobertson2ctr
Level 1
Level 1

‎12-13-2016 10:12 AM

Thanks for the replies !

I have demonstrated that IP source routing is not working using ping -j command . In normal IOS I can disable and demonstrate this configuration using " no IP source routing " and was looking for an equivalent configuration command for ACI.

As a newbie to ACI not sure it would/could  even apply in the ACI environment. 

Regards 

Scott

0 Helpful
Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License