06-28-2022 12:14 PM
Hello
We have configured oob address for our apic and leaf+spine,
Is there a way to block ssh traffic from outside to leaf and spine while connection to apic is still allowed?
Regards
06-28-2022 03:22 PM
Hi @Adhiputra ,
I fail to see the point of blocking ssh traffic from outside to Leaf/Spine while leaving access to the APIC, because you will NEVER be able to stop someone from:
IF you succeed in your design, you are just forcing one more step to get the ssh session to the Leaf/Spine, NOT preventing all access.
So my advice is: Don't even try to stop ssh traffic to OOB Leaf/Spine addresses.
I hope this helps.
Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem.
06-28-2022 09:52 PM
Hello Chris
Thanks for replying
The reason for this is because we found that, on the ACI version that we are using, ssh hmac-sha1 cannot be disabled on SPINE and LEAF, even though we have removed it on fabric policy
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu80658
because it doesn't comply with our client security policies
I was thinking of blocking or disabling ssh as a temporary workaround as we cannot upgrade it yet
Regards
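As an added example, not code from this thread or from Cisco: a small Python parser for the SSH_MSG_KEXINIT name-lists (RFC 4253) that reports whether a peer still advertises hmac-sha1, the MAC the poster's client policy forbids, which is the check you would run against a leaf/spine OOB address before and after the upgrade. It runs on a constructed sample; the weak-MAC set and the sample algorithm lists are assumptions, and reading a live KEXINIT off a socket after the version exchange is left out.

```python
import struct

# MACs the client's policy treats as non-compliant (assumption; extend as needed)
WEAK_MACS = {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96",
             "hmac-sha1-etm@openssh.com", "hmac-sha1-96-etm@openssh.com"}

# Name-list order in SSH_MSG_KEXINIT after the 16-byte cookie (RFC 4253, 7.1)
KEXINIT_FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def build_kexinit(lists):
    """Encode a KEXINIT payload from name-lists (used here for constructed samples)."""
    out = bytes([20]) + b"\x00" * 16  # msg id 20 + cookie (zeroed, sample only)
    for name in KEXINIT_FIELDS:
        s = ",".join(lists.get(name, [])).encode()
        out += struct.pack(">I", len(s)) + s
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode the ten name-lists; raises ValueError on malformed or truncated input."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        pos += n
        lists[name] = raw.decode("ascii").split(",") if raw else []
    return lists


def weak_macs_offered(payload):
    """Return the sorted weak MACs the peer advertises in either direction."""
    lists = parse_kexinit(payload)
    return sorted((set(lists["mac_c2s"]) | set(lists["mac_s2c"])) & WEAK_MACS)


# Constructed sample: a server that still advertises hmac-sha1 alongside SHA-2
SAMPLE = build_kexinit({
    "kex": ["ecdh-sha2-nistp256"], "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes256-ctr"], "enc_s2c": ["aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})
if __name__ == "__main__":
    print(weak_macs_offered(SAMPLE))  # ['hmac-sha1']
```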
06-29-2022 12:05 AM
Hi @Adhiputra ,
Ok. Then that makes sense now - if you go through the APIC you avoid the problem!
So I guess the only answer is to add an ACL on the OOB default gw router - i.e. do the filtering BEFORE traffic gets to ACI.
The OOB EPG is a special EPG in the mgmt tenant, and doesn't have all the features of a normal EPG (no micro-segmentation for instance) so I don't see a way of filtering the traffic within ACI