Block SSH traffic from outside to leaf and spine

Adhiputra
Level 1

Hello

We have configured oob address for our apic and leaf+spine,

Is there a way to block ssh traffic from outside to leaf and spine while connection to apic is still allowed?

Regards
3 Replies

RedNectar
VIP

Hi @Adhiputra ,

I fail to see the point of blocking ssh traffic from outside to Leaf/Spine while leaving access to the APIC, because you will NEVER be able to stop someone from:

  1. ssh to APIC
  2. ssh from APIC to Leaf/Spine

IF you succeed in your design, you are just forcing one more step to get the ssh session to the Leaf/Spine, NOT preventing all access

So my advice is: Don't even try to stop ssh traffic to OOB Leaf/Spine addresses.

I hope this helps.


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem.
RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hello Chris

Thanks for replying

The reason for this is because we found that, on the ACI version that we are using, ssh hmac-sha1 cannot be disabled on SPINE and LEAF, even though we have removed it in the fabric policy:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu80658


because it doesn't comply with our client security policies.

I was thinking to block or disable ssh as a temporary workaround as we cannot upgrade it yet

Regards

Hi @Adhiputra ,

Ok. Then that makes sense now - if you go through the APIC you avoid the problem!

So I guess the only answer is to add an ACL on the OOB default gw router - i.e. do the filtering BEFORE traffic gets to ACI.

The OOB EPG is a special EPG in the mgmt tenant, and doesn't have all the features of a normal EPG (no micro-segmentation for instance), so I don't see a way of filtering the traffic within ACI.

RedNectar aka Chris Welsh.
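As an added illustration of the ACL approach described in the accepted answer (this is not configuration from the thread or from Cisco documentation), the following IOS-style extended ACL sits on the OOB default gateway router and lets SSH reach only the APIC OOB addresses; every address, interface name and ACL name below is a constructed placeholder.

```cisco
! Added example, not from the original thread. Assumed (constructed) OOB layout:
!   APIC cluster OOB addresses : 10.0.0.11 - 10.0.0.13
!   Leaf/spine OOB addresses   : the remainder of 10.0.0.0/24
! The ACL is applied inbound on the router interface that faces the outside,
! so filtering happens before any packet reaches the ACI OOB segment.
ip access-list extended OOB-MGMT-IN
 remark -- SSH to the three APICs stays reachable --
 permit tcp any host 10.0.0.11 eq 22
 permit tcp any host 10.0.0.12 eq 22
 permit tcp any host 10.0.0.13 eq 22
 remark -- SSH to any other OOB address (leaf/spine) is dropped and logged --
 deny   tcp any 10.0.0.0 0.0.0.255 eq 22 log
 remark -- all other management traffic (HTTPS to APIC, NTP, syslog, ...) is untouched --
 permit ip any any
!
interface GigabitEthernet0/1
 description Uplink toward the management network (outside)
 ip access-group OOB-MGMT-IN in
```

The `log` keyword on the deny entry gives you a syslog record of every blocked attempt, which is useful for confirming the workaround is actually being hit. Note the limits the thread already points out: hosts sitting directly on the OOB segment never cross the router and are not filtered, and SSH from the APIC itself to the leaf/spine remains possible.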