09-29-2020 10:49 AM - edited 09-29-2020 10:49 AM
Greetings Community,
I hope to get some details from the BU who developed Tetration, ACI, and the N9K...
I have a philosophical question based on the ability of accessing switching services of say a Nexus switch (N9K or 93180-YC participating in either ACI or NX-OS mode), being able to overthrow it's smarts and gaining access to the reverse side of the out-of-band network servicing the device's management port and the underlying network behind it.
Data plane
Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called the transit packets. These packets are handled by the data plane.
Management plane
Runs the components meant for Cisco NX-OS device management purposes.
Is it possible to reach the MANAGEMENT PLANE from the DATA PLANE? Is it valid to think that there is a potential attack vector that someone can compromise to source traffic from the front of the device (ASIC) through the PCI bus across the CPU to the across the PCI bus to the Platform Controller Hub through the I/O card to spew out the Management Port onto that out-of-band network?
I appreciate any time you consider/put to answering the question.
Chris
09-30-2020 01:46 AM
Is it possible to reach the MANAGEMENT PLANE from the DATA PLANE?
Yes. This is what we call inband management, whenever you telnet/ssh to a device through inband (through data plane) and configure it from there. Even more, I have seen, unfortunately, situations where customers are connecting the mgmt0 interface of Nexus switches to its own frontports (directly or indirectly through a L2 switch) - here you pretty much overlap the data plane and management plane.
Stay safe,
Sergiu
09-30-2020 06:22 AM
Thank you Sergiu for your input...
I am not trying to circumvent the Out-of-band management of the device from the DATA PLANE - its the reverse, I don't want to provide an attack vector from the DATA PLANE. I am working in a secure environment at different operating levels between the DATA and MANAGEMENT PLANES.
It is not my use case to manage the device from the DATA PLANE. I am not running an SVI/applying to a Mgmt VRF to bind to management of the device nor really run/enable any type of CONTROL PLANE protocols (STP/VTP and I've even disabled CDP in selected use cases).
I consider the DATA PLANE at a lower operating level than the back side MANAGEMENT PLANE and I don't want to be able to come into the DATA PLANE - skip across the N9K architecture to reach the management network servicing the MANAGEMENT PLANE.
I'm looking for evidence on this... I have been watching #CLMEL19 BRKDCT-3640 with Mike Herbert and I'm trying to get a message to him. I think he knows what I am looking for to validate what I think is not possible or correct me to advise that it is possible to attack my management network from the DATA PLANE.
09-30-2020 09:56 AM
To simply this - I am not looking to learn how to access the MANAGEMENT PLANE through the DATA PLANE.
I am looking for how NOT to access the MANAGEMENT PLANE through the DATA PLANE - from across the device's (more specifically the Nexus 9K) architecture.
It would sure be nice to hear from Mike Herbert or Tim Stevenson. I've watched and enjoyed their Live sessions.
In the attachment Grey suggests that the device is operating in a zone of a particular color. I'm trying to validate that anything that happens on the back side is not on that same operating color as the front.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide