NX7K Mgmt Interface Security

zekebashi
Level 4


Hello,

We ran a vulnerability test against the mgmt interface on the NX7K, and the results came back showing that a number of services, such as SSH, DHCPs, NTP, BGP, and SNMP, are open. Are these services/ports listening by default?

Thanks in advance.

Best, ~zK

5 Replies

Collin Clark
VIP Alumni

Typically no, but it also depends on what Supervisor you are running. Some include a CoPP policy and some have a CMP. I assume you're testing against the admin VDC?

We have dual N7K-SUP2. We don't have CoPP enabled/configured. I am planning on implementing iACLs on the ingress interfaces that connect the VDC to our ISP. Are there any other suggestions to disable/deny ssh and other services to access the mgmt interface?

Thanks, ~zK  

The easiest way is to disable the service(s).

no feature [ssh,telnet,etc]

How would one ssh into the vdc/switch if the ssh feature is disabled? 

The way I set them up is to only enable services on the Admin VDC and from there I can jump to the other VDCs.
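Added example, not part of the thread and not any poster's configuration: one way to keep SSH reachable on mgmt0 while denying everything else, combining the `no feature` approach above with an ACL on the management interface. The ACL name and all addresses (192.0.2.x documentation range for a jump host, NTP server and SNMP poller) are assumptions to replace with your own.

```cisco
! --- configuration mode ---
! Constructed sample values: 192.0.2.10 = jump host, 192.0.2.20 = NTP server,
! 192.0.2.30 = SNMP poller. MGMT0-IN is a hypothetical ACL name.

! Disable management services that are not needed in this VDC
no feature telnet

! Permit only the management sources that are required; deny and log the rest
ip access-list MGMT0-IN
  10 permit tcp 192.0.2.10/32 any eq 22
  20 permit udp 192.0.2.20/32 eq 123 any
  30 permit udp 192.0.2.30/32 any eq 161
  100 deny ip any any log

! Apply the ACL inbound on the management interface
interface mgmt0
  ip access-group MGMT0-IN in

! --- exec mode: verify ---
! Confirm which remote-access features are enabled
show feature | include ssh|telnet
! Confirm the ACL contents and that it is attached to mgmt0
show ip access-lists MGMT0-IN
show running-config interface mgmt0
```

If the change is made over an SSH session that arrives on mgmt0, confirm the session's source address matches a permit entry before applying the `ip access-group` line, then rerun the vulnerability scan from an address outside the permitted set to confirm the ports no longer answer.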
