04-03-2009 03:09 PM
Could anyone comment on whether the capability exists to configure an ACL that protects management access, restricting access to certain source subnets? I want to use inband mgmt access (interface vlan feature) but limit the access by IP. ACLs seem to be only configurable on a per port basis or VLAN mapped basis, not on the VLAN Interface or Line VTY. Thanks in advance to anyone who offers a comment!
04-09-2009 12:18 PM
WLCs have a "session level" access control for management protocols. It is important to understand how they work in order to prevent incorrect assessment on what is allowed or not allowed by the controller.
The commands to restrict what management protocols are allowed are (on a global scope)
For more information, please follow up on this link:
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a7c988.shtml#t3
04-09-2009 02:31 PM
Thanks for taking the time for the above post. However my question has to do with the Nexus 5020 switch not the wireless controllers.
05-01-2009 11:41 AM
I understand what you're seeing, and I don't have a solution for you. I will explain what workarounds I encountered on the 7K series, though.
The 7K comes stock with a relatively lengthy "Control-Plane Policing" series of ACLs. This is written to rate limit various types of traffic destined to the control plane, in an effort to keep the box up even during a DoS.
However, it's not possible to write an ACL surrounding the VTY or SNMP strings any more. As a result, you're now forced to use the CoPP as a way to protect the in-band network management protocols. I wrote a class map to permit traffic from my management network, and drop it from everything else, and then I applied that to the control plane.
In addition, I created a new ACL and wrapped it around my Mgmt0, allowing only certain protocols, addresses, etc etc.
The point being: NX-OS has scrapped the concept of ACLs on the VTYs, and replaced it with a different mechanism. I can see how this feature set shaped NX-OS, but this doesn't apply as such to the 5K, so it doesn't fit quite right. (and is unavailable.)
As such, I plan on just using the mgmt0 port (with an ACL around it) and not putting IP addresses on the VLANs of the 5k. (It doesn't buy you much, since it's a L2 device anyways.) Note that the mgmt VLAN is a totally separate vrf, so you can really plug one of the VLANs that's flowing through the box anyways; you just need a separate cat 5 run to make this happen.
05-01-2009 01:56 PM
Thanks Nate for taking the time to reply!
I appreciate your comments confirming that the method for protecting mgmt access to the box has changed. We'll have to rethink how we're going to do that.
Thanks again.
Simon
07-07-2009 06:42 AM
MGMT0 ACLs are actually not available at this time either, but will be available by the second 4.1(3) release.
Please watch CSCsq20638 for more details on VTY ACLs.
10-08-2009 10:01 AM
You can probably do this with a VACL. It would look something like the following:
ip access-list ALLOW-MGT
5 deny icmp 1.1.1.1/32 any
6 deny tcp 2.2.2.2/32 gt 1023 any eq 22
30 permit ip any any
vlan access-map ALLOW-MGT
match ip address ALLOW-MGT
action forward
statistics
vlan filter ALLOW-MGT vlan-list 101
03-07-2010 05:05 PM
I have not found any other alternative so far. Dealing with Nexus 5010 running release 4.1(3)N2(1a).
06-29-2010 09:27 AM
has anyone found a solution in the new 4.2. code?
07-27-2010 02:23 PM
VACL is what I'm using currently. That's all I've found out.
07-27-2010 03:20 PM
Hi Adam,
[edit] This is fixed in 4.1(3)N2(1) with defect CSCta26533. It is also available in 4.2(1)N1(1). I just tested this to verify, I was confused earlier as to what version my switches were running.
Here's an example in 4.2(1)N1(1):
Nexus5010(config)# conf t
Nexus5010(config)# ip access-list someACL
Nexus5010(config-acl)# deny ip 192.168.0.0/16 any
Nexus5010(config-acl)# permit ip any any
Nexus5010(config-acl)# int mgmt0
Nexus5010(config-if)# ip access-group someACL in
Nexus5010(config-if)# exit
Nexus5010# sh ip access-lists summary
IPV4 ACL someACL
Total ACEs Configured: 2
Configured on interfaces:
mgmt0 - ingress (Router ACL)
Active on interfaces:
mgmt0 - ingress (Router ACL)
Also, CSCsq20638 will allow you to put an ACL on VTY lines. CSCsq20638 slipped the target release since my first answer, but is now committed to the 5.0 train for the Nexus 7000.
The Nexus 5000 should pick up this enhancement sometime in Q4 of 2010. I can't be specific about a release date since it's under active development, but it should be called 5.0(2)N1(1).
Regarding a VACL, that will work for inband management (SVI / VLAN interface), but not for those managing via MGMT0.
Regards,
John Gill
Message was edited by: johgill
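A small checker, added here and not code from the thread or from Cisco, that parses the mgmt0 ACL shape shown in the answer above and reports whether a given source would be permitted to reach mgmt0, honouring NX-OS first-match ACE semantics and the implicit deny at the end of every ACL. The config excerpt, ACL name and subnets are constructed for the example.

```python
import ipaddress
import re

# Constructed NX-OS running-config excerpt (not from the thread), modelled on the mgmt0 ACL above.
SAMPLE_CONFIG = """\
ip access-list MGMT-IN
  10 permit tcp 10.10.0.0/24 any eq 22
  20 permit udp 10.10.0.0/24 any eq snmp
  30 deny ip 192.168.0.0/16 any
  40 permit ip any any
interface mgmt0
  ip access-group MGMT-IN in
"""

# ACE shape used in the thread: [seq] permit|deny <proto> <src> <dst> [eq <port>]
ACE_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\S+))?")

def parse_config(text):
    """Return ({acl: [(action, proto, src, dst, port)]}, {interface: acl bound inbound})."""
    acls, bindings, cur_acl, cur_if = {}, {}, None, None
    for line in text.splitlines():
        if m := re.match(r"^ip access-list (\S+)", line):
            cur_acl, cur_if = m.group(1), None
            acls[cur_acl] = []
        elif m := re.match(r"^interface (\S+)", line):
            cur_if, cur_acl = m.group(1), None
        elif cur_acl and (m := ACE_RE.match(line)):
            acls[cur_acl].append(m.groups())
        elif cur_if and (m := re.match(r"^\s*ip access-group (\S+) in", line)):
            bindings[cur_if] = m.group(1)
    return acls, bindings

def prefix_matches(prefix, ip):
    return prefix == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)

def evaluate(aces, src_ip, proto, dport):
    """First-match ACE evaluation; no match hits the implicit deny at the end of every NX-OS ACL."""
    for action, ace_proto, src, _dst, port in aces:
        if ace_proto in ("ip", proto) and prefix_matches(src, src_ip) and port in (None, dport):
            return action  # port names (e.g. snmp) are compared literally, not resolved to numbers
    return "deny"

def mgmt_access(config_text, src_ip, proto="tcp", dport="22"):
    """'permit'/'deny' for a session to mgmt0, or 'unfiltered' if no inbound ACL is bound there."""
    acls, bindings = parse_config(config_text)
    acl = bindings.get("mgmt0")
    if acl is None:
        return "unfiltered"
    return evaluate(acls[acl], src_ip, proto, dport)
```

Run it against a real `show running-config` capture to confirm that only the intended management subnet reaches SSH/SNMP on mgmt0; the "unfiltered" result is the state the thread starts from.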