10793 Views · 5 Helpful · 6 Replies

How to disable IP forwarding in management VRF?

Nessus scans show that my switches are performing IP forwarding. Switches are IOS (4948E) and NX-OS (9300). All of them are using the management or mgmtVRF VRFs for their management connections, and it's this IP that is forwarding. If I point one switch to another switch's mgmt IP I can confirm it is in fact forwarding (routing).

How can I disable IP forwarding / routing on both IOS and Cisco NX-OS devices for the management VRF?

6 Replies

Reza Sharifi
Hall of Fame

You can disable it by not using a default route on the management VRF, but if you do that then the switches will not be reachable from other subnets.

HTH

Ganesh Hariharan
VIP Alumni

Hi,

But is it a real issue that IP forwarding is happening? Switches have the latest features in current IOS for security purposes.

If it is required at all, you can either do as Reza suggests, with the risk involved, or do the scanning on some other LAN data interface to avoid scanning the Mgmt. interface.

Hope it helps.

-GI

Rate if it Helps

Why is it a problem if they perform routing? A packet is routed only if another device has a next hop pointing to this switch's OOB port, which is unlikely. Proxy ARP is the other potential cause, but it should be disabled.

https://ltlnetworker.wordpress.com/2015/08/16/management-network-topology-and-asymmetric-routing/
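The two controls raised in the replies above (Reza's "no default route in the management VRF" and the proxy ARP point in the reply just before this) written out as configuration, as an added example that is not config from any of the posters. The VRF names follow the thread (management on the Nexus 9300, mgmtVrf on the 4948E); the management port name FastEthernet1, the management subnet 10.0.0.0/24 with gateway 10.0.0.1, the switch addresses, and the jump-host subnet 10.10.0.0/24 are assumptions for illustration. Treat the availability of `ip proxy-arp` on mgmt0 as something to confirm on your NX-OS release.

```cisco
! ===== NX-OS (Nexus 9300): VRF "management", interface mgmt0 =====
! BEFORE: a default route lets a packet that arrives on mgmt0 for any
! non-local destination be hairpinned back out to the gateway. That is
! what the scanner and the "point one switch at another" test observe.
vrf context management
  ip route 0.0.0.0/0 10.0.0.1

! AFTER: remove the default route and keep only the prefix(es) that must
! reach the switch (assumed: the jump-host subnet). A packet for any other
! destination is dropped for lack of a route instead of being forwarded.
vrf context management
  no ip route 0.0.0.0/0 10.0.0.1
  ip route 10.10.0.0/24 10.0.0.1

interface mgmt0
  vrf member management
  ip address 10.0.0.10/24
  ! proxy ARP is off by default on NX-OS; make that explicit
  no ip proxy-arp

! ===== IOS (Catalyst 4948E): VRF "mgmtVrf", management port FastEthernet1 =====
! BEFORE
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 10.0.0.1

! AFTER
no ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 10.0.0.1
ip route vrf mgmtVrf 10.10.0.0 255.255.255.0 10.0.0.1

interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address 10.0.0.11 255.255.255.0
 ! proxy ARP is ON by default in IOS, so this line matters
 no ip proxy-arp

! Verify: the management RIB should show only the connected subnet plus
! the allowed prefix, and no 0.0.0.0/0 entry.
! NX-OS:  show ip route vrf management
! IOS:    show ip route vrf mgmtVrf
```

Two caveats a practitioner should keep in mind. First, this narrows the forwarding rather than removing it: the switch will still route packets arriving on the management port toward 10.10.0.0/24 (out the same interface, via the gateway), so a scanner on the management subnet that picks a target inside an allowed prefix will still flag forwarding. Second, as Reza notes, anything not covered by a static route loses reachability to the switch, so every monitoring, AAA and jump-host source needs a matching route. The later reply's point that the management VRFs sit behind a dedicated firewall zone is the control that actually bounds what such forwarding can reach.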

eclinton
Level 1

Hi Mister Cartwright,

Did you find a way to disable ip forwarding on the 3172?  I have the same issue from a scan.

Thanks.

No I never found a way, but I never looked after my initial post. I filed a report with security explaining why it ultimately was not a security concern for us.

All management interfaces for our network devices are using dedicated VRFs which connect to a dedicated firewall security zone. So even if someone re-configured a certain device to use another as its gateway, it would still be subject to firewall rules upstream.

Hi Mister Cartwright,

Thanks for your reply, I will update this thread if and when I get an answer to this.
