10-08-2015 12:18 PM - edited 03-08-2019 02:07 AM
Nessus scans show that my switches are performing IP forwarding. Switches are IOS (4948E) and NXOS (9300). All of them are using the management or mgmtVRF VRFs for their management connections, and it's this IP that is forwarding. If I point one switch to another switch's mgmt IP I can confirm it is in fact forwarding (routing).
How can I disable IP forwarding / routing on both IOS and Cisco NX-OS devices for the management VRF?
10-08-2015 01:29 PM
You can disable it by not using a default route on the management VRF, but if you do that then the switches will not be reachable from other subnets.
HTH
10-09-2015 09:34 PM
Hi,
But is it a real issue that IP forwarding is happening? Switches have the latest security features in current IOS.
If it is required at all, you can either do as Reza suggested, with the risk involved, or scan some other LAN data interface to avoid scanning the management interface.
Hope it helps.
-GI
Rate if it Helps
11-07-2015 05:39 AM
Why is it a problem if they perform routing? A packet is routed only if another device has a next hop pointing to this switch's OOB port which is unlikely. Proxy ARP is the other potential cause but it should be disabled.
https://ltlnetworker.wordpress.com/2015/08/16/management-network-topology-and-asymmetric-routing/
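The two replies above name two ways a management VRF can end up forwarding traffic: a default route inside the VRF, and Proxy ARP on the management interface. The script below is an added example, not code from this thread or from Cisco. It is a hypothetical config audit that reads IOS and NX-OS running-config text (constructed samples are embedded) and flags a management VRF default route and Proxy ARP on a management-VRF interface; it assumes IOS's default of Proxy ARP enabled per interface (so only an explicit `no ip proxy-arp` turns it off) and NX-OS's default of Proxy ARP disabled. It does not talk to any device. Note Reza's caveat still applies: replacing the default route with routes to specific management subnets keeps only those subnets reachable.

```python
"""Audit IOS / NX-OS config text for a management VRF that can forward traffic.

Hypothetical audit helper written for this thread, not Cisco tooling.
Checks two conditions: a default route in the management VRF and Proxy ARP
left on for an interface in that VRF. All sample configs are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    platform: str  # "ios" or "nxos"
    kind: str      # "default-route" or "proxy-arp"
    detail: str


def parse_blocks(config):
    """Split config text into (header, [indented child lines]) blocks.
    A top-level line with no indented children gets an empty body."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0] not in " \t":
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def audit_ios(config, vrf="mgmtVrf"):
    """IOS: default route is a global 'ip route vrf <vrf> 0.0.0.0 0.0.0.0 <nh>';
    Proxy ARP is on by default, so flag any VRF interface lacking 'no ip proxy-arp'."""
    findings = []
    route_re = re.compile(
        rf"ip route vrf {re.escape(vrf)} 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
    for header, body in parse_blocks(config):
        m = route_re.match(header)
        if m:
            findings.append(Finding("ios", "default-route", f"{vrf} -> {m.group(1)}"))
        if header.startswith("interface "):
            in_vrf = f"ip vrf forwarding {vrf}" in body
            if in_vrf and "no ip proxy-arp" not in body:
                findings.append(Finding("ios", "proxy-arp", header))
    return findings


def audit_nxos(config, vrf="management"):
    """NX-OS: default route lives under 'vrf context <vrf>' as 'ip route 0.0.0.0/0 <nh>';
    Proxy ARP is off by default, so flag only an explicit 'ip proxy-arp'."""
    findings = []
    route_re = re.compile(r"ip route 0\.0\.0\.0/0 (\S+)")
    for header, body in parse_blocks(config):
        if header == f"vrf context {vrf}":
            for line in body:
                m = route_re.match(line)
                if m:
                    findings.append(Finding("nxos", "default-route", f"{vrf} -> {m.group(1)}"))
        if header.startswith("interface "):
            in_vrf = f"vrf member {vrf}" in body
            if in_vrf and "ip proxy-arp" in body:
                findings.append(Finding("nxos", "proxy-arp", header))
    return findings


# Constructed sample: IOS 4948E-style mgmtVrf with a default route and
# Proxy ARP left at its default (enabled) on the management port.
IOS_SAMPLE = """\
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address 10.0.0.11 255.255.255.0
!
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 10.0.0.1
"""

# Constructed sample: same device with Proxy ARP off and only a route to the
# management subnets instead of a default route.
IOS_HARDENED = """\
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address 10.0.0.11 255.255.255.0
 no ip proxy-arp
!
ip route vrf mgmtVrf 10.0.0.0 255.0.0.0 10.0.0.1
"""

# Constructed sample: NX-OS management VRF with a default route, Proxy ARP off.
NXOS_SAMPLE = """\
vrf context management
  ip route 0.0.0.0/0 10.0.1.1
interface mgmt0
  vrf member management
  ip address 10.0.1.11/24
"""

if __name__ == "__main__":
    for name, findings in (("ios", audit_ios(IOS_SAMPLE)),
                           ("ios-hardened", audit_ios(IOS_HARDENED)),
                           ("nxos", audit_nxos(NXOS_SAMPLE))):
        print(name, [(f.kind, f.detail) for f in findings])
```

Run it against a saved `show running-config` to see which of the two conditions a given switch actually has before deciding whether the Nessus finding matters; an empty result for both checks means neither cause named in the thread is present in the config.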
04-15-2016 11:28 AM
Hi Mister Cartwright,
Did you find a way to disable ip forwarding on the 3172? I have the same issue from a scan.
Thanks.
04-15-2016 11:36 PM
No I never found a way, but I never looked after my initial post. I filed a report with security explaining why it ultimately was not a security concern for us.
All management interfaces for our network devices are using dedicated VRFs which connect to a dedicated firewall security zone. So even if someone re-configured a certain device to use another as its gateway, it would still be subject to firewall rules upstream.
04-18-2016 06:48 AM
Hi Mister Cartwright,
Thanks for your reply, I will update this thread if and when I get an answer to this.