Nexus 3000 Security Hardening

Lyphiard (Level 1)

I have several Nexus 3000-series switches acting as TOR switches, each having multiple SVIs that act as default gateways for clients. The VLANs reside purely on the switch and do not trunk anywhere else -- the switch routes the packets to an aggregation router from the SVIs.

My issue is that each SVI IP address is now a method of accessing the switch. For example, I could SSH into any L3 IP address on the switch (and I couldn't find a way to restrict this). Additionally, services such as NXApi, SNMP, HTTP, and BGP are all open on all of these IP addresses.

I've created an access-list with several network object-groups in an attempt to restrict access to these services, but it seems like traffic destined towards the management plane does not honor these ACLs.

object-group ip address ipv4-system
  10 host 1.1.1.1
  20 host 2.2.2.2

object-group ip address ipv4-nxapi
  10 host 1.1.1.5
  20 host 3.3.3.3

ip access-list ipv4-system-ingress
  10 remark NXApi
  20 permit tcp addrgroup ipv4-nxapi 1.1.1.1/32 eq 8083
  30 deny tcp any addrgroup ipv4-system eq 8083
  50 remark HTTP
  60 deny tcp any addrgroup ipv4-system eq www

interface Vlan10
  no shutdown
  ip address 1.1.1.1/24
  ip access-group ipv4-system-ingress in

interface Vlan20
  no shutdown
  ip address 2.2.2.2/24
  ip access-group ipv4-system-ingress in

For example, if I'm a host on VLAN 10 with IP address 1.1.1.2, I'm able to access the switch's NXApi server despite sequence 30 in the ACL.

However, if I put some external IP (not on the switch's management plane) in the ipv4-system object-group, the ACL works as expected and access is restricted from non-authorized hosts.

4 Replies

Dennis Mink (VIP Alumni)

You will need to apply the ACL to the "line vty" and refer to the ACL using "access-class <name> in".

Please remember to rate useful posts, by clicking on the stars below.

That seemed to solve the issue with SSH ACLs; however, it still does not control access to other services hosted on the switch such as NXApi, the HTTP server, BGP, etc.

I am not sure if Nexus ACLs have an implicit deny any any on the end, so can you put the deny any any on the end of an ACL that you can use for testing?


They do have an implicit deny at the end of them, although I'm not sure how that would apply to my specific situation?

The only thing I can seem to come up with at this point is using a modified CoPP service policy with police pps set to zero, although that comes with its own issues and limitations.
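Added example (not part of the thread, and not Cisco code): a small Python evaluator that reads the object-groups and ACL posted in the opening question and walks them the way an ACL lookup would, first match wins and an implicit deny when nothing matches. It separates the two questions the thread mixes together: what the ACL logically says, and where the switch enforces it. By the ACL's own logic the NX-API request from the VLAN 10 client 1.1.1.2 to 1.1.1.1:8083 is denied by sequence 30, SSH on port 22 falls through to the implicit deny, and so does ordinary transit traffic from that client, since the ACL permits nothing else; the fact that the client still reaches NX-API therefore comes from the ACL not being applied to traffic terminating on the switch's own addresses, which is what the vty access-class and CoPP replies are about. The config text is a constructed copy of the posted ACL (interface stanzas omitted), and the named-port table and the subset of ACE syntax it parses (any, host, prefix, addrgroup, eq) are assumptions of this example.

```python
import ipaddress
import re

# Constructed copy of the object-groups and ACL posted in the thread.
NXOS_CONFIG = """
object-group ip address ipv4-system
  10 host 1.1.1.1
  20 host 2.2.2.2
object-group ip address ipv4-nxapi
  10 host 1.1.1.5
  20 host 3.3.3.3
ip access-list ipv4-system-ingress
  10 remark NXApi
  20 permit tcp addrgroup ipv4-nxapi 1.1.1.1/32 eq 8083
  30 deny tcp any addrgroup ipv4-system eq 8083
  50 remark HTTP
  60 deny tcp any addrgroup ipv4-system eq www
"""

NAMED_PORTS = {"www": 80, "ssh": 22, "bgp": 179, "snmp": 161}  # assumed subset


def parse_config(text):
    """Return (object_groups, acls) from a minimal NX-OS-style config text."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"(object-group ip address|ip access-list) (\S+)", line)
        if m:  # start of a new object-group or ACL stanza
            kind = "group" if m.group(1).startswith("object") else "acl"
            current = (kind, m.group(2))
            (groups if kind == "group" else acls)[m.group(2)] = []
            continue
        seq, body = line.split(None, 1)  # every other line is "<seq> <entry>"
        if current[0] == "group":
            # object-group entries are "host A.B.C.D" or "A.B.C.D/len"
            net = ipaddress.ip_network(body.replace("host ", ""), strict=False)
            groups[current[1]].append(net)
        elif not body.startswith("remark"):
            acls[current[1]].append((int(seq), body))
    return groups, acls


def _take_addr(tokens, groups):
    """Consume one address specifier; return the list of networks it covers."""
    tok = tokens.pop(0)
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if tok == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if tok == "addrgroup":
        return groups[tokens.pop(0)]
    return [ipaddress.ip_network(tok, strict=False)]


def _take_port(tokens):
    """Consume an optional 'eq <port>'; return the port number or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else NAMED_PORTS[p]
    return None


def parse_ace(body, groups):
    """Split one ACE such as 'permit tcp any addrgroup G eq 8083' into fields."""
    tokens = body.split()
    ace = {"action": tokens.pop(0), "proto": tokens.pop(0)}
    ace["src"] = _take_addr(tokens, groups)
    ace["sport"] = _take_port(tokens)
    ace["dst"] = _take_addr(tokens, groups)
    ace["dport"] = _take_port(tokens)
    return ace


def evaluate(acl, groups, proto, src_ip, dst_ip, dport, sport=None):
    """Walk ACEs in sequence order; return (verdict, matching sequence).
    No match means the implicit deny at the end of the ACL (sequence None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, body in sorted(acl):
        ace = parse_ace(body, groups)
        if ace["proto"] not in (proto, "ip"):
            continue
        if not any(s in n for n in ace["src"]) or not any(d in n for n in ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        return ace["action"], seq
    return "deny", None


def check(proto, src_ip, dst_ip, dport):
    """Evaluate one flow against the posted ACL ipv4-system-ingress."""
    groups, acls = parse_config(NXOS_CONFIG)
    return evaluate(acls["ipv4-system-ingress"], groups, proto, src_ip, dst_ip, dport)


if __name__ == "__main__":
    for flow in [("tcp", "1.1.1.2", "1.1.1.1", 8083),   # client -> NX-API on its SVI
                 ("tcp", "1.1.1.2", "1.1.1.1", 22),     # SSH: not listed, implicit deny
                 ("tcp", "1.1.1.2", "8.8.8.8", 443)]:   # transit: implicit deny as well
        print(flow, "->", check(*flow))
```

The last flow is the check worth keeping in mind when an ACL like this is bound inbound on a client-facing SVI: with only deny entries and one narrow permit, the implicit deny covers every other destination, so testing the ACL on the switch with transit traffic (as Dennis suggests) tells you quickly whether the ACL is being consulted at all for a given path.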
