Security Vulnerability on Nexus 3172 Can't disable NETCONF TCP port 830.

Hi,

I am trying to disable TCP port 830 (SSH server) on a Cisco Nexus 3172. My current NX-OS version is 7.0(3)I5(1). I tried with an ACL and it didn't work, and I think NETCONF on the Nexus 3172 is enabled by default?

show sockets connection

Active connections (including servers)
        Protocol State/       Recv-Q/   Local Address(port)/
        Context  Send-Q       Remote Address(port)
[host]: tcp(4/6) LISTEN       0         *(830)
        Wildcard 0            *(*)


telnet x.x.x.x 830 returns the following:

SSH-2.0-OpenSSH_6.2 PKIX FIPS
Protocol mismatch.


Can someone please help with this issue? How can I disable it?

Thanks in advance.

MJ.

4 REPLIES
VIP Advisor

Re: Security Vulnerability on Nexus 3172 Can't disable NETCONF TCP port 830.

Hello,

As you are trying to block something on the control plane, a simple ACL will not be effective.

Try to use this: the default CoPP policy.

 

Here you can find detailed information about the configuration:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/security/7x/b_Cisco_n3k_Security_Config_7x/b_Cisco_n3k_Security_Config_7x_chapter_01011.html


-If I helped you somehow, please, rate it as useful.-

VIP Mentor

Re: Security Vulnerability on Nexus 3172 Can't disable NETCONF TCP port 830.

Hello,

On a side note, and in addition to Flavio's post, are you referring to the access list that is proposed as a workaround for bug CSCvc44478?

ip access-list MGMT
statistics per-entry
10 permit tcp any any eq 22
20 deny ip any any

interface mgmt0
ip access-group MGMT in


Re: Security Vulnerability on Nexus 3172 Can't disable NETCONF TCP port 830.

Hi Georg,

I have already done as below, but it can't block TCP port 830.

sh ip access-lists acl_internet_in

IP access list acl_internet_in
statistics per-entry
10 deny tcp any ip/32 eq 830 [match=12]
11 deny tcp ip/32 eq 830 any [match=0]
10000 permit ip any any [match=7327536]
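To make the two show outputs quoted in this thread (the `show sockets connection` listing from the first post and the `show ip access-lists` counters from the last one) easier to check against each other, here is an added Python example; it is not code from the thread or from Cisco. It parses both outputs, inventories the TCP ports the control plane is listening on, and reports which of those ports any deny ACE in the interface ACL even references and how many hits those ACEs have. The sample text is constructed from the thread (`ip/32` stands for the address the poster redacted, and a second listener on port 22 is added for illustration). Note what the cross-check can and cannot tell you: a socket stays in LISTEN state no matter what an interface ACL does, so a non-zero deny counter next to a still-listening port is consistent with Flavio's point that only control-plane policing (CoPP) governs that traffic; the reachability test the poster already ran (`telnet x.x.x.x 830`) remains the final verification.

```python
"""Cross-check NX-OS 'show sockets connection' against 'show ip access-lists'.

Added example, not from the Cisco community thread. Sample outputs below are
constructed from the text quoted in the thread; they are not live device output.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed from the 'show sockets connection' output in the first post,
# plus an extra listener on port 22 added here for illustration.
SOCKETS_OUTPUT = """\
Active connections (including servers)
        Protocol State/       Recv-Q/   Local Address(port)/
        Context  Send-Q       Remote Address(port)
[host]: tcp(4/6) LISTEN       0         *(830)
        Wildcard 0            *(*)
[host]: tcp(4/6) LISTEN       0         *(22)
        Wildcard 0            *(*)
"""

# Constructed from the 'show ip access-lists' output in the last post.
# 'ip/32' is the redacted host address from the thread, kept as-is.
ACL_OUTPUT = """\
IP access list acl_internet_in
statistics per-entry
10 deny tcp any ip/32 eq 830 [match=12]
11 deny tcp ip/32 eq 830 any [match=0]
10000 permit ip any any [match=7327536]
"""

# "[host]: tcp(4/6) LISTEN  0  *(830)" -> context, protocol, local port
LISTEN_RE = re.compile(
    r"^\[(?P<ctx>[^\]]+)\]:\s+(?P<proto>tcp|udp)\S*\s+LISTEN\s+\d+\s+"
    r"(?P<addr>[^\s(]+)\((?P<port>\d+)\)"
)
# "10 deny tcp any ip/32 eq 830 [match=12]" -> seq, action, protocol, rest, hits
ACE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<rest>.*?)\s*(?:\[match=(?P<match>\d+)\])?$"
)


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    ports: FrozenSet[int]        # every 'eq <port>' named in the entry (src or dst)
    matches: Optional[int]       # per-entry hit counter, None if statistics are off


def listening_ports(text: str) -> Dict[Tuple[str, int], str]:
    """Return {(proto, port): context} for every socket in LISTEN state."""
    found = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            found[(m["proto"], int(m["port"]))] = m["ctx"]
    return found


def parse_acl(text: str) -> Tuple[Optional[str], List[Ace]]:
    """Return (acl name, [Ace, ...]) from 'show ip access-lists' output."""
    name, aces = None, []
    for line in text.splitlines():
        header = re.match(r"^IP access list (\S+)", line)
        if header:
            name = header.group(1)
            continue
        m = ACE_RE.match(line.strip())
        if not m:
            continue                      # 'statistics per-entry' and blank lines
        ports = frozenset(int(p) for p in re.findall(r"\beq (\d+)", m["rest"]))
        hits = int(m["match"]) if m["match"] else None
        aces.append(Ace(int(m["seq"]), m["action"], m["proto"], ports, hits))
    return name, aces


def coverage(sockets_text: str, acl_text: str) -> Dict[int, dict]:
    """For each listening TCP port, list the deny ACEs that name it and their hits.

    Only ACEs that name the port explicitly ('eq <port>') are counted; broad
    entries such as 'deny ip any any' are out of scope for this check.
    """
    name, aces = parse_acl(acl_text)
    report = {}
    for (proto, port), ctx in listening_ports(sockets_text).items():
        if proto != "tcp":
            continue
        denies = [a for a in aces if a.action == "deny" and port in a.ports]
        report[port] = {
            "context": ctx,
            "acl": name,
            "deny_aces": [a.seq for a in denies],
            "deny_hits": sum(a.matches or 0 for a in denies),
        }
    return report


if __name__ == "__main__":
    for port, info in sorted(coverage(SOCKETS_OUTPUT, ACL_OUTPUT).items()):
        # A LISTEN socket is unaffected by an interface ACL; hits only show the
        # ACL sees traffic, not that the service is closed.
        print(f"tcp/{port} LISTEN in {info['context']}: "
              f"deny ACEs {info['deny_aces'] or 'none'} in {info['acl']}, "
              f"{info['deny_hits']} hits")
```

Run it as-is to see the two lines for ports 830 and 22; to use it on a real device, paste the two show outputs into the two string constants (or read them from files) and the regexes need no change as long as the output format matches the thread's.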

