Alain_Sanchez
Feb 13, 2023, Aspirant
Disable in-band management on M4300-28G
I want to disable any in-band management possibility on my M4300-28G and leave only OOB management. Currently I'm using the switch as a router and set the management vlan to 999 which is a vlan that...
schumaku
Feb 14, 2023, Guru - Experienced User
This is the intended default behavior for in-band management.
In-band CPU management access can be disabled, limiting access to the switch CPU for the GUI, Telnet, etc. to the OOB service port if you have a separate management network. Further on, you can deploy Management ACLs to protect in-band access (for instance, restricting HTTP GUI access to certain IP addresses or subnets, restricting Telnet to certain other IP addresses, etc.).
Alain_Sanchez
Feb 14, 2023, Aspirant
How can I disable in-band CPU management access? I have Management Source Interface set to Service Port yet I still have in-band access to management.
Also, I don't understand why I can access switch management from every single VLAN of the switch that has an IP address if I explicitly selected a Management VLAN. What's the point of having an in-band management VLAN if I can access the switch from every VLAN with routing enabled?
- schumaku, Feb 14, 2023, Guru - Experienced User
Alain_Sanchez wrote:
How can I disable in-band CPU management access?
These are not consumer-class devices with simple on/off controls, for many reasons.
Alain_Sanchez wrote:
I have Management Source Interface set to Service Port yet I still have in-band access to management.
Well, you have enabled OOB, this does not imply any in-band vectors will be disabled.
Alain_Sanchez wrote:
Also, I don't understand why I can access switch management from every single VLAN of the switch that has an IP address if I explicitly selected a Management VLAN.
A kind of industry standard on business switches and routers.
Alain_Sanchez wrote:
What's the point of having an in-band management VLAN if I can access the switch from every VLAN with routing enabled?
In-band and out-of-band are fully concurrent.
Put up access controls for all vectors you want to allow or deny.
- LaurentMa, Feb 14, 2023, NETGEAR Expert
Hi Alain_Sanchez,
You should restrict Management Access using Access Control.
https://www.netgear.com/support/product/M4300.aspx#docs
- for instance the Web GUI User Manual https://www.downloads.netgear.com/files/GDC/M4300/M4300_M4300-96X_UM_EN.pdf
starting at page 544.
This way, any unapproved origin IP/service will be discarded by the CPU (we call it a Management CPU ACL).
I hope it will help you,
Regards,
Laurent Masia
- Alain_Sanchez, Feb 14, 2023, Aspirant
Ok, I'm now filtering access to management services using Management ACLs but I still see some webservice listening on tcp/8443, and I can't find out how to disable it.
Second concern. I changed the SSH service to port 2200 and activated my Access Profile, then ran an Nmap scan from the Internet, and it shows port 22 as explicitly filtered but not the new port SSH is listening on (2200). Any suggestion?
- schumaku, Feb 14, 2023, Guru - Experienced User
Alain_Sanchez wrote:
Ok, I'm now filtering access to management services using Management ACLs but I still see some webservice listening on tcp/8443, and I can't find out how to disable it.
The M4300 series switch does host the REST API service using the HTTPS protocol on port 8443, AFAIK.
Alain_Sanchez wrote:
I changed the SSH service to port 2200 and activated my Access Profile, then ran an Nmap scan from the Internet, and it shows port 22 as explicitly filtered but not the new port SSH is listening on (2200). Any suggestion?
Port 22 shows as explicitly filtered because it is, e.g., remapped internally.
Seriously, you have ports like 2200/tcp mapped and suspect they are open to the wild Internet?
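The thread ends on the practical point that a Management ACL has to be verified from the outside: Alain_Sanchez moved SSH to 2200/tcp and found the REST API on 8443/tcp, and a scan from the Internet showed only the default port 22 as filtered. The script below is an added editorial example (not NETGEAR code and not posted by anyone in the thread) that turns that check into a repeatable audit: it parses nmap grepable output (`-oG`) and reports every management-plane port that is still reachable from the scanning vantage point. The sample scan output is constructed to mirror the thread, the nmap command in the docstring is an assumption about how the scan would be run, and the port-to-service table is an assumption built from the thread plus common defaults; adjust it to your own configuration.

```python
"""Audit management-plane exposure of a switch from an nmap scan.

Added example for this thread (not NETGEAR code, not from the posters).
Parses nmap grepable output (-oG) and reports which management-plane
ports answer from the scanning vantage point, so a Management ACL
deployment is verified from outside rather than assumed. Assumed usage:

    nmap -Pn -sS -p 22,23,80,443,2200,8443 -oG scan.gnmap <switch-ip>
    python audit_mgmt.py scan.gnmap
"""
import re
import sys

# Management-plane TCP services. 2200 and 8443 come from the thread;
# the others are common defaults and are an assumption for this example.
MANAGEMENT_PORTS = {
    22: "ssh (default)",
    23: "telnet",
    80: "http gui",
    443: "https gui",
    2200: "ssh (relocated, per the thread)",
    8443: "rest api over https (per the thread)",
}

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^,]*")


def parse_gnmap(text):
    """Return {host: {port: (state, proto, service)}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and 'Status: Up' lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = hosts.setdefault(host, {})
        for port, state, proto, service in PORT_RE.findall(ports_field):
            entries[int(port)] = (state, proto, service)
    return hosts


def audit(host_ports):
    """Classify scanned ports against the expectation that, from an
    untrusted vantage point, every management service is filtered."""
    report = {"open_management": [], "open_other": [], "filtered": [], "closed": []}
    for port, (state, proto, service) in sorted(host_ports.items()):
        if state == "open":
            key = "open_management" if port in MANAGEMENT_PORTS else "open_other"
            report[key].append(port)
        elif "filtered" in state:  # 'filtered' or 'open|filtered'
            report["filtered"].append(port)
        else:
            report["closed"].append(port)
    return report


# Constructed sample (not a real scan); tabs separate -oG fields. It mirrors
# the thread: 22 filtered, relocated SSH on 2200 and REST API on 8443 open.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -Pn -sS -p 22,23,80,443,2200,8443 -oG - 203.0.113.10\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, "
    "80/filtered/tcp//http///, 443/filtered/tcp//https///, "
    "2200/open/tcp//ssh///, 8443/open/tcp//https-alt///\tIgnored State: filtered (0)\n"
    "# Nmap done\n"
)


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_GNMAP
    for host, ports in parse_gnmap(text).items():
        report = audit(ports)
        print(f"{host}: filtered {report['filtered']}")
        for port in report["open_management"]:
            print(f"  FINDING {port}/tcp {MANAGEMENT_PORTS[port]} reachable from scan vantage")
        for port in report["open_other"]:
            print(f"  FINDING {port}/tcp unexpected service reachable")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a scan taken from the network you want to deny (the Internet side in this thread), and repeat after every ACL or service-port change. List the relocated SSH port and 8443 explicitly in `-p` rather than relying on a default port list: moving a service off its default port is not an access control, and a scan that only looks at 22 and 443 would report the switch as locked down while 2200 and 8443 still answer.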