Alain_Sanchez
Feb 13, 2023, Aspirant
Disable in-band management on M4300-28G
I want to disable any in-band management possibility on my M4300-28G and leave only OOB management. Currently I'm using the switch as a router and set the management vlan to 999 which is a vlan that...
Alain_Sanchez
Feb 14, 2023, Aspirant
How can I disable in-band CPU management access? I have Management Source Interface set to Service Port yet I still have in-band access to management.
Also, I don't understand why I can access switch management from every single vlan of the switch with an IP address if I explicitly selected a Management VLAN. What's the point of having an in-band management vlan if I can access the switch from every vlan with routing enabled?
schumaku
Feb 14, 2023, Guru - Experienced User
Alain_Sanchez wrote:
How can I disable in-band CPU management access?
These are no consumer class devices with simple on-off controls for many reasons.
Alain_Sanchez wrote:
I have Management Source Interface set to Service Port yet I still have in-band access to management.
Well, you have enabled OOB, this does not imply any in-band vectors will be disabled.
Alain_Sanchez wrote:
Also, I don't understand why I can access switch management from every single vlan of the switch with an IP address if I explicitly selected a Management VLAN.
A kind of an industry standard on business switches and routers.
Alain_Sanchez wrote:
What's the point of having an in-band management vlan if I can access the switch from every vlan with routing enabled?
In-band and out-of-band is fully concurrent.
Put up access controls for all vectors you want to allow or deny.
- LaurentMa, Feb 14, 2023, NETGEAR Expert
Hi Alain_Sanchez,
You should restrict Management Access using Access Control.
https://www.netgear.com/support/product/M4300.aspx#docs
- for instance the Web GUI User Manual https://www.downloads.netgear.com/files/GDC/M4300/M4300_M4300-96X_UM_EN.pdf
starting page 544.
This way, any unapproved origin IP/service will be discarded by the CPU (we call it Management CPU ACL).
I hope it will help you,
Regards,
Laurent Masia
- Alain_Sanchez, Feb 14, 2023, Aspirant
Ok, I'm now filtering access to management services using Management ACLs but I still see some webservice listening on tcp/8443, and I can't find out how to disable it.
Second concern. I changed the SSH service to port 2200 and activated my Access Profile, then ran an Nmap scan from the Internet and it shows port 22 being explicitly filtered but not the new port SSH is listening on (2200). Any suggestion?
- schumaku, Feb 14, 2023, Guru - Experienced User
Alain_Sanchez wrote:
Ok, I'm now filtering access to management services using Management ACLs but I still see some webservice listening on tcp/8443, and I can't find out how to disable it.
The M4300 series switch does host the REST API service using the https protocol on port 8443 afaik.
Alain_Sanchez wrote:
I changed the SSH service to port 2200 and activated my Access Profile, then ran an Nmap scan from the Internet and it shows port 22 being explicitly filtered but not the new port SSH is listening on (2200). Any suggestion?
Port 22 shows as explicitly filtered because it is, e.g., remapped internally.
Seriously, you have ports like 2200/tcp mapped and suspect them open to the wild Internet?
- LaurentMa, Feb 14, 2023, NETGEAR Expert
Hi Team, if you don't want to see the TCP ports opened any more (Rest API and AV UI), please stop the applications and un-install them. You can re-install them later in the CLI if needed.
User:admin
Password:********
(M4300-28G) >enable
(M4300-28G) #show application
OpEN application table contains 3 entries.
Name StartOnBoot AutoRestart CPU Sharing Max Memory Preload Version
---------------- ----------- ----------- ----------- ---------- ------- -------------------
AVUI Yes Yes 0 0 Yes 2.2.3.11
RestAgent Yes Yes 0 0 Yes 2.0.1.32
discAgent Yes Yes 0 0 Yes 1.0.0.3
(M4300-28G) #application stop AVUI
Application stopped.
(M4300-28G) #application stop RestAgent
Application stopped.
(M4300-28G) #config
(M4300-28G) (Config)#no application install AVUI
(M4300-28G) (Config)#no application install RestAgent
(M4300-28G) (Config)#exit
(M4300-28G) #save
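As an added example (not code from the thread or from NETGEAR), the following Python check parses the `show application` output quoted above, flags the applications that host in-band TCP listeners, and emits the same stop/uninstall/save sequence Laurent gives for any of them still installed. Treating only AVUI and RestAgent as management-exposing is an assumption taken from the posts above.

```python
import re

# Constructed sample input: the "show application" table quoted in the thread.
SHOW_APPLICATION = """\
OpEN application table contains 3 entries.
Name StartOnBoot AutoRestart CPU Sharing Max Memory Preload Version
---------------- ----------- ----------- ----------- ---------- ------- -------------------
AVUI Yes Yes 0 0 Yes 2.2.3.11
RestAgent Yes Yes 0 0 Yes 2.0.1.32
discAgent Yes Yes 0 0 Yes 1.0.0.3
"""

# Assumption from the thread: these two apps expose in-band TCP services
# (AV UI web interface, REST API on tcp/8443). discAgent is left alone.
MANAGEMENT_APPS = {"AVUI": "AV UI (web)", "RestAgent": "REST API (tcp/8443)"}


def parse_application_table(text):
    """Parse the OpEN application table into a list of row dicts.

    Data rows have exactly 7 whitespace-separated fields; the header splits
    into 9 (two-word column names) and the dashed rule is skipped by prefix.
    The 'contains N entries' line is used to detect truncated output."""
    m = re.search(r"contains (\d+) entries", text)
    expected = int(m.group(1)) if m else None
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0].startswith("-"):
            continue
        name, start_on_boot, auto_restart, _cpu, _mem, _preload, version = fields
        rows.append({
            "name": name,
            "start_on_boot": start_on_boot == "Yes",
            "auto_restart": auto_restart == "Yes",
            "version": version,
        })
    if expected is not None and expected != len(rows):
        raise ValueError(f"expected {expected} rows, parsed {len(rows)}")
    return rows


def exposed_management_apps(rows):
    """Names of installed applications that still host an in-band listener."""
    return [r["name"] for r in rows if r["name"] in MANAGEMENT_APPS]


def remediation_commands(rows):
    """CLI sequence from the thread (stop, uninstall, save) for exposed apps;
    an empty list means the switch already matches the hardened state."""
    apps = exposed_management_apps(rows)
    if not apps:
        return []
    cmds = ["enable"] + [f"application stop {a}" for a in apps] + ["config"]
    cmds += [f"no application install {a}" for a in apps] + ["exit", "save"]
    return cmds
```

Run it against the output of a later `show application` to confirm the two applications no longer appear, i.e. that the returned command list is empty.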