Re: Restrict Management access not working
Hi all, hoping someone can help.
I have an M4300-8X8F switch which I have configured the management interface to use the OOB service port. My parent company has passed along a security requirement where the management interfaces should only be accessible from a defined source subnet, which should be easily done in modern switches.
In this switch I have found settings for Access Profile configuration which has the right options for permit and deny IP addresses or ranges to specific services such as HTTPS/SSH/etc. I have configured a combination of permit and deny rules with an attempt to get any traffic blocked to a management service, however none of the settings seem to have any effect. The profile seems to have settings for enabled/disabled and I have tried with the enabled setting set.
Has anyone got this working, and am I doing something wrong?
Running latest software 12.0.11.16 but it didn't work on old software either.
Relevant config from CLI. Can also screenshot from the web interface if needed.
serviceport protocol none
serviceport ip 10.103.113.10 255.255.255.224 10.103.113.30
vlan database
vlan routing 1 1
exit
ip management source-interface serviceport
router rip
exit
router ospf
exit
ipv6 router ospf
exit
!Management ACL
management access-list "MGMT-RESTRICTIONS"
deny ip-source 10.103.127.188 mask 255.255.255.255 service https priority 2
permit ip-source 10.103.87.192 mask 255.255.255.224 service https priority 5
permit ip-source 10.103.127.188 mask 255.255.255.224 service ssh priority 6
exit
management access-class MGMT-RESTRICTIONS
no bonjour run
The deny rule had no effect on access from 10.103.127.188 using HTTPS, and in the web interface it says packets filtered 0.
I also can't seem to find any reference to access profile setup in the documentation.
Thanks
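Added example, not from the original post or from Netgear: a small Python evaluator that parses the management access-list above and applies it by priority, so you can check what the rules should do to a given source/service pair before blaming the switch. It assumes an implicit deny when no rule matches, which is a common management-ACL behaviour but is an assumption here.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed copy of the access-list from the post, in the CLI's own line format.
ACL_CONFIG = """
management access-list "MGMT-RESTRICTIONS"
deny ip-source 10.103.127.188 mask 255.255.255.255 service https priority 2
permit ip-source 10.103.87.192 mask 255.255.255.224 service https priority 5
permit ip-source 10.103.127.188 mask 255.255.255.224 service ssh priority 6
exit
"""

class Rule(NamedTuple):
    action: str
    network: ipaddress.IPv4Network
    service: str
    priority: int

RULE_RE = re.compile(
    r"^(permit|deny) ip-source (\S+) mask (\S+) service (\S+) priority (\d+)$"
)

def parse_rules(config: str) -> List[Rule]:
    """Extract permit/deny lines and return them ordered by priority (lowest first)."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            action, ip, mask, service, prio = m.groups()
            # strict=False: the third rule gives a host address with a /27 mask,
            # which normalises to the network 10.103.127.160/27.
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
            rules.append(Rule(action, net, service, int(prio)))
    return sorted(rules, key=lambda r: r.priority)

def evaluate(rules: List[Rule], src: str, service: str) -> str:
    """First matching rule (by priority) wins; no match falls to an assumed implicit deny."""
    addr = ipaddress.IPv4Address(src)
    for r in rules:
        if addr in r.network and r.service == service:
            return r.action
    return "deny"  # assumption: implicit deny at the end of the list

if __name__ == "__main__":
    rules = parse_rules(ACL_CONFIG)
    for src, svc in [("10.103.127.188", "https"), ("10.103.87.200", "https"),
                     ("10.103.127.170", "ssh"), ("10.103.87.200", "ssh")]:
        print(f"{src:>16} {svc:<5} -> {evaluate(rules, src, svc)}")
```

The expected result for 10.103.127.188 over HTTPS is "deny"; since the thread finds the list is simply not applied on the OOB service port, a "packets filtered 0" counter alongside this expected deny is the tell that the ACL is not in the path at all.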
Accepted Solutions
Best I could work out is the ACLs don't apply to networking on the OOB service port, but it's not mentioned in the documentation. I had to change to use a switchport instead.
All Replies
Re: Restrict Management access not working
The OOB (out of band!) should never be connected to the production network. The (expensive) solution is maintaining a dedicated network allowing the management plane to remain accessible during network outages or maintenance; we introduced such designs during the 1980s for finance and government networks already. The less expensive version is a dedicated management VLAN where OOB, serial console servers et al. are connected to, undoubtedly much less secure.
Not aware Netgear offers the ability to put up ACLs on the OOB interfaces as e.g. NX-OS (add much more $$$) allows. @LaurentMa ?
Re: Restrict Management access not working
Hi, there is no ACL on the OOB out-of-band management port. Per design, OOBM (out-of-band management) is meant for a separate management network, traditionally secure because it is not in the network, not connected to the internet, etc. In that case, in-band management can be shut down using Management ACLs when a separate OOBM network is used.
We do provide ACLs on the in-band of course - as you know the Source Management for the switch can be either OOB, or Management VLAN on the in-band, or a specific hardware interface (port) on the in-band too. For the last two, ACLs can be put in place.
I hope it helps,
Regards
Re: Restrict Management access not working
@LaurentMa True dedicated OOB networks are a luxury a CIO can't get adjusted with the CFO and CEO of security-sensitive businesses anymore. Rephrasing my question a little bit:
Does Netgear consider offering the ability to put up ACLs on the OOB interfaces as e.g. NX-OS (add much more $$$) allows?
Re: Restrict Management access not working
Hi,
I can't say anything else than the following: there is no plan for ACLs on the OOB port at this stage.
Regards,