
Restrict Management access not working

crankyzz
Aspirant

Restrict Management access not working

Hi all, hoping someone can help.

I have an M4300-8X8F switch on which I have configured the management interface to use the OOB service port. My parent company has passed along a security requirement that the management interfaces should only be accessible from a defined source subnet, which should be easily done in modern switches.

In this switch I have found settings for Access Profile configuration which has the right options to permit and deny IP addresses or ranges for specific services such as HTTPS/SSH/etc. I have configured a combination of permit and deny rules in an attempt to get any traffic to a management service blocked; however, none of the settings seem to have any effect. The profile seems to have settings for enabled/disabled and I have tried with the enabled setting set.

Has anyone got this working, and am I doing something wrong?

Running the latest software 12.0.11.16, but it didn't work on old software either.

Relevant config from the CLI. I can also screenshot from the web interface if needed.

serviceport protocol none
serviceport ip 10.103.113.10 255.255.255.224 10.103.113.30
vlan database
vlan routing 1 1
exit

ip management source-interface serviceport
router rip
exit
router ospf
exit
ipv6 router ospf
exit
!Management ACL
management access-list "MGMT-RESTRICTIONS"
deny ip-source 10.103.127.188 mask 255.255.255.255 service https priority 2
permit ip-source 10.103.87.192 mask 255.255.255.224 service https priority 5
permit ip-source 10.103.127.188 mask 255.255.255.224 service ssh priority 6
exit
management access-class MGMT-RESTRICTIONS
no bonjour run

The deny rule had no effect on access from 10.103.127.188 using HTTPS, and in the web interface it says packets filtered 0

I also can't seem to find any reference to access profile setup in the documentation.

Thanks

Model: XSM4316S|M4300-8X8F - Stackable Managed Switch with 16x10G including 8x10GBASE-T and 8xSFP+ Layer 3
Message 1 of 7
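As an added example (not code from the original post and not NETGEAR firmware logic), the following Python script models how a management access-list like the one posted above is evaluated, so a rule set can be sanity-checked before it is applied to a switch. The model is an assumption, not documented M4300 behaviour: rules are tried in ascending priority number, the first match wins, and an unmatched request is denied. The via="serviceport" flag reproduces the thread's finding that the management ACL is not applied to sessions arriving on the OOB service port. The rule text is a constructed copy of the posted configuration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the management access-list rules posted in the thread.
POSTED_ACL = """
management access-list "MGMT-RESTRICTIONS"
deny ip-source 10.103.127.188 mask 255.255.255.255 service https priority 2
permit ip-source 10.103.87.192 mask 255.255.255.224 service https priority 5
permit ip-source 10.103.127.188 mask 255.255.255.224 service ssh priority 6
exit
"""


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    configured: str                  # address exactly as typed in the rule
    network: ipaddress.IPv4Network   # prefix the address+mask really covers
    service: str                     # "https", "ssh", ... or "any"
    priority: int


def parse_rule(line: str) -> Rule:
    """Parse one 'permit|deny ip-source A mask M [service S] priority P' line."""
    tok = line.split()
    action = tok[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    ip = tok[tok.index("ip-source") + 1]
    mask = tok[tok.index("mask") + 1]
    service = tok[tok.index("service") + 1] if "service" in tok else "any"
    priority = int(tok[tok.index("priority") + 1])
    # strict=False: a host address combined with a subnet mask is normalised
    # to the network it covers, which is the range the rule actually matches.
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return Rule(action, ip, net, service, priority)


def parse_acl(text: str) -> list[Rule]:
    """Collect the permit/deny lines of a management access-list, ordered by priority."""
    rules = [parse_rule(line.strip()) for line in text.splitlines()
             if line.strip().startswith(("permit ", "deny "))]
    return sorted(rules, key=lambda r: r.priority)


def evaluate(rules: list[Rule], src: str, service: str, via: str = "inband") -> str:
    """Decide 'permit' or 'deny' for a management session from src to a service.

    Assumed model (not vendor documentation): rules are tried in ascending
    priority, first match wins, and an unmatched request is denied.
    via="serviceport" reproduces the thread's finding that the management ACL
    is not applied to sessions arriving on the OOB service port.
    """
    if via == "serviceport":
        return "permit"
    addr = ipaddress.IPv4Address(src)
    for rule in rules:
        if addr in rule.network and rule.service in ("any", service):
            return rule.action
    return "deny"


def check_masks(rules: list[Rule]) -> list[tuple[int, str, str]]:
    """Report rules whose typed address is not the network address of the
    resulting prefix, i.e. rules that match a wider range than they look."""
    return [(r.priority, r.configured, str(r.network))
            for r in rules
            if ipaddress.IPv4Address(r.configured) != r.network.network_address]


if __name__ == "__main__":
    acl = parse_acl(POSTED_ACL)
    for src, svc, via in [("10.103.127.188", "https", "inband"),
                          ("10.103.127.188", "https", "serviceport"),
                          ("10.103.87.200", "https", "inband"),
                          ("192.0.2.10", "ssh", "inband")]:
        print(f"{src:>16} {svc:<5} via {via:<11} -> {evaluate(acl, src, svc, via)}")
    for prio, typed, net in check_masks(acl):
        print(f"priority {prio}: {typed} with that mask actually covers {net}")
```

Run in-band, the model denies HTTPS from 10.103.127.188 (priority 2) and permits it from the 10.103.87.192/27 range (priority 5); the same request arriving via the service port is passed straight through, which matches the "packets filtered 0" counter seen in the web interface. check_masks is a pre-deployment check worth running on any rule set: here it flags the priority 6 rule, whose host address 10.103.127.188 combined with mask 255.255.255.224 covers 10.103.127.160/27 rather than the single host the rule appears to name.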

DaneA
NETGEAR Employee Retired

Re: Restrict Management access not working

@crankyzz,

Welcome to the community! 🙂

Kindly check if you have properly applied the ACLs to the corresponding port/s. For technical assistance, it would be best that you kindly open a support ticket with NETGEAR Support here at any time.

Regards,

DaneA

NETGEAR Community Team

Message 2 of 7
crankyzz
Aspirant

Re: Restrict Management access not working

Best I could work out is the ACLs don't apply to networking on the OOB service port, but it's not mentioned in the documentation. I had to change to use a switchport instead.

Message 3 of 7
schumaku
Guru

Re: Restrict Management access not working

The OOB (out of band!) should never be connected to the production network. The (expensive) solution is maintaining a dedicated network allowing the management plane to remain accessible during network outages or maintenance; we introduced such designs during the 1980s for finance and government networks already. The less expensive version is a dedicated management VLAN to which OOB, serial console servers et al. are connected, which is undoubtedly much less secure.

Not aware that Netgear offers the ability to put up ACLs on the OOB interfaces as e.g. NX-OS (add much more $$$) allows. @LaurentMa ?

Message 4 of 7
LaurentMa
NETGEAR Expert

Re: Restrict Management access not working

Hi, there is no ACL on the OOB (out-of-band) management port. By design, OOBM (out-of-band management) is meant for a separate management network, traditionally secure because it is not in the network, not connected to the internet, etc. In that case, in-band management can be shut down using Management ACLs when a separate OOBM network is used.

We do provide ACLs on the in-band of course; as you know, the Source Management for the switch can be either OOB, or Management VLAN on the in-band, or a specific hardware interface (port) on the in-band too. For the last two, ACLs can be put in place.

I hope it helps,

Regards

Message 5 of 7
schumaku
Guru

Re: Restrict Management access not working

@LaurentMa True dedicated OOB networks are a luxury good that CIOs can't get approved by the CFO and CEO of security-sensitive businesses anymore. Rephrasing my question a little bit:

Does Netgear consider offering the ability to put up ACLs on the OOB interfaces as e.g. NX-OS (add much more $$$) allows?

Message 6 of 7
LaurentMa
NETGEAR Expert

Re: Restrict Management access not working

Hi,

I can't say anything else than the following: there is no plan for ACLs on the OOB port at this stage.

Regards,

Message 7 of 7
Discussion stats
  • 6 replies
  • 2192 views
  • 0 kudos
  • 4 in conversation