Ethernet Switches & Routers

Occasional Contributor
Posts: 8
Registered: ‎07-02-2012

ICX6450 management port security with router image.

I am going to be using a 12 port 6450 as a stub router for our Metro-E internet hand off from Comcast. My plan was to isolate all the configuration and SNMP traffic to the OOB management port, but with the router image, it appears that the switch just treats that port like any other port. In fact, during basic testing it was happy to route traffic from a public address configured on a vlan VE to and through the management port.

As it is treating it as a standard port, I can't add a default gateway for the management port for my dedicated OOB LAN. Am I missing something here? Do I need to skip using the mgmt port and just assign another vlan and isolate that for management?

Miles

Occasional Contributor
Posts: 8
Registered: ‎07-02-2012

Re: ICX6450 management port security with router image.

I think the below config should do it for most IPv4 networks. The access list to block leaking reserved addresses in and out will also act to secure the management port if it is on a private address. This was built with some help from the FastIron Security Guide. I'd love to hear any suggestions if anyone sees anything dumb.

ver 08.0.20bT313
!
stack unit 1
module 1 icx6450c-12pd-port-management-module
module 2 icx6450c-copper-2port-2g-module
module 3 icx6450c-fiber-2port-2g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 2 name "Route to Comcast" by port
untagged ethe 1/1/1 to 1/1/2
router-interface ve 2
!
vlan 3 name "Route to Assigned Netblock" by port
untagged ethe 1/1/3 to 1/1/12
router-interface ve 3
!
!
!
!
!
aaa authentication web-server default local
aaa authentication login default local
enable super-user-password XXXXXXXXXXX
enable acl-per-port-per-vlan
enable egress-acl-on-cpu-traffic
hostname us-alph-border
ip dns domain-list XXXXX
ip dns server-address **filtered**.**filtered**.**filtered**.**filtered**
ip route 192.168.24.0/24 192.168.24.13
ip icmp burst-normal 5000 burst-max 10000 lockup 300
!
no telnet server
username XXXXX password XXXXX
snmp-server community 2 XXXXXXXX ro 10
snmp-server contact XXXXX
snmp-server location XXXXX
!
!
clock summer-time
clock timezone gmt GMT-05
web access-group 10
web-management https
banner motd ^C
Warning Notification!!!^C
This system is to be used by authorized users only for the purpose of^C
conducting official company work. Any activities conducted on this system may^C
be monitored and/or recorded and there is no expectation of privacy while^C
using this system. All possible abuse and criminal activity may be handed^C
over to the proper law enforcement officials for investigation and^C
prosecution. Use of this system implies consent to all of the conditions^C
stated within this Warning Notification. ^C
!
ssh access-group 10
!
!
!
interface management 1
ip address 192.168.24.2 255.255.255.0
!
interface ve 2
ip access-group 100 in
ip access-group 100 out
ip address **filtered**.**filtered**.**filtered**.**filtered** 255.255.255.252
ip icmp burst-normal 5000 burst-max 10000 lockup 300
!
interface ve 3
ip access-group 100 in
ip access-group 100 out
ip address **filtered**.**filtered**.**filtered**.**filtered**  255.255.255.192
ip icmp burst-normal 5000 burst-max 10000 lockup 300
!
!
!
access-list 10 remark Access List 10 Allows management access from internal networks
access-list 10 permit 192.168.0.0 0.0.255.255
!
access-list 100 remark Access List 100 blocks Private and Reserved IP Space this also prevents access to management interface with router image when using 192.168.0.0/24 addresses
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 100.64.0.0 0.63.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.0.0 0.0.0.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 198.18.0.0 0.1.255.255 any
access-list 100 deny ip 198.51.100.0 0.0.0.255 any
access-list 100 deny ip 203.0.113.0 0.0.0.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 permit ip any any
!
!
!
!
!
ip ssh authentication-retries 5
ip ssh timeout 60
ip ssh idle-time 15
ip ssh key-authentication no
!
!
end
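The two access lists in the posted configuration can be checked offline before relying on them. Extended ACL 100 matches on the source address only (every entry is "deny ip <reserved range> any", then "permit ip any any"), so applied in and out on the VE interfaces it drops replies that leave with a private source address but still permits a packet from an outside source addressed into the 192.168.24.0/24 management subnet; ACL 10 is what actually gates SSH, web and SNMP. The script below is an added example, not code from the thread or from Brocade: it parses the standard and extended ACLs exactly as they appear above (address matching only, no ports or other keywords), evaluates a packet first-match with the implicit trailing deny, and walks the request and reply through ACL 100 the way the post applies it. The outside source address 198.20.0.1 is a constructed stand-in for an arbitrary Internet host.

```python
"""Offline evaluator for the FastIron access lists posted in the thread.

Added example, not code from the thread or from Brocade. Only the IP-address
matching used by ACL 10 and ACL 100 is implemented (no ports, no
'established'/'log' keywords).
"""
import ipaddress

# Constructed copy of the two access lists from the posted configuration.
CONFIG_ACLS = """\
access-list 10 remark Access List 10 Allows management access from internal networks
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 100 remark Access List 100 blocks Private and Reserved IP Space
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 100.64.0.0 0.63.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.0.0 0.0.0.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 198.18.0.0 0.1.255.255 any
access-list 100 deny ip 198.51.100.0 0.0.0.255 any
access-list 100 deny ip 203.0.113.0 0.0.0.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 permit ip any any
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def wildcard_to_network(addr, wildcard):
    """Translate 'address wildcard-mask' into a network. Wildcard bits set
    to 1 are "don't care"; the ACLs above only use contiguous low-order
    wildcards, so every entry maps to a proper CIDR prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def _parse_addr(tok, pos):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[pos] == "any":
        return ANY, pos + 1
    if tok[pos] == "host":
        return ipaddress.IPv4Network(tok[pos + 1] + "/32"), pos + 2
    return wildcard_to_network(tok[pos], tok[pos + 1]), pos + 2


def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order.
    A standard ACL (no protocol keyword) matches on source only."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action = tok[1], tok[2]
        if tok[3] in PROTOCOLS:            # extended: <proto> <src> <dst>
            src, pos = _parse_addr(tok, 4)
            dst, _ = _parse_addr(tok, pos)
        else:                              # standard: <src> only
            src, _ = _parse_addr(tok, 3)
            dst = ANY
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def evaluate(acl, src, dst):
    """First-match evaluation; every ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def management_path(acls, outside_src, mgmt_ip):
    """Apply ACL 100 the way the post does (in and out on the VE interfaces):
    the request entering the VE, then the reply leaving it.
    Returns (inbound_action, outbound_action)."""
    acl = acls["100"]
    return evaluate(acl, outside_src, mgmt_ip), evaluate(acl, mgmt_ip, outside_src)


if __name__ == "__main__":
    acls = parse_acls(CONFIG_ACLS)
    # 198.20.0.1 is a constructed stand-in for an arbitrary Internet source.
    print(management_path(acls, "198.20.0.1", "192.168.24.2"))   # ('permit', 'deny')
    print(evaluate(acls["10"], "192.168.24.13", "192.168.24.2"))  # permit
    print(evaluate(acls["10"], "10.0.0.5", "192.168.24.2"))       # deny
```

The ('permit', 'deny') result is the property to keep in mind when reading the post's remark on ACL 100: with the router image, what stops a connection from outside reaching the management address is the dropped reply, not a block on the inbound request. Filtering on destination as well (or keeping the management port out of the routed table altogether, as the later reply suggests) is what turns that into a block in both directions.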

Contributor
Posts: 28
Registered: ‎07-25-2013

Re: ICX6450 management port security with router image.

You can try adding VRF onto the management port. That'll definitely keep it from the default routing table.
