1818 Views, 2 Helpful, 3 Replies

Block access to Object Store on ACI leaf/spine switches

i.va (Level 3)

We are running ACI 5.2(6e). The Object Store on ACI leaf/spine switches can be accessed via HTTP and HTTPS by default. The Object Store is protected by a login form, but we need to disable access completely, i.e., stop the switches from listening on HTTP/HTTPS over the out-of-band management network. On IOS devices one would usually disable the http/https services; however, I did not manage to find out how to do this on ACI leaf/spine switches, or whether it is even possible. Can anybody point me in the right direction? Thanks in advance.

Accepted Solution

RedNectar (VIP)

Hi @i.va ,

I've had a few goes at trying to solve this, but haven't had any luck. I had hoped that going down the path of setting up Configuration Zones might help, but the documentation on this is sketchy, and it seems to only apply to firmware upgrades.

I think if you want to restrict HTTP/HTTPS access to the OOB network you'll have to make sure anyone accessing that network does so via a router/firewall, then use good-old ACLs to restrict the access to the IPs of the ACI leaf/spine switches.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

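As an added example of the ACL approach described in the answer above (this is not code from the thread, from Cisco documentation, or from the ACI product): an IOS-style extended ACL on the router in front of the OOB management segment. Every address, the interface name and the ACL name are assumptions chosen for illustration; substitute the real OOB addressing of the fabric. The ACL matches only the leaf/spine OOB range, so the APIC GUI on the same segment is untouched, and it leaves SSH, SNMP and syslog to the switches alone.

```ios
! Added example, not from the original thread. Assumed addressing:
!   10.10.0.0/24          ACI out-of-band management segment
!   10.10.0.96/27         leaf/spine OOB addresses (wildcard 0.0.0.31)
!   10.20.0.10            management jump host still allowed to use the web UI (HTTPS only)
!
ip access-list extended OOB-ACI-HTTP
 remark Jump host may reach the switch web UI / Object Store over HTTPS only
 permit tcp host 10.20.0.10 10.10.0.96 0.0.0.31 eq 443
 remark Block HTTP and HTTPS to the leaf/spine OOB addresses from everywhere else; log hits
 deny   tcp any 10.10.0.96 0.0.0.31 eq 80 log
 deny   tcp any 10.10.0.96 0.0.0.31 eq 443 log
 remark Everything else toward the OOB segment (SSH, SNMP, syslog, APIC GUI) is unaffected
 permit ip any any
!
interface GigabitEthernet0/1
 description Towards ACI OOB management segment (assumed interface)
 ip access-group OOB-ACI-HTTP out
```

Two caveats a practitioner will want to keep in mind. First, this only works if every path into the OOB segment crosses that interface; a host attached to the same L2 segment as the switches is never filtered, which is why the answer insists on reaching the network through a router or firewall. Second, verify the block rather than assume it: from a host outside the jump-host allow-list, a connection attempt to port 443 on a leaf OOB address should time out, and `show ip access-lists OOB-ACI-HTTP` should show the deny counters incrementing.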

3 Replies

i.va (Level 3)

Hey, thanks for your input. There is hardly any information on this, so I ended up blocking this via the firewall. Hopefully we will have some more options for hardening in future releases.

YanL (Level 1)

We never use the Object Store on ACI leaf/spine switches, so it would be wise not to expose it if possible. Cisco needs to fix this.
