The iptables rules are only modified on the APICs; the switch iptables still accept SSH from anywhere. Example with 9.9.9.9/32 and 10.0.0.0/16 defined as the management subnets:

==APIC iptables==

[root@apic1 ~]# iptables -S | grep 22
-A apic-default -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A apic-default -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A apic-default-ifm -p tcp -m conntrack --ctstate NEW -m tcp --dport 12215 -j ACCEPT
-A apic-default-ifm -p tcp -m conntrack --ctstate NEW -m tcp --dport 12216 -j ACCEPT
-A apic-default-ifm -p tcp -m conntrack --ctstate NEW -m tcp --dport 12247 -j ACCEPT
-A apic-default-ifm -p tcp -m conntrack --ctstate NEW -m tcp --dport 12248 -j ACCEPT
-A apic-default-ifm -p tcp -m conntrack --ctstate NEW -m tcp --dport 12279 -j ACCEPT
-A apic-default-ifm -p tcp -m conntrack --ctstate NEW -m tcp --dport 12280 -j ACCEPT
-A apic-default-ifm -p tcp -m conntrack --ctstate NEW -m tcp --dport 1022 -j ACCEPT
-A fp-28 -s 9.9.9.9/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A fp-28 -s 10.0.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT

[root@apic1 ~]# iptables --list | grep ssh
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ssh limit: avg 2/sec burst 4
REJECT tcp -- anywhere anywhere ctstate NEW tcp dpt:ssh reject-with tcp-reset
ACCEPT tcp -- 9.9.9.9 anywhere tcp dpt:ssh
ACCEPT tcp -- 10.0.0.0/16 anywhere tcp dpt:ssh

==Switch iptables==

latam-pod2-leaf1# iptables -S | grep 22
-A vrf_2_mrules -p tcp -m class_id --src-class-id 16386 -m tcp --dport 22 -j ACCEPT
-A vrf_2_mrules -p tcp -m class_id --src-class-id 49161 -m tcp --dport 22 -j ACCEPT
-A vrf_2_mrules -p tcp -m class_id --src-class-id 16386 -m tcp --sport 22 -j ACCEPT
-A vrf_2_mrules -p tcp -m class_id --src-class-id 49161 -m tcp --sport 22 -j ACCEPT
-A vrf_2_mrules -p tcp -m tcp --dport 22 -j ACCEPT
-A vrf_2_mrules -p tcp -m tcp --sport 22 -j ACCEPT

latam-pod2-leaf1# iptables --list | grep ssh
ACCEPT tcp -- anywhere anywhere src-class-id 16386 tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere src-class-id 49161 tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere src-class-id 16386 tcp spt:ssh
ACCEPT tcp -- anywhere anywhere src-class-id 49161 tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
Defining a specific host or subnet under the External Management Network Instance Profile to restrict management of the APICs and switches only takes effect on the APICs; the switches can still be managed from subnets that are not defined there.
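A quick way to check whether a given node actually carries the subnet restriction is to parse its `iptables -S` output and list, per chain, which ACCEPT rules for TCP/22 are bound to a source (an `-s` address or a `--src-class-id`) and which are not. The script below is an added example, not part of the bug text or any Cisco tooling; the two sample inputs are the rule listings quoted above, embedded as strings so it runs offline. It reports per chain rather than passing a verdict, because the APIC listing also contains an unrestricted but rate-limited ACCEPT in `apic-default`, and the order in which the chains are traversed is not shown in the bug text.

```python
import shlex
from collections import defaultdict

# Sample input 1: the APIC `iptables -S | grep 22` rules quoted in the bug text
# (trimmed to the SSH-relevant lines plus one unrelated port for contrast).
APIC_RULES = """\
-A apic-default -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A apic-default -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A apic-default-ifm -p tcp -m conntrack --ctstate NEW -m tcp --dport 12215 -j ACCEPT
-A fp-28 -s 9.9.9.9/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A fp-28 -s 10.0.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Sample input 2: the leaf switch `iptables -S | grep 22` rules quoted in the bug text.
SWITCH_RULES = """\
-A vrf_2_mrules -p tcp -m class_id --src-class-id 16386 -m tcp --dport 22 -j ACCEPT
-A vrf_2_mrules -p tcp -m class_id --src-class-id 49161 -m tcp --dport 22 -j ACCEPT
-A vrf_2_mrules -p tcp -m class_id --src-class-id 16386 -m tcp --sport 22 -j ACCEPT
-A vrf_2_mrules -p tcp -m class_id --src-class-id 49161 -m tcp --sport 22 -j ACCEPT
-A vrf_2_mrules -p tcp -m tcp --dport 22 -j ACCEPT
-A vrf_2_mrules -p tcp -m tcp --sport 22 -j ACCEPT
"""


def parse_rule(line):
    """Turn one `iptables -S` append line (-A CHAIN ...) into a dict of the
    options this audit cares about; every other option is skipped."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "src": None, "src_class": None,
            "dport": None, "target": None, "rate_limited": False}
    i = 2
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-s":                      # source address / prefix
            rule["src"] = nxt
            i += 2
        elif tok == "--src-class-id":        # ACI class-id match on the switch
            rule["src_class"] = nxt
            i += 2
        elif tok == "--dport":
            rule["dport"] = nxt
            i += 2
        elif tok == "-j":
            rule["target"] = nxt
            i += 2
        elif tok == "--limit":               # hashlimit-style rate limiting
            rule["rate_limited"] = True
            i += 2
        else:
            i += 1                           # -p, -m, --ctstate, --sport, ...
    return rule


def audit_ssh_accepts(output, port="22"):
    """Group ACCEPT rules whose TCP destination port is `port` by chain and
    record what restricts each rule's source: an address, a class id, or
    None when nothing does. Returns {chain: [restriction_or_None, ...]}."""
    result = defaultdict(list)
    for line in output.splitlines():
        rule = parse_rule(line)
        if not rule or rule["target"] != "ACCEPT" or rule["dport"] != port:
            continue
        if rule["src"]:
            restriction = rule["src"]
        elif rule["src_class"]:
            restriction = "class-id " + rule["src_class"]
        else:
            restriction = None
        result[rule["chain"]].append(restriction)
    return dict(result)


def unrestricted_chains(output, port="22"):
    """Chains holding at least one ACCEPT for `port` with no source restriction."""
    return sorted(chain for chain, srcs in audit_ssh_accepts(output, port).items()
                  if any(s is None for s in srcs))


if __name__ == "__main__":
    for name, rules in (("apic", APIC_RULES), ("leaf switch", SWITCH_RULES)):
        print(name, audit_ssh_accepts(rules))
        print("  chains with an unrestricted SSH ACCEPT:", unrestricted_chains(rules))
```

On a real node, feed the function the output of `iptables -S` directly instead of the embedded strings. In the quoted listings the APIC is the only node with address-bound ACCEPTs (chain `fp-28`), while the leaf's `vrf_2_mrules` chain ends with an ACCEPT for dport 22 that carries no source match at all, which is the behaviour the bug describes.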