Security policy allows the BMCMgmt and SwitchMgmt networks to reach only UDP port 123 on the specified NTP server IP address; no other port is permitted.
The following access control lists must be modified for this change:
- Rack01-BMCMgmt_IN
- Rack01-BMCMgmt_OUT
- Rack01-SwitchMgmt_IN
- Rack01-SwitchMgmt_OUT
To identify the rules that must be updated, first back up the running configuration and then display the access lists:
copy running-configuration config://pre-ntp-change.conf
show running-configuration access-list
Each list starts with a section heading such as ip access-list <list name>. For the BMCMgmt_IN and BMCMgmt_OUT lists, look for remark sequence 560 with rule sequence 570. The remark sequence describes the rule sequence that is being entered. See the following example:
Take note of the BMCMgmt network with the /26 subnet designation along with the existing NTP server IP address with the /32 subnet designation.
To modify the Rack01-BMCMgmt_IN access control list, run the following commands, updating the values for <BMCMgmt_Network/26> and <NTP_Server_IP/32>:
conf t
ip access-list Rack01-BMCMgmt_IN
no seq 560
no seq 570
seq 560 remark "Permit UDP R01-Bmc (<BMCMgmt_Network/26>)_TO_ntp port 123 (<NTP_Server_IP/32>)"
seq 570 permit udp <BMCMgmt_Network/26> <NTP_Server_IP/32> eq 123 count
end
To modify the Rack01-BMCMgmt_OUT access control list, run the following commands, updating the values for <BMCMgmt_Network/26> and <NTP_Server_IP/32>:
conf t
ip access-list Rack01-BMCMgmt_OUT
no seq 560
no seq 570
seq 560 remark "Permit ntp port 123 <NTP_Server_IP/32> (32/UDP)_TO_R01-bmc (<BMCMgmt_Network/26>)"
seq 570 permit udp <NTP_Server_IP/32> eq 123 <BMCMgmt_Network/26> count
end
For the SwitchMgmt_IN list, look for remark sequence 600 with rule sequence 610. The remark sequence describes the rule sequence that is being entered. See the following example:
Take note of the SwitchMgmt network with the /29 subnet designation along with the existing NTP server IP address with the /32 subnet designation.
To modify the Rack01-SwitchMgmt_IN access control list, run the following commands, updating the values for <SwitchMgmt_Network/29> and <NTP_Server_IP/32>:
conf t
ip access-list Rack01-SwitchMgmt_IN
no seq 600
no seq 610
seq 600 remark "Permit R01-SwitchMgmt (<SwitchMgmt_Network/29>)_TO_ntp (<NTP_Server_IP/32>)"
seq 610 permit udp <SwitchMgmt_Network/29> <NTP_Server_IP/32> eq 123 count
end
To modify the Rack01-SwitchMgmt_OUT access control list, run the following commands, updating the values for <SwitchMgmt_Network/29> and <NTP_Server_IP/32>:
conf t
ip access-list Rack01-SwitchMgmt_OUT
no seq 580
no seq 590
seq 580 remark "Permit ntp (<NTP_Server_IP/32>)_TO_R01-SwitchMgmt (<SwitchMgmt_Network/29>)"
seq 590 permit udp <NTP_Server_IP/32> eq 123 <SwitchMgmt_Network/29> count
end
Once the changes have been made and verified to be correct (for example, by running show running-configuration access-list again and confirming that each list references the new NTP server address only in its UDP 123 rule), save the running configuration to the startup configuration:
copy running-configuration startup-configuration
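The procedure above is repeated by hand for four lists, and the sequence numbers differ between lists (560/570, 600/610, 580/590), so it is easy to edit the wrong pair or miss one. As an added example that is not part of the original page and not Microsoft's or Dell's tooling, the following Python script parses the output of show running-configuration access-list (in the OS10-style layout shown on this page: an ip access-list header followed by indented seq lines), locates the remark/rule pair in each of the four lists that references the current NTP server, generates the exact no seq / seq replacement commands with the new address, and then checks the policy stated at the top of the page: every rule in those lists that names the NTP host permits only UDP port 123. The sample configuration, the addresses (RFC 5737 documentation ranges) and the assumption that the remark line immediately precedes its rule are constructed for this example.

```python
"""Locate and rewrite the NTP rules in the four rack ACLs, then verify them."""
import re

ACL_NAMES = (
    "Rack01-BMCMgmt_IN",
    "Rack01-BMCMgmt_OUT",
    "Rack01-SwitchMgmt_IN",
    "Rack01-SwitchMgmt_OUT",
)

# Constructed sample of `show running-configuration access-list` output.
# Placeholder addresses only; real lists contain many more sequences.
SAMPLE_CONFIG = """\
!
ip access-list Rack01-BMCMgmt_IN
 seq 550 permit tcp 192.0.2.0/26 198.51.100.10/32 eq 443 count
 seq 560 remark "Permit UDP R01-Bmc (192.0.2.0/26)_TO_ntp port 123 (198.51.100.5/32)"
 seq 570 permit udp 192.0.2.0/26 198.51.100.5/32 eq 123 count
!
ip access-list Rack01-BMCMgmt_OUT
 seq 560 remark "Permit ntp port 123 198.51.100.5/32 (32/UDP)_TO_R01-bmc (192.0.2.0/26)"
 seq 570 permit udp 198.51.100.5/32 eq 123 192.0.2.0/26 count
!
ip access-list Rack01-SwitchMgmt_IN
 seq 600 remark "Permit R01-SwitchMgmt (192.0.2.64/29)_TO_ntp (198.51.100.5/32)"
 seq 610 permit udp 192.0.2.64/29 198.51.100.5/32 eq 123 count
!
ip access-list Rack01-SwitchMgmt_OUT
 seq 580 remark "Permit ntp (198.51.100.5/32)_TO_R01-SwitchMgmt (192.0.2.64/29)"
 seq 590 permit udp 198.51.100.5/32 eq 123 192.0.2.64/29 count
"""

ACL_HEADER = re.compile(r"^ip access-list (\S+)\s*$")
SEQ_LINE = re.compile(r"^\s*seq (\d+) (.*)$")


def parse_acls(text):
    """Return {acl_name: [(seq_number, body), ...]} from ACL output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        m = SEQ_LINE.match(line)
        if m and current is not None:
            current.append((int(m.group(1)), m.group(2).strip()))
    return acls


def find_ntp_entries(acls, ntp_ip):
    """For each target ACL, find the first permit rule that names ntp_ip/32,
    together with the remark that (by assumption) immediately precedes it."""
    needle = f"{ntp_ip}/32"
    found = {}
    for name in ACL_NAMES:
        entries = acls.get(name, [])
        for i, (seq, body) in enumerate(entries):
            if body.startswith("permit") and needle in body:
                prev = entries[i - 1] if i > 0 else None
                remark = prev if prev and prev[1].startswith("remark") else None
                found[name] = (remark, (seq, body))
                break
    return found


def build_change(acls, old_ip, new_ip):
    """Emit conf-mode commands that swap old_ip for new_ip in each ACL,
    keeping each list's own sequence numbers and rule direction."""
    old, new = f"{old_ip}/32", f"{new_ip}/32"
    cmds = []
    for name, (remark, rule) in find_ntp_entries(acls, old_ip).items():
        cmds += ["conf t", f"ip access-list {name}"]
        if remark:
            cmds.append(f"no seq {remark[0]}")
        cmds.append(f"no seq {rule[0]}")
        if remark:
            cmds.append(f"seq {remark[0]} {remark[1].replace(old, new)}")
        cmds.append(f"seq {rule[0]} {rule[1].replace(old, new)}")
        cmds.append("end")
    return cmds


def verify_ntp_only_udp123(acls, ntp_ip):
    """Check the page's policy: in the four lists, exactly one rule names the
    NTP host, and that rule permits only UDP port 123. Returns a list of
    violations; an empty list means the lists are as expected."""
    needle = f"{ntp_ip}/32"
    problems = []
    for name in ACL_NAMES:
        hits = [b for _, b in acls.get(name, []) if b.startswith("permit") and needle in b]
        if len(hits) != 1:
            problems.append(f"{name}: expected exactly one NTP rule, found {len(hits)}")
        for body in hits:
            if not (body.startswith("permit udp") and "eq 123" in body):
                problems.append(f"{name}: rule naming NTP host is not UDP/123: {body}")
    return problems


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    print("\n".join(build_change(acls, "198.51.100.5", "198.51.100.7")))
    print("violations:", verify_ntp_only_udp123(acls, "198.51.100.5"))
```

Run verify_ntp_only_udp123 on the captured output twice: against the old address before the change (to confirm you found every rule you are about to replace) and against the new address after the change, before copy running-configuration startup-configuration. A non-empty result on the second run means a list was missed or a rule was re-entered with the wrong protocol or port.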