Action Recommended to Secure the Cisco Nexus PowerOn Auto Provisioning Feature

Cisco Nexus devices support an automatic provisioning or zero-touch deployment feature called PowerOn Auto Provisioning (POAP). This feature assists in automating the initial deployment and configuration of Nexus switches. POAP is enabled by default and activates on devices that have no startup configuration or when Perpetual POAP has been configured using the boot poap enable command.

As with other automatic provisioning technologies, such as Cisco Zero-Touch Provisioning or Cisco Smart Install, some basic assumptions are made about the initial deployment environment. First, that administrators know that the feature exists and is enabled by default. Second, that the Layer 2 (L2) network on which a device initially connects is secure.

By design, the POAP feature leverages several unauthenticated protocols to obtain the initial configuration file for a device. When a device with POAP boots and subsequently fails to locate a startup configuration, such as on the first startup after unboxing or after a restoration of factory defaults, the device enters POAP mode. The device will attempt to locate a DHCP server through a connected management interface [1]. Then the switch will listen for a DHCP response that includes at a minimum the following:

  • An IP address
  • A default gateway
  • Option 66 (TFTP server name) or Option 150 (TFTP server address)
  • Option 67 (boot file name)

If the Nexus device receives multiple DHCP responses that meet these requirements, the first DHCP response received will be accepted, and POAP will move to the next stage of the device configuration. If no DHCP responses that meet these requirements are received prior to the timeout period, the device will exit POAP mode.

If a DHCP response is accepted, the Nexus device will attempt to connect to the provided TFTP server to retrieve the Python or Tool Command Language (Tcl) POAP configuration script specified within the boot file option. The switch will then execute the script to retrieve the specified software and device configuration. The Nexus device software and configuration may be retrieved using Secure Copy Protocol (SCP), FTP, or SFTP. The downloaded Nexus software will be assigned as the active image, with the configuration file scheduled to be applied when the device restarts.
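To make the acceptance rule above concrete, here is an added example in Python (not Cisco code): it parses a DHCP option field in its RFC 2132 TLV form and reports which of the four minimum POAP fields an offer lacks, so that someone auditing a management segment can tell which offers a switch in POAP mode would act on. The sample option bytes are constructed.

```python
# DHCP option codes named in the advisory (RFC 2132 numbering; 150 is the Cisco
# TFTP-server-address option). Pad and End are the two options without a length byte.
OPT_ROUTER, OPT_TFTP_NAME, OPT_BOOTFILE, OPT_TFTP_ADDRS = 3, 66, 67, 150
OPT_PAD, OPT_END = 0, 255


def parse_dhcp_options(blob):
    """Parse the option field that follows the 0x63825363 magic cookie into
    {code: raw_bytes}. Raises ValueError on a truncated TLV."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("option header truncated")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts


def poap_missing_fields(yiaddr, opts):
    """Which of the four minimum POAP fields the offer lacks. An empty list means
    a Nexus in POAP mode would accept this offer and move on to the TFTP stage."""
    missing = []
    if yiaddr in ("", "0.0.0.0"):          # yiaddr is the offered client address
        missing.append("ip address")
    if len(opts.get(OPT_ROUTER, b"")) < 4:  # option 3 carries one or more IPv4 gateways
        missing.append("default gateway (option 3)")
    if OPT_TFTP_NAME not in opts and len(opts.get(OPT_TFTP_ADDRS, b"")) < 4:
        missing.append("tftp server (option 66 or 150)")
    if not opts.get(OPT_BOOTFILE):
        missing.append("boot file name (option 67)")
    return missing


# Constructed sample offer: gateway 192.0.2.1, TFTP server 192.0.2.50, boot file poap.py.
SAMPLE_OPTIONS = (bytes([OPT_ROUTER, 4]) + bytes([192, 0, 2, 1])
                  + bytes([OPT_TFTP_ADDRS, 4]) + bytes([192, 0, 2, 50])
                  + bytes([OPT_BOOTFILE, 7]) + b"poap.py"
                  + bytes([OPT_PAD, OPT_END]))
```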

Several steps in the POAP configuration process rely on a secure network segment to obtain critical startup information. While the POAP feature disables itself after a configuration is applied to a device [2], it is critical that customers properly secure the networks in which POAP may be utilized. Some customers may want to disable the POAP feature and use other methods to configure a Nexus device out of the box. To this end, Cisco has added multiple new commands to disable POAP that will persist across a reset to factory defaults and the removal of a configuration. For guidelines on securing a POAP environment, as well as information about disabling the feature, see the Details and Recommendations sections.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-info-poap

[1] On some Nexus chassis-based devices, the DHCP solicitation may also be sent using all front-panel Ethernet interfaces of the installed router processor.

[2] The POAP feature will not be disabled if Perpetual POAP has been configured using the boot poap enable command and will run on each reload of the device.

Security Impact Rating: Informational

Related:

  • No Related Posts

Can't edit App layer, boot error 0xC000000F; but OS and Platform Layers work OK

First, verify this is not https://support.citrix.com/article/CTX238440. The error message is normally different, but that’s the most likely cause: language issues.

Second, Add Version to your OS layer, run CMD As Administrator, and do the following. This will trigger a new scan of critical OS system files to update our list of critical system files.

CD \Program Files\Unidesk\Uniservice

Uniservice.exe /B

<Reboot>

Then finalize that and test creating a new app layer again.

Otherwise, this is a system driver that has not been properly copied to the boot disk. This does not apply to OS and Platform layers because the boot disk is handled differently. But with App Layers, the boot disk is a thin disk that contains just enough Windows to get minifilter drivers running. 0xC000000F means we missed copying something to the boot disk.

Unfortunately, you can’t tell what we missed. What you need to do is version your OS layer to get a record of a successful boot. Log in, run msinfo32, Boot, and enable Boot Logging. This will create a boot log file called C:\Windows\ntbtlog.txt that contains, in order, every file loaded during boot. Reboot to generate the log, and copy it to a file share. Leave the packaging machine for the OS layer open; you will need it again in a minute.

On the packaging machine for the App Layer that fails to boot, attach your Windows installer ISO. Boot from that. When you get to the first Windows Setup dialog, type Shift-F10, which will bring up a command prompt window. In this machine, X: is the CD-ROM, C: is the mini boot disk, D: is the OS layer, and E: is the package disk. We care about C: and D:. Specifically, we care about what is in D: that is not in C: but should be.

Load up ntbtlog.txt in Notepad. In the command prompt window, type “C:” to get to the C drive, and then “CD \Windows\system32”. All of your important files will be in Windows\system32 or Windows\system32\drivers. Read through the ntbtlog.txt, and check that each file is on your C: drive. For any files which are not, copy them from the D: drive with a command like this:

XCOPY /CHOK D:\Windows\system32\drivers\ntosext.sys C:\Windows\system32\drivers

The parameters to XCOPY ensure that the permissions and attributes are copied as well. Note every missing file. Once you have found and copied in the missing files, reboot from the hard drive, not the CD-ROM. Verify that your app layer now boots. Cancel the App Layer.

Back in the OS layer, edit C:\Program Files\Unidesk\Uniservice\bootfile.txt. Add the correct path for the missing files to the bottom of bootfile.txt. Note that the directory separators are / instead of \. So for instance, add the following lines:

C:/Windows/system32/drivers/ntosext.sys

C:/Windows/system32/drivers/clipsp.sys

Save the file, finalize, and attempt to create a new app layer with the new OS version. If this works, please open a Support Case and let Citrix know about this file. Normally we would have picked it up with the Uniservice /B scan. We will likely ask for other information from your OS layer, including if you know what updates might have triggered this. However, with the modified bootfile.txt, you should be able to continue your deployment.
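The comparison step above is tedious to do by hand when the boot log is long. The following is an added helper (example code, not part of the answer above and not Citrix tooling): it parses ntbtlog.txt, compares it against a file listing captured from the mini boot disk (for example the output of `dir /s /b C:\Windows` redirected to a file from the Shift-F10 prompt), and prints the XCOPY commands and bootfile.txt lines in the form the answer describes. The ntbtlog.txt entry format (“Loaded driver \SystemRoot\...”) is the standard Windows boot-logging format; the sample log and listing are constructed.

```python
import ntpath
import re

# ntbtlog.txt entries look like "Loaded driver \SystemRoot\system32\drivers\clipsp.sys"
# (assumed standard Windows boot-logging format); "Did not load driver" lines are ignored.
LOADED_RE = re.compile(r"^Loaded driver \\SystemRoot\\(.+?)\s*$", re.IGNORECASE)


def boot_files(ntbtlog_text):
    """Paths relative to the Windows directory, in boot order, without duplicates."""
    files, seen = [], set()
    for line in ntbtlog_text.splitlines():
        m = LOADED_RE.match(line.strip())
        if m and m.group(1).lower() not in seen:
            seen.add(m.group(1).lower())
            files.append(m.group(1))
    return files


def listing_to_relative(dir_output, root="C:\\Windows\\"):
    """Turn 'dir /s /b C:\\Windows' output (one absolute path per line) into relative paths."""
    rel = set()
    for line in dir_output.splitlines():
        line = line.strip()
        if line.lower().startswith(root.lower()):
            rel.add(line[len(root):])
    return rel


def plan_repairs(loaded, present_on_c):
    """Files the boot log loads but the mini boot disk lacks, plus the XCOPY commands
    (D: = OS layer, C: = mini boot disk) and the bootfile.txt lines with / separators."""
    have = {p.lower() for p in present_on_c}
    missing = [f for f in loaded if f.lower() not in have]
    xcopy, bootfile = [], []
    for f in missing:
        sub = ntpath.dirname(f)                       # e.g. system32\drivers
        dest = "C:\\Windows" + ("\\" + sub if sub else "")
        xcopy.append(f"XCOPY /CHOK D:\\Windows\\{f} {dest}")
        bootfile.append("C:/Windows/" + f.replace("\\", "/"))
    return {"missing": missing, "xcopy": xcopy, "bootfile": bootfile}


# Constructed sample input: a short boot log and a deliberately incomplete mini-boot-disk listing.
SAMPLE_NTBTLOG = r"""Microsoft (R) Windows (R) Version 10.0 (Build 17763)
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\drivers\clipsp.sys
Loaded driver \SystemRoot\system32\drivers\ntosext.sys
Did not load driver \SystemRoot\System32\drivers\example.sys
"""
SAMPLE_C_LISTING = "C:\\Windows\\system32\\ntoskrnl.exe\nC:\\Windows\\system32\\drivers\\ntfs.sys\n"
```

Run `plan_repairs(boot_files(log), listing_to_relative(listing))` on the real files; the `xcopy` list is what to type at the Shift-F10 prompt and the `bootfile` list is what to append to bootfile.txt.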


Updating 14.0.1 to 14.2 MP1 – how long can I go without a restart

I need a solution

I’d like to start pushing out 14.2 MP1 via the “Admin > Install Packages > Upgrade Clients with Package” command.

I know that doing so will require a reboot of the endpoints, but I won’t be able to reboot some of my servers right away. Will the endpoint still be fully functional if I let it sit without the restart for a couple of weeks? Or do I need to restart within a day or two?

Thanks,

Brett


ghost64.exe license query

I need a solution

Hi,

I am working on creating the Windows 10 reference image. I created a WinPE bootable USB with ghost64.exe included. I will use the WinPE boot to boot into the reference PC and clone the reference image for later deployment of the image to other machines on the network.

My question is: do I need to purchase a license for this scenario, and how many licenses do I need for a hundred laptops?

Thanks

Regards

Chi Chung


Unable to live migrate VMs on AMD hardware

If you are running XenServer on any AMD Family 15h or 16h CPU (including Opteron 42xx, 43xx, 62xx, 63xx and 63xxP processors), attempts to live migrate a VM to a host that has an updated microcode (version 0x600063e) can fail with a VM_INCOMPATIBLE_WITH_THIS_HOST error. This is due to a CPU feature incompatibility issue.

The affected processors with microcode 0x600063e (or later) do not have the Light-Weight Profiling (LWP) feature which was present in previous microcode versions. Therefore, if you live migrate a VM running on a host that has the LWP feature to a host that does not have this feature, migration fails with a VM_INCOMPATIBLE_WITH_THIS_HOST error.

Environment

This issue occurs on AMD processors noted above with an updated microcode (version 0x600063e). The microcode version can change when you update your BIOS, install a XenServer update, or upgrade your XenServer host to a newer version.

Note that the following XenServer updates contain affected AMD microcode versions:

Releases of XenServer up to XenServer 7.5 do not include the affected AMD microcode until you apply one of the updates listed above.

To check the CPU microcode version:

  1. On a XenServer host, open a local shell and log on as ‘root’.
  2. Run the following command:
# cat /proc/cpuinfo | grep microcode
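As an added pre-migration check (example code, not from the Citrix article): parse the /proc/cpuinfo text from the source and destination hosts and list the CPU feature flags the destination lacks. This is the general form of the LWP mismatch described above, so it also catches other feature differences introduced by a microcode change. The cpuinfo excerpts are constructed, including the pre-update microcode value.

```python
def parse_cpuinfo(text):
    """Vendor, family, microcode and flag set from the first processor block of /proc/cpuinfo."""
    info = {"vendor": "", "family": None, "microcode": None, "flags": set()}
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the first processor block
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "vendor_id":
            info["vendor"] = value
        elif key == "cpu family":
            info["family"] = int(value)
        elif key == "microcode":
            info["microcode"] = int(value, 16)
        elif key == "flags":
            info["flags"] = set(value.split())
    return info


def migration_check(src, dst):
    """Flags present on the source host but absent on the destination. Any entry
    (here 'lwp') is a feature a running VM may depend on, so the migration is refused."""
    return {
        "missing_on_destination": sorted(src["flags"] - dst["flags"]),
        "source_microcode": hex(src["microcode"]) if src["microcode"] is not None else None,
        "destination_microcode": hex(dst["microcode"]) if dst["microcode"] is not None else None,
        "family_15h_or_16h": dst["vendor"] == "AuthenticAMD" and dst["family"] in (0x15, 0x16),
    }


# Constructed /proc/cpuinfo excerpts: the same family 15h host before and after the
# microcode update; the pre-update version number is a made-up placeholder.
OLD_HOST = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 21
model\t\t: 2
microcode\t: 0x6000000
flags\t\t: fpu vme de pse sse sse2 svm lwp fma4 tbm

processor\t: 1
"""
NEW_HOST = OLD_HOST.replace("0x6000000", "0x600063e").replace(" lwp", "")
```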


Re: Unable to boot to utility partition on VNX5300, help!

System is out of warranty and a lab system; it’s working but I want to reload the image on it because some configuration won’t let me delete it.

I boot it up with serial cable attached, and hit ctrl-c and per “Backrev Array” solution it’s supposed to do a Minisetup and reboot a few times. It never reboots it just sits at the “int13 – EXTENDED READ (4000)” and never goes further.

I rebooted it manually myself and tried to start the process again, but I just get this… any ideas?

ABCDabcdEFabcd << Stopping after POST >> GabcdefHabcdefIabcdefJabcdeKLabMabNabOabcPQRSTUVWabXYabZAABBCCabDDabcEEabcFFabcGGabcHHabcIIabJJabKKLLMMNNOOPPQQRRSSTTUUVVWWXX

************************************************************

* Extended POST Messages

************************************************************

INFORMATION: POST Start

INFORMATION: MCU Operating mode changed from Linux to Clariion

INFORMATION: PSB not present

************************************************************

EndTime: 10/28/2018 15:29:59

…. Storage System Failure – Contact your Service Representative …

*******

Enclosure: 0x0008000B : Added to Table

Motherboard: 0x00130009 : Added to Table

Memory: 0x00000001

DIMM 0: 0x00000001

DIMM 1: 0x00000001

DIMM 2: 0x00000001

Mezzanine: 0x00100007

I/O Module 0: 0x00000001 : Added to Table

I/O Module 1: 0x00000001 : Added to Table

Power Supply A: 0x000B0014

Power Supply B: 0x00000001

0x00130009: MCU 0540

0x00130009: CMDAPP 0504

0x00130009: CMDTABLE 0096

0x00130009: CMDBOOT 0002

0x00130009: PLX 0305

0x000B0014: PS FW 0027

Checksum valid

Relocating Data Directory Boot Service (DDBS: Rev. 05.03)…

DDBS: K10_REBOOT_DATA: Count = 1

DDBS: K10_REBOOT_DATA: State = 0

DDBS: K10_REBOOT_DATA: ForceDegradedMode = 0

DDBS: **** WARNING: SP rebooted unexpectedly before completing MiniSetup on the Utility Partition.

DDBS: MDDE (Rev 600) on disk 1

DDBS: MDDE (Rev 600) on disk 3

DDBS: MDB read from both disks.

DDBS: Chassis and disk WWN seeds match.

DDBS: First disk is valid for boot.

DDBS: Second disk is valid for boot.

Utility Partition image (0x0040000F) located at sector LBA 0x1453D802

Disk Set: 1 3

Total Sectors: 0x013BA000

Relative Sectors: 0x00000800

Calculated mirror drive geometry:

Sectors: 63

Heads: 255

Cylinders: 1287

Capacity: 20686848 sectors

Total Sectors: 0x013BA000

Relative Sectors: 0x00000800

Calculated mirror drive geometry:

Sectors: 63

Heads: 255

Cylinders: 1287

Capacity: 20686848 sectors

Stopping USB UHCI Controller…

Stopping USB UHCI Controller…

EndTime: 10/28/2018 15:33:37

int13 – RESET (1)

int13 – CHECK EXTENSIONS PRESENT (3)

int13 – CHECK EXTENSIONS PRESENT (5)

int13 – GET DRIVE PARAMETERS (Extended) (6)

int13 – EXTENDED READ (200)

int13 – EXTENDED READ (400)

int13 – EXTENDED READ (600)

int13 – READ PARAMETERS (800)

int13 – READ PARAMETERS (802)

int13 – DRIVE TYPE (803)

int13 – CHECK EXTENSIONS PRESENT (804)

int13 – GET DRIVE PARAMETERS (Extended) (805)

int13 – READ PARAMETERS (806)

int13 – EXTENDED WRITE (846)

int13 – EXTENDED WRITE (847)

int13 – EXTENDED WRITE (848)

int13 – READ PARAMETERS (964)

int13 – DRIVE TYPE (965)

int13 – CHECK EXTENSIONS PRESENT (966)

int13 – GET DRIVE PARAMETERS (Extended) (967)

int13 – READ PARAMETERS (968)

int13 – EXTENDED WRITE (997)

int13 – EXTENDED WRITE (998)

int13 – EXTENDED WRITE (999)

int13 – EXTENDED READ (1000)

int13 – EXTENDED WRITE (1012)

int13 – EXTENDED WRITE (1013)

int13 – EXTENDED WRITE (1014)

int13 – EXTENDED READ (1200)

int13 – EXTENDED READ (1400)

int13 – EXTENDED READ (1600)

int13 – EXTENDED READ (1800)

int13 – EXTENDED READ (2000)

int13 – EXTENDED READ (2200)

int13 – EXTENDED READ (2400)

int13 – EXTENDED READ (2600)

int13 – EXTENDED READ (2800)

int13 – EXTENDED READ (3000)

int13 – EXTENDED READ (3200)

int13 – EXTENDED READ (3400)

int13 – EXTENDED READ (3600)

int13 – EXTENDED READ (3800)

int13 – EXTENDED READ (4000)

It doesn’t seem to ever go past this… so I cannot move on to the next steps in the solution.

Any help or experience with this would be much appreciated!

-M


Re: VNX5100: SPA blinking amber rapidly while SPB blinking blue rapidly

Hello! I’ve just received this SAN. I found that there was some config on it, and I decided it would be a good idea to factory reset it/reimage it.

After letting it sit for around 2-3 hours reimaging the system, i decided to reboot it.

When rebooting it, both SPA and SPB start blinking amber (normal) but then, SPB continues to boot (changes color to blue while flashing), but SPA is stuck in the amber fast blinking…

After letting them run for about 3 hours, there is no change. SPB blinks fast blue and SPA blinks fast amber.

I don’t have any support contract as this is for homelab-testing.

If anyone is still active when it comes to these discussions, any help would be appreciated!!


Liveupdate cannot connect to server

I need a solution

Hi all,

Recently deployed SEP 14.0 RU1 MP2 to all Macs in my office. At first the update process didn’t work at all until the “additional resources” SEP.mpkg and SEPSku.mpkg were installed, which “fixes” the update problem. However, after reboot LiveUpdate continues to fail with the error message stated in the title. Any thoughts would be much appreciated.


Dual boot image windows10 and linux

I need a solution

Hi, has anyone actually managed to create and deploy an image of a dual boot system containing Win 10 & Linux?

I have got both operating systems working fine in just one partition each, yet every time I successfully manage to create an image, it either fails to deploy successfully or it simply won’t boot.

I think I have tried every combination of switches -ib -ia -ial also -id and -ntexact, I’ve even tried -ir but nothing works.

I’ve tried both legacy mode and UEFI mode, secure boot off, fast boot off, etc.

If anyone has a clue how to do this, please help.

Thanks. Mike.
