Action Recommended to Secure the Cisco Nexus PowerOn Auto Provisioning Feature

2019-03-06T16:00:00
ID CISCO-SA-20190306-INFO-POAP
Type cisco
Reporter Cisco
Modified 2019-03-06T15:36:50

Description

Cisco Nexus devices support an automatic provisioning or zero-touch deployment feature called PowerOn Auto Provisioning (POAP). This feature assists in automating the initial deployment and configuration of Nexus switches. POAP is enabled by default and activates on devices that have no startup configuration or when Perpetual POAP has been configured using the boot poap enable command.

As with other automatic provisioning technologies, such as Cisco Zero-Touch Provisioning or Cisco Smart Install, some basic assumptions are made about the initial deployment environment. First, that administrators know that the feature exists and is enabled by default. Second, that the Layer 2 (L2) network on which a device initially connects is secure.

By design, the POAP feature leverages several unauthenticated protocols to obtain the initial configuration file for a device. When a device with POAP boots and subsequently fails to locate a startup configuration, such as on the first startup after unboxing or after a restoration of factory defaults, the device enters POAP mode. The device will attempt to locate a DHCP server through a connected management interface [1]. Then the switch will listen for a DHCP response that includes at a minimum the following:

  An IP address
  A default gateway
  Option 66 (TFTP server name) or Option 150 (TFTP server address)
  Option 67 (boot file name)

If the Nexus device receives multiple DHCP responses that meet these requirements, the first DHCP response received will be accepted, and POAP will move to the next stage of the device configuration. If no DHCP responses that meet these requirements are received prior to the timeout period, the device will exit POAP mode.

If a DHCP response is accepted, the Nexus device will attempt to connect to the provided TFTP server to retrieve the Python or Tool Command Language (Tcl) POAP configuration script specified within the boot file option. The switch will then execute the script to retrieve the specified software and device configuration. The Nexus device software and configuration may be retrieved using Secure Copy Protocol (SCP), FTP, or SFTP. The downloaded Nexus software will be assigned as the active image, with the configuration file scheduled to be applied when the device restarts.
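The two stages above give a defender a concrete thing to watch for on a segment where unconfigured Nexus devices may boot: a DHCP reply that carries an IP address, a router, a TFTP option (66 or 150) and a boot file (67) is one a POAP device would act on. The following Python is an added example, not Cisco's code or part of the advisory; it parses a DHCP reply, extracts exactly those fields, and flags provisioning replies whose server is not on an allow-list. The packets, the allow-list and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Classify DHCP replies by whether they carry the minimum fields a Nexus
device in POAP mode accepts (added example; not Cisco's code)."""
import ipaddress
from typing import Dict, Optional, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie
BOOTREPLY = 2
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 53, 54
OPT_TFTP_NAME, OPT_BOOTFILE, OPT_TFTP_ADDR = 66, 67, 150


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """TLV walk over the options field: pad and end handled, repeated codes
    concatenated (RFC 3396), truncated options rejected."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_dhcp(packet: bytes) -> dict:
    """Fixed BOOTP header (236 bytes), then cookie, then options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    return {
        "op": packet[0],
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),   # offered IP
        "siaddr": str(ipaddress.IPv4Address(packet[20:24])),   # next server
        "options": parse_options(packet[240:]),
    }


def poap_fields(msg: dict) -> Optional[dict]:
    """Fields a POAP device would act on, or None when any of the minimum
    set (IP address, router, option 66/150, option 67) is missing."""
    o = msg["options"]
    if msg["op"] != BOOTREPLY or msg["yiaddr"] == "0.0.0.0":
        return None
    if OPT_ROUTER not in o or OPT_BOOTFILE not in o:
        return None
    if OPT_TFTP_ADDR in o and len(o[OPT_TFTP_ADDR]) >= 4:
        tftp = str(ipaddress.IPv4Address(o[OPT_TFTP_ADDR][:4]))
    elif OPT_TFTP_NAME in o:
        tftp = o[OPT_TFTP_NAME].decode("ascii", "replace")
    else:
        return None
    server = msg["siaddr"]
    if OPT_SERVER_ID in o and len(o[OPT_SERVER_ID]) == 4:
        server = str(ipaddress.IPv4Address(o[OPT_SERVER_ID]))
    return {
        "ip": msg["yiaddr"],
        "gateway": str(ipaddress.IPv4Address(o[OPT_ROUTER][:4])),
        "tftp": tftp,
        "bootfile": o[OPT_BOOTFILE].decode("ascii", "replace"),
        "server": server,
    }


def classify(packet: bytes, trusted_servers: Set[str]) -> str:
    """'plain': cannot drive POAP; 'trusted': provisioning reply from an
    allow-listed server; 'untrusted': provisioning reply from anywhere else."""
    fields = poap_fields(parse_dhcp(packet))
    if fields is None:
        return "plain"
    return "trusted" if fields["server"] in trusted_servers else "untrusted"


def build_reply(yiaddr: str, options: Dict[int, bytes]) -> bytes:
    """Constructed sample reply for offline parsing; nothing is sent."""
    header = bytearray(236)
    header[0] = BOOTREPLY
    header[16:20] = ipaddress.IPv4Address(yiaddr).packed
    body = b"".join(bytes([c, len(v)]) + v for c, v in options.items())
    return bytes(header) + MAGIC_COOKIE + body + bytes([OPT_END])


def _ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


# Constructed allow-list and sample replies (RFC 5737 documentation addresses).
TRUSTED = {"192.0.2.1"}
EXPECTED = build_reply("192.0.2.50", {OPT_MSG_TYPE: b"\x02", OPT_SERVER_ID: _ip("192.0.2.1"),
                                      OPT_ROUTER: _ip("192.0.2.1"), OPT_TFTP_ADDR: _ip("192.0.2.10"),
                                      OPT_BOOTFILE: b"poap_script.py"})
UNLISTED = build_reply("192.0.2.51", {OPT_MSG_TYPE: b"\x02", OPT_SERVER_ID: _ip("192.0.2.99"),
                                      OPT_ROUTER: _ip("192.0.2.99"), OPT_TFTP_NAME: b"tftp.example.invalid",
                                      OPT_BOOTFILE: b"poap_script.py"})
ORDINARY = build_reply("192.0.2.52", {OPT_MSG_TYPE: b"\x02", OPT_SERVER_ID: _ip("192.0.2.1"),
                                      OPT_ROUTER: _ip("192.0.2.1")})

if __name__ == "__main__":
    for name, pkt in (("expected", EXPECTED), ("unlisted", UNLISTED), ("ordinary", ORDINARY)):
        print(name, classify(pkt, TRUSTED), poap_fields(parse_dhcp(pkt)))
```

In practice `classify` would be fed DHCP replies captured on the management segment (for example from a SPAN port or a DHCP relay log); an "untrusted" verdict means a device booting into POAP on that segment would take its boot file and software from a server the operator did not sanction, which is exactly the exposure the advisory describes.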

Several steps in the POAP configuration process rely on a secure network segment to obtain critical startup information. While the POAP feature disables itself after a configuration is applied to a device [2], it is critical that customers properly secure the networks in which POAP may be utilized. Some customers may want to disable the POAP feature and use other methods to configure a Nexus device out of the box. To this end, Cisco has added multiple new commands to disable POAP that will persist across a reset to factory defaults and the removal of a configuration. For guidelines on securing a POAP environment, as well as information about disabling the feature, see the Details and Recommendations sections. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-info-poap

[1] On some Nexus chassis-based devices, the DHCP solicitation may also be sent using all front-panel Ethernet interfaces of the installed router processor.

[2] The POAP feature will not be disabled if Perpetual POAP has been configured using the boot poap enable command and will run on each reload of the device.