Did you scan (Nessus) from the management VLAN? Then it's normal that it reports routing is activated on the switch.
Are there other VLANs? Did Nessus see routing by the switch in them? If not, then it's OK. If yes, then you have an issue...
Original Message:
Sent: Feb 27, 2025 06:59 AM
From: T_Harri
Subject: Disable IP forwarding in Comware
Hi,
Yes, the switch has only one IP address and it's in the management VLAN (network). Thanks for the tips, I'll try to disable those services. I think some of those are disabled by default if not enabled?
I found one discussion on StackExchange which recommended creating an access list to deny any IP and applying it to the VLAN interface:
acl number 3006 name "traffic rules VLAN 6" match-order config
 rule deny ip
int vlan 6
 ip address 10.6.1.100 16
 packet-filter 3006 outbound
This works somehow, at least from the vulnerability scanner's perspective, but I'm not sure if that's the correct way.
Original Message:
Sent: Feb 27, 2025 06:29 AM
From: frmeunier
Subject: Disable IP forwarding in Comware
Hello,
If the switch has an "interface vlan" with an IP address, the routing process is activated.
I guess you won't suppress the IP address (which would mean you can't manage it).
Did you set the IP management address in a dedicated VLAN (to create a "management VLAN")? If not, you should; it's good practice.
You can disable common services to lower exposure to threats:
undo ftp server enable
undo ip http enable
undo ip https enable
undo telnet server enable
and even set an ACL to restrict access to SSH only (if you need help with this, just ask on the forum).
Do you confirm this switch only has one IP address (on one VLAN interface)?
------------------------------
Frederic
(kudos welcome)
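To make the checks in this thread repeatable (one VLAN interface with an IP, the FTP/HTTP/HTTPS/Telnet services explicitly disabled, a packet-filter applied to the management VLAN interface as in the ACL posted above), here is a small audit script over a Comware running-config dump. This is an added example and not code from any of the posters or from HPE; the running-config text inside it is constructed for the example, and the service list is exactly the four commands frmeunier listed. A service that appears neither as `xxx enable` nor as `undo xxx enable` is reported as "default", because the script cannot know the platform default; check that against the Comware release notes for your model.

```python
"""Audit a Comware running-config dump for management-plane exposure.

Added example, not from the thread or from HPE. It parses the textual
output of `display current-configuration` (constructed below) and reports:
  * which of the four services from the thread are enabled / disabled / default
  * how many Vlan-interfaces carry an IP address (more than one = routable)
  * Vlan-interfaces with an IP but no packet-filter applied
"""
import re

# Constructed sample config for this example; not captured from a real switch.
SAMPLE_CONFIG = """\
#
 sysname HPE-5140-EI
#
 undo telnet server enable
 ip https enable
#
acl number 3006 name "traffic rules VLAN 6" match-order config
 rule 0 deny ip
#
vlan 6
 name MGMT
#
interface Vlan-interface6
 ip address 10.6.1.100 255.255.0.0
 packet-filter 3006 outbound
#
interface Vlan-interface20
 ip address 10.20.0.1 255.255.255.0
#
 ssh server enable
#
"""

# Comware commands from the thread -> short service name used in findings.
SERVICES = {
    "ftp server enable": "FTP",
    "ip http enable": "HTTP",
    "ip https enable": "HTTPS",
    "telnet server enable": "Telnet",
}


def service_states(config: str) -> dict:
    """Return {service: 'enabled' | 'disabled' | 'default'}.

    'default' means the command was absent, so the switch is running the
    platform default for that service; this script does not assume what it is.
    """
    states = {name: "default" for name in SERVICES.values()}
    for raw in config.splitlines():
        line = raw.strip()
        for cmd, name in SERVICES.items():
            if line == cmd:
                states[name] = "enabled"
            elif line == "undo " + cmd:
                states[name] = "disabled"
    return states


def vlan_interfaces(config: str) -> list:
    """Return Vlan-interfaces that have an IP address, with their packet-filters.

    Comware config blocks are separated by '#' lines; top-level commands start
    in column 0 and their sub-commands are indented by one space.
    """
    ifaces, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line == "#":            # block separator: leave the current interface
            current = None
            continue
        if not line.startswith(" "):  # new top-level command
            m = re.match(r"interface (Vlan-interface\d+)$", line)
            current = {"name": m.group(1), "ip": None, "filters": []} if m else None
            if current:
                ifaces.append(current)
            continue
        if current is None:
            continue
        sub = line.strip()
        m = re.match(r"ip address (\S+) (\S+)$", sub)   # mask as dotted or prefix length
        if m:
            current["ip"] = m.group(1)
        m = re.match(r"packet-filter (\S+) (inbound|outbound)$", sub)
        if m:
            current["filters"].append((m.group(1), m.group(2)))
    return [i for i in ifaces if i["ip"]]


def audit(config: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for name, state in service_states(config).items():
        if state != "disabled":
            findings.append(f"{name}: {state} (explicitly disable it)")
    ifaces = vlan_interfaces(config)
    if len(ifaces) > 1:
        findings.append(f"{len(ifaces)} Vlan-interfaces carry an IP address; "
                        "the switch can route between them")
    for i in ifaces:
        if not i["filters"]:
            findings.append(f"{i['name']} ({i['ip']}) has no packet-filter applied")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(" -", finding)
```

Paste the real `display current-configuration` output in place of SAMPLE_CONFIG (or read it from a file). On the constructed sample the script flags HTTPS as enabled, FTP and HTTP as left at default, a second Vlan-interface with an IP, and the missing packet-filter on it; Telnet is correctly reported as disabled. Note that it only checks for the presence of a packet-filter, not its direction or contents: the thread's `rule deny ip` applied outbound stops the switch from sending routed traffic out of that interface, which is why the scanner goes quiet, but an inbound filter permitting only SSH from the management subnet is what actually shrinks the attack surface.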
Original Message:
Sent: Feb 25, 2025 09:31 AM
From: T_Harri
Subject: Disable IP forwarding in Comware
I ran a Nessus scan against an HPE 5140 EI switch and got a vulnerability listed as "IP forwarding enabled" (https://www.tenable.com/plugins/nessus/50686). I don't need routing in my switches. I have one IP (VLAN interface) for SSH connection to this switch. I can't find the way to disable IP forwarding/routing. There is no command like "no ip routing" as in ArubaOS etc. I was able to tackle all these vulnerabilities except this one. I would appreciate help with this.