Restrict incoming traffic to Nexus 9k switch with public IP addresses

manoman
Level 1

The switch model: Cisco Nexus 90108TC-EX ver 9.3(13)

We are trying to restrict incoming traffic locally to the above switch.
The switch acts as a router for a number of interfaces, so there are public IP addresses defined, both IPv4 and IPv6, including on the loopback interface.
We want the following to work and block everything else (fake IP addresses):

192.0.2.0/24 to ports like SSH, SNMP (management interface)
198.51.100.0/24 and 2001:db8:2::/48 for protocol OSPF
203.0.113.0/24 and 2001:db8:3::/48 for port BGP

We have been looking at CoPP but don't understand how to only allow traffic to/from the prefixes above.

How can we achieve this? Are there maybe some better ways to do this?

Thanks!

3 Replies

manoman
Level 1

I think I posted this in the wrong area... How can I move it or delete my post?

I don't think CoPP will prevent traffic to the box.

Try using a VLAN access-map.

Prevent any traffic to a specific SVI.

MHM