Restrict incoming traffic to Nexus 9k switch with public IP addresses

manoman
Level 1

The switch model: Cisco Nexus 90108TC-EX ver 9.3(13)

We are trying to restrict incoming traffic locally to the above switch.
The switch acts as a router for a number of interfaces, so there are public IP addresses defined, both IPv4 and IPv6, including on the loopback interface.
We want the following to work and block everything else (fake IP addresses):

192.0.2.0/24 to ports like ssh, snmp (management interface)
198.51.100.0/24 and 2001:db8:2::/48 for protocol ospf
203.0.113.0/24 and 2001:db8:3::/48 for port bgp

We have been looking at COPP but don’t understand how to only allow traffic to/from the prefixes above.

How can we achieve this? Are there maybe some better ways to do this?

Thanks!

3 Replies

marce1000
Hall of Fame

- FYI: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_01010.html

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

I think you need to use a VLAN access-map to restrict some IPs.

MHM

Thanks. Will try more when my colleague is back from vacation.
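The policy from the original question, written out as NX-OS interface ACLs (one on mgmt0, one set on each routed interface) rather than as CoPP classes. This is an added example, not the poster's configuration or a reply from the thread; the interface names (mgmt0, Ethernet1/1) and the switch's own addresses in the SELF groups are assumptions to be replaced with real values.

```text
! Added example, not the poster's or Cisco's configuration. Assumed: management on
! mgmt0, peers behind Ethernet1/1, switch-owned addresses as listed (placeholders).

! --- Management plane: only 192.0.2.0/24 may reach SSH and SNMP on mgmt0 ---
ip access-list MGMT-IN
  10 permit tcp 192.0.2.0/24 any eq 22
  20 permit udp 192.0.2.0/24 any eq snmp
  30 deny ip any any log
interface mgmt0
  ip access-group MGMT-IN in

! --- Routed interfaces: protect the switch's own addresses, leave transit alone ---
! Every IPv4 address the switch answers on, loopback included (placeholders)
object-group ip address SELF-V4
  10 host 198.51.100.1
  20 host 203.0.113.1
  30 host 192.0.2.254
ip access-list PROTECT-SELF-V4
  10 permit ospf 198.51.100.0/24 any
  20 permit tcp 203.0.113.0/24 addrgroup SELF-V4 eq bgp
  30 permit tcp 203.0.113.0/24 eq bgp addrgroup SELF-V4
  40 deny ip any addrgroup SELF-V4 log
  50 permit ip any any

object-group ipv6 address SELF-V6
  10 host 2001:db8:2::1
  20 host 2001:db8:3::1
  30 host 2001:db8:ffff::1
ipv6 access-list PROTECT-SELF-V6
  ! OSPFv3 hellos are sourced from link-local addresses, so fe80::/10 is needed too
  10 permit 89 2001:db8:2::/48 any
  20 permit 89 fe80::/10 any
  30 permit tcp 2001:db8:3::/48 addrgroup SELF-V6 eq bgp
  40 permit tcp 2001:db8:3::/48 eq bgp addrgroup SELF-V6
  ! neighbour discovery must be allowed before the explicit deny below
  50 permit icmp any any nd-ns
  60 permit icmp any any nd-na
  70 deny ipv6 any addrgroup SELF-V6 log
  80 permit ipv6 any any

! Apply on every routed interface, since traffic for the loopback can enter anywhere
interface Ethernet1/1
  ip access-group PROTECT-SELF-V4 in
  ipv6 traffic-filter PROTECT-SELF-V6 in
```

The explicit deny lines also drop ICMP and ICMPv6 addressed to the switch (ping, packet-too-big), which matches "block everything else" but can affect path MTU discovery for the BGP sessions; if mgmt0 also carries an IPv6 address, a matching ipv6 traffic-filter is needed there as well.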
