Nexus 9300 CoPP, I can't put "conform drop", only permit "transmit"

bicacisco3
Level 1

Hi everyone,
I want to block port 9075 with CoPP policies, and it does not allow me to put DROP in the "conform" action; it only allows me "transmit".
I saw other examples where it is allowed.... What could be missing?


N9300-BUE(config)# policy-map type control-plane NUEVA-copp-policy-strict
N9300-BUE(config-pmap)# class CM-BLOQUEO-PUERTO-9075
N9300-BUE(config-pmap-c)#
N9300-BUE(config-pmap-c)# police 1 conform ?
transmit Transmit the packet

Thanks

4 Replies

pman
Spotlight

Hi,

You did not specify why you decided to deny traffic specifically on this port 9075, but I guess it's related to CVE-2021-1361.

The case is described in the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-3000-9000-fileaction-QtLzDRy2

Workarounds

Using infrastructure access control lists (iACLs) to allow only strictly required management and control plane traffic that is destined to the affected device, as recommended in the Cisco Guide to Securing NX-OS Software Devices, would prevent remote exploitation of this vulnerability. Customers are advised to explicitly deny all TCP packets that are destined to a locally configured IP address with a destination port of 9075 as part of their iACLs. A customized control plane policing (CoPP) policy may also be used to drop all TCP port 9075 traffic that is destined to an affected device.

Customers are advised to first evaluate the impact of configuration changes to the device and their security policy. Customers who are concerned about undesired or unexpected side effects are advised to contact their support organization before implementing configuration changes.

In addition, local exploitation of this vulnerability is possible if the NX-OS features bash or guestshell are enabled. There is no workaround or mitigation for a local attacker with valid device credentials; however, customers are advised to follow best practices for account management as outlined in the Cisco Guide to Securing NX-OS Software Devices - Use Authentication, Authorization, and Accounting.

bicacisco3
Level 1

Hi,

Yes, it is to filter port 9075 because of CVE-2021-1361.

The issue is that I want to filter it through CoPP, but it is not letting me block the traffic with the "conform drop" command.

I have the COPP policy applied:
policy-map type control-plane NEW-copp-policy-strict

I have defined the access-list for the class:
ip access-list extended AL-COPP-FILTER-ACCESS
permit tcp any any eq 9075

I have defined the class:
class-map type control-plane match-all CM-BLOCK-PORT-9075
match access-group name AL-COPP-FILTER-ACCESS

And when I want to apply, in the configuration, the action that blocks the traffic defined in the class (conform drop), it is not allowed; it only allows conform transmit.
My intention is to put "conform drop violate drop".

This is what I get when configuring:
N9300-BUE(config)# policy-map type control-plane NEW-copp-policy-strict
N9300-BUE(config-pmap)# class CM-BLOCK-PORT-9075
N9300-BUE(config-pmap-c)#
N9300-BUE(config-pmap-c)# police 1 conform ?
transmit Transmit the packet

I tried with cir in the definition, and that did not work either, and in the examples it shows that you can put drop...
Thanks.

Hello,

I think you can police a cir of 0 bc 0. Can you check if the 9300 accepts the below, which effectively achieves the same thing, which is dropping all traffic in the class?

police cir 0 bc 0 conform transmit violate drop