08-25-2021 08:41 AM
Hi everyone,
I want to block port 9075 with CoPP policies, but it does not let me put DROP in the "conform" action; it only allows me to "transmit".
I saw other examples and there it is allowed.... What could be missing?
N9300-BUE(config)# policy-map type control-plane NUEVA-copp-policy-strict
N9300-BUE(config-pmap)# class CM-BLOQUEO-PUERTO-9075
N9300-BUE(config-pmap-c)#
N9300-BUE(config-pmap-c)# police 1 conform ?
transmit Transmit the packet
Thanks
08-26-2021 11:13 AM - edited 08-26-2021 12:29 PM
Hi,
You did not specify why you decided to deny traffic specifically on this port 9075, but I guess it's related to CVE-2021-1361.
The case is described in the following link:
Customers are advised to first evaluate the impact of configuration changes to the device and their security policy. Customers who are concerned about undesired or unexpected side effects are advised to contact their support organization before implementing configuration changes.
In addition, local exploitation of this vulnerability is possible if the NX-OS features bash or guestshell are enabled. There is no workaround or mitigation for a local attacker with valid device credentials; however, customers are advised to follow best practices for account management as outlined in the Cisco Guide to Securing NX-OS Software Devices - Use Authentication, Authorization, and Accounting.
https://tools.cisco.com/security/center/resources/securing_nx_os.html#_Toc303633228
https://tools.cisco.com/security/center/resources/securing_nx_os.html#_Toc303633192
08-26-2021 12:18 PM
Hi,
Yes, it is to filter port 9075 because of CVE-2021-1361.
The issue is that I want to filter it through CoPP, but it does not let me block the traffic with the "conform drop" command.
I have the COPP policy applied:
policy-map type control-plane NUEVA-copp-policy-strict
I have defined the access-list for the class:
ip access-list extended AL-COPP-FILTER-ACCESS
permit tcp any any eq 9075
I have defined the class:
class-map type control-plane match-all CM-BLOQUEO-PUERTO-9075
match access-group name AL-COPP-FILTER-ACCESS
And when I try to apply in the configuration the action that blocks the traffic defined in the class (conform drop), it does not allow it; it only allows conform transmit.
My intention is to put "conform drop violate drop".
This is what I get when configuring:
N9300-BUE(config)# policy-map type control-plane NUEVA-copp-policy-strict
N9300-BUE(config-pmap)# class CM-BLOQUEO-PUERTO-9075
N9300-BUE(config-pmap-c)#
N9300-BUE(config-pmap-c)# police 1 conform ?
transmit Transmit the packet
I tried with cir in the definition and that did not work either, and in the examples it shows that you can put drop...
Thanks.
08-26-2021 12:43 PM
Hello,
I think you can police a cir of 0 bc 0. Can you check if the 9300 accepts the below, which effectively achieves the same thing, which is dropping all traffic in the class?
police cir 0 bc 0 conform transmit violate drop
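The complete CoPP configuration this thread works towards, assembled as an added example (not posted by either participant): the ACL and class from the question, the zero-rate policer proposed above in place of the unavailable "conform drop", plus the apply and verify steps. It assumes NX-OS ACL syntax without the "extended" keyword, and that NUEVA-copp-policy-strict was produced by "copp copy profile strict prefix NUEVA" (the name pattern NX-OS generates); whether the platform accepts cir 0 is still the open question of the thread.

```cisco
! 1. ACL matching the port whose control-plane traffic should be discarded
ip access-list AL-COPP-FILTER-ACCESS
  permit tcp any any eq 9075

! 2. CoPP class that references the ACL
class-map type control-plane match-all CM-BLOQUEO-PUERTO-9075
  match access-group name AL-COPP-FILTER-ACCESS

! 3. Policer inside the copied strict profile. The CLI only offers
!    "transmit" for conform, so a zero-rate policer whose violate action
!    is drop is used to discard every packet in the class.
!    Caveat (assumption): CoPP classes are evaluated top-down, so this
!    class should sit above any existing class whose ACL would also
!    match TCP/9075, otherwise that earlier class wins.
policy-map type control-plane NUEVA-copp-policy-strict
  class CM-BLOQUEO-PUERTO-9075
    police cir 0 bc 0 conform transmit violate drop

! 4. Apply the modified copy to the control plane
control-plane
  service-policy input NUEVA-copp-policy-strict

! 5. Verify: the violate counter for the class should increase while
!    conform stays at zero if the policer behaves as intended
!    show policy-map interface control-plane
```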
08-26-2021 12:53 PM