
Cat9500 - How filter traffic to SVI IP address ?

s.fasel
Level 1

Hi,

I would like to deny SSH and SNMP traffic to an ip address of a SVI. Before with the cat4500x, it was possible to drop this traffic with QoS and an ACL on Control Plane like this:

    class-map match-all NON_OOB_INTERFACE
     match access-group name SNMP_AND_SSH_TO_NON_OOB_INTERFACE

    policy-map CONTROL_PLANE_POLICING
     class NON_OOB_INTERFACE
      police 32000 conform-action drop exceed-action drop

    ip access-list extended SNMP_AND_SSH_TO_NON_OOB_INTERFACE
     permit tcp any any eq 22
     permit udp any any eq snmp

With the "conform-action drop" in the police, it was possible to deny all SSH and SNMP traffic to the SVI interface. But now, with the Cat9500, it's not possible to do a "conform-action drop" in a police on the control plane.

If I apply directly an ACL on the SVI, this ACL drops traffic that crosses through the SVI, but not the traffic to the ip address of the SVI.

Does somebody know a solution to drop traffic to the IP address of an SVI?

thanks for your help

best regards

Sam

2 Replies

M02@rt37
VIP

Hello @s.fasel,

What about an ACL on the vty to deny SSH towards the targeted IP, and another ACL on the snmp-server command for the same purpose?

You could consider VLAN ACL also.

 

Best regards
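As an added illustration of the two ACLs suggested in the reply above (example configuration, not from the original thread), assuming a management subnet of 192.0.2.0/24 and a placeholder community string; the deny entry is logged so that rejected SSH and SNMP attempts from other sources show up in syslog:

```cisco
! Added example, not from the thread. Assumptions: management hosts are in
! 192.0.2.0/24 (constructed) and COMMUNITY_PLACEHOLDER stands in for the real string.
ip access-list standard MGMT_HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! SSH: access-class on the vty lines rejects sessions from any other source
line vty 0 15
 access-class MGMT_HOSTS in
 transport input ssh
!
! SNMP: the same ACL bound to the community; polls from other sources are refused
snmp-server community COMMUNITY_PLACEHOLDER RO MGMT_HOSTS
```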

Hi M02@rt37,

thanks for your response. I have already applied an ACL on the vty and an ACL on the snmp-server command, but for me it's not enough. I'll take the example of SNMP...

With an ACL on the snmp-server command, I can filter, for example, the IP address or subnet that has access to my SVI via SNMP, but this does not drop traffic from unauthorized IP addresses, because the SNMP port is always open on my SVI, and the IP address of the SVI responds to an SNMP request from unauthorized IP addresses. My goal is to drop all SNMP traffic to my SVI address (so that my SVI doesn't send a response to unauthorized IP addresses), and that's not possible with an ACL on the snmp-server command or with an ACL directly on the SVI.

I have tried a VACL (VLAN ACL), but apparently the VACL drops SNMP traffic in the VLAN but not to the SVI address.

Another solution would be to drop this SNMP traffic to the SVI address on the neighboring router, but I don't have access to the configuration of that other router.

Any other ideas to drop all SNMP traffic to the SVI address (with a configuration on the same router)?

Thanks