11-25-2018 06:43 PM - edited 03-08-2019 04:40 PM
I have several Nexus 3000-series switches acting as TOR switches, each having multiple SVIs that act as default gateways for clients. The VLANs reside purely on the switch and do not trunk anywhere else -- the switch routes the packets to an aggregation router from the SVIs.
My issue is that each SVI IP address is now a method of accessing the switch. For example, I could SSH into any L3 IP address on the switch (and I couldn't find a way to restrict this). Additionally, services such as NXApi, SNMP, HTTP, and BGP are all open on all of these IP addresses.
I've created an access-list with several network object-groups in an attempt to restrict access to these services, but it seems like traffic destined towards the management plane does not honor these ACLs.
    object-group ip address ipv4-system
      10 host 1.1.1.1
      20 host 2.2.2.2
    object-group ip address ipv4-nxapi
      10 host 1.1.1.5
      20 host 3.3.3.3
    ip access-list ipv4-system-ingress
      10 remark NXApi
      20 permit tcp addrgroup ipv4-nxapi 1.1.1.1/32 eq 8083
      30 deny tcp any addrgroup ipv4-system eq 8083
      50 remark HTTP
      60 deny tcp any addrgroup ipv4-system eq www
    interface Vlan10
      no shutdown
      ip address 1.1.1.1/24
      ip access-group ipv4-system-ingress in
    interface Vlan20
      no shutdown
      ip address 2.2.2.2/24
      ip access-group ipv4-system-ingress in
For example, if I'm a host on VLAN 10 with IP address 1.1.1.2, I'm able to access the switch's NXApi server despite sequence 30 in the ACL.
However, if I put some external IP (not on the switch's management plane) in the ipv4-system object-group, the ACL works as expected and access is restricted from non-authorized hosts.
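To separate the ACL's own logic from where the switch enforces it, here is an added Python evaluator (not from this thread or from Cisco) that parses the posted object-groups and RACL and applies first-match semantics with the implicit deny. By ACL logic alone, the VLAN 10 host 1.1.1.2 reaching 1.1.1.1:8083 hits sequence 30 and is denied, and SSH from that host to the SVI falls to the implicit deny; the mapping of the `www` keyword to port 80 is the only value not taken from the post.

```python
import ipaddress
# Constructed input: the object-groups and RACL exactly as posted, in NX-OS syntax.
CONFIG = """
object-group ip address ipv4-system
  10 host 1.1.1.1
  20 host 2.2.2.2
object-group ip address ipv4-nxapi
  10 host 1.1.1.5
  20 host 3.3.3.3
ip access-list ipv4-system-ingress
  10 remark NXApi
  20 permit tcp addrgroup ipv4-nxapi 1.1.1.1/32 eq 8083
  30 deny tcp any addrgroup ipv4-system eq 8083
  50 remark HTTP
  60 deny tcp any addrgroup ipv4-system eq www
"""

def take_addr(tok, groups):
    """Consume one address spec (any | addrgroup NAME | A.B.C.D/len); return (nets, rest)."""
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if tok[0] == "addrgroup":
        return groups[tok[1]], tok[2:]
    return [ipaddress.ip_network(tok[0])], tok[1:]

def parse(config):
    """Return ({group: [networks]}, {acl: [(seq, action, proto, srcs, dsts, port)]})."""
    groups, acls, cur, kind = {}, {}, None, None
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[0] == "object-group":                     # object-group ip address NAME
            kind, cur = "og", groups.setdefault(tok[3], [])
        elif tok[:2] == ["ip", "access-list"]:           # ip access-list NAME
            kind, cur = "acl", acls.setdefault(tok[2], [])
        elif kind == "og" and tok[1] == "host":
            cur.append(ipaddress.ip_network(tok[2]))
        elif kind == "acl" and tok[1] in ("permit", "deny"):   # remark lines are skipped
            srcs, rest = take_addr(tok[3:], groups)
            dsts, rest = take_addr(rest, groups)
            # "www" is the NX-OS keyword for TCP port 80; numeric ports are taken as-is.
            port = ({"www": 80}.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            cur.append((int(tok[0]), tok[1], tok[2], srcs, dsts, port))
    return groups, acls

def evaluate(acl, src_ip, dst_ip, dst_port, proto="tcp"):
    """First matching ACE wins; no match falls to the implicit deny, reported as seq None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, p, srcs, dsts, port in sorted(acl, key=lambda e: e[0]):
        if p in (proto, "ip") and any(s in n for n in srcs) and any(d in n for n in dsts) and port in (None, dst_port):
            return seq, action
    return None, "deny"
```

Running `evaluate(parse(CONFIG)[1]["ipv4-system-ingress"], "1.1.1.2", "1.1.1.1", 8083)` returns `(30, 'deny')`, which is the result the post expects and the switch does not produce for traffic addressed to its own SVI.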
11-25-2018 07:36 PM
you will need to apply the ACL to the "line vty" and refer to the ACL using "access-class <name> in"
11-25-2018 08:03 PM
11-25-2018 08:37 PM
I am not sure if Nexus ACLs have an implicit deny any any at the end, so can you put a deny any any at the end of an ACL that you can use for testing?
11-25-2018 08:52 PM
They do have an implicit deny at the end of them, although I'm not sure how that would apply to my specific situation?
The only thing I can seem to come up with at this point is using a modified CoPP service policy with police pps set to zero, although that comes with its own issues and limitations.