07-28-2009 01:34 PM - edited 03-06-2019 06:59 AM
How can you restrict SSH access to a Nexus except from a specific subnet? I know how to do this on an IOS device but don't see the access-class statement on the Nexus.
TIA
07-28-2009 02:00 PM
Hi Bruce,
You have to apply the ACL in interface mgmt 0
N7010(config)# interface mgmt 0
N7010-1-Pod2(config-if)# ip ?
access-group Specify access control for packets
address Configure IP address on interface
HTH,
jerry
07-28-2009 02:03 PM
Will this control SSH to any interface on the box? Do I need to configure this in every VDC or just default?
07-28-2009 02:39 PM
Hi Bruce,
Just verified it: you can only control the outbound traffic with the ip access-group command on interface mgmt 0.
In order to control SSH to the vty like IOS, you have to configure CoPP in the default VDC. There is an enhancement bug filed to correct this problem in a later release - CSCsq20638.
Sorry for the confusion.
Regards,
jerry
08-03-2009 08:16 AM
I tried messing around with CoPP with no luck. Any other thoughts?
Also, are there ways to similarly restrict SNMP and HTTPS access to a selected group of hosts/networks?
Thanks
08-03-2009 01:03 PM
Hi Bruce,
You can allow SNMP and HTTPS via CoPP. You can check out the following example:
ip access-list copp-system-acl-allow
  10 remark ### ALLOW SSH
  20 permit tcp 10.10.10.0/24 any eq 22
  30 remark ### ALLOW SNMP
  40 permit udp 10.10.20.0/24 any eq snmp
  ... (to include snmp, NTP, TACACS+, etc)
ip access-list copp-system-acl-deny
  10 remark ### this is a catch-all to match any other traffic
  20 permit ip any any
class-map type control-plane match-any copp-system-class-management-allow
  match access-group name copp-system-acl-allow
class-map type control-plane match-any copp-system-class-management-deny
  match access-group name copp-system-acl-deny
policy-map type control-plane copp-system-policy
  class copp-system-class-management-allow
    police cir 60000 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-management-deny
    police cir 60000 kbps bc 250 ms conform drop violate drop
control-plane
  service-policy input copp-system-policy
HTH,
jerry
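As an added example (not from the thread and not Cisco tooling): a small Python audit that parses a running-config snippet like the CoPP policy above and flags it when SSH is permitted from outside the approved subnets, when the catch-all class does not drop, or when the policy is not applied to the control plane. The config text is constructed for the example; the function and ACL/class names follow the post.

```python
import ipaddress
import re

# Constructed sample (this example's own, not captured from a device).
SAMPLE_CONFIG = """\
ip access-list copp-system-acl-allow
  10 remark ### ALLOW SSH
  20 permit tcp 10.10.10.0/24 any eq 22
  40 permit udp 10.10.20.0/24 any eq snmp
ip access-list copp-system-acl-deny
  20 permit ip any any
class-map type control-plane match-any copp-system-class-management-allow
  match access-group name copp-system-acl-allow
class-map type control-plane match-any copp-system-class-management-deny
  match access-group name copp-system-acl-deny
policy-map type control-plane copp-system-policy
  class copp-system-class-management-allow
    police cir 60000 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-management-deny
    police cir 60000 kbps bc 250 ms conform drop violate drop
control-plane
  service-policy input copp-system-policy
"""

def acl_entries(config, name):
    """Entries of the named 'ip access-list' block as (action, proto, src, port)."""
    block = re.search(rf"^ip access-list {name}\n((?:  .*\n)*)", config, re.M)
    entries = []
    for line in (block.group(1).splitlines() if block else []):
        p = line.split()  # seq action proto src dst [eq port]; remarks are skipped
        if len(p) >= 5 and p[1] in ("permit", "deny"):
            entries.append((p[1], p[2], p[3], p[p.index("eq") + 1] if "eq" in p else None))
    return entries

def audit_ssh(config, approved=("10.10.10.0/24",)):
    """Return findings; an empty list means SSH is confined to the approved subnets."""
    findings, nets = [], [ipaddress.ip_network(n) for n in approved]
    for action, proto, src, port in acl_entries(config, "copp-system-acl-allow"):
        if action != "permit" or proto != "tcp" or port not in ("22", "ssh"):
            continue
        if src == "any":
            findings.append("SSH permitted from any source")
        elif not any(ipaddress.ip_network(src).subnet_of(n) for n in nets):
            findings.append(f"SSH permitted from unapproved {src}")
    # The catch-all class must drop conforming traffic, not forward it.
    m = re.search(r"class copp-system-class-management-deny\n\s+police .*conform (\w+)", config)
    if not m or m.group(1) != "drop":
        findings.append("catch-all class does not drop")
    if "service-policy input copp-system-policy" not in config:
        findings.append("policy not applied to control-plane")
    return findings
```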
08-05-2009 08:30 AM
Thanks, I have made this work. One caveat, it only protects regular layer 3 interfaces, not the mgmt0 interface.