10-09-2020 10:48 AM
Hello,
I have a N3k_C3064PQ-10GX and I want to secure the control plane. I want to permit only trusted IP addresses and deny all other IPs, but because I am using dynamic IPs it's hard to tune the access lists,
so is there any way that on the C3064 I can permit only trusted IP addresses and deny other IPs?
I have searched a lot, but it has only the police action and only predefined CoPP rules.
Thanks,
Solved! Go to Solution.
10-09-2020 12:29 PM - edited 10-09-2020 12:49 PM
You can do it with an access-list.
Example:
deny tcp any x.x.x.0 0.0.1.255 eq 179
or
deny tcp any x.x.x.0 0.0.1.255 eq bgp
HTH
10-09-2020 11:39 AM
Hi,
If the switch is facing the internet, you would need a couple of access lists to block unwanted traffic.
HTH
10-09-2020 11:43 AM
Yes, it's connected to the internet. I have applied some ACLs on line vty, but it still shows some ports such as tcp/179/bgp as open, so if I just drop TCP 179 on my uplink, is that enough?
How can I see the open ports on my Nexus, to see if I need to drop them?
10-09-2020 12:51 PM
It seems only TCP is open. How can I find other open ports and block them?
10-09-2020 01:02 PM
You can try:
"sh sockets connection" to see a list, but be careful about what you are blocking.
HTH
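As an added example that is not part of any post in this thread, here is how the accepted answer's ACL approach and the "sh sockets connection" check above fit together into a whitelist on the internet-facing uplink. Instead of denying one port at a time (tcp/179 in the answer), the ACL permits the trusted sources to the switch's own address and then denies everything else addressed to the switch, while still passing transit traffic. Every address, the ACL name, the interface and the host roles are assumptions chosen for illustration (documentation ranges, not real values); NX-OS feature support varies by release, so verify the syntax on the actual switch.

```text
! Added example; not from the thread. Assumed values:
!   switch's own routed address on the uplink : 203.0.113.10
!   BGP neighbor on the uplink                : 203.0.113.1
!   trusted management host (SSH)             : 198.51.100.5
!   internet-facing uplink                    : Ethernet1/1
ip access-list CONTROL-PLANE-PROTECT
  5  remark Trusted management host may open SSH to the switch
  10 permit tcp host 198.51.100.5 host 203.0.113.10 eq 22
  15 remark BGP with the known neighbor only (either side may open the session)
  20 permit tcp host 203.0.113.1 host 203.0.113.10 eq bgp
  30 permit tcp host 203.0.113.1 eq bgp host 203.0.113.10
  35 remark Keep basic reachability tests working
  40 permit icmp any host 203.0.113.10 echo
  45 remark Everything else aimed at the switch itself is dropped
  50 deny ip any host 203.0.113.10
  55 remark Transit traffic through the switch is unaffected
  60 permit ip any any

interface Ethernet1/1
  ip access-group CONTROL-PLANE-PROTECT in

! Verification after applying:
!   show ip access-lists CONTROL-PLANE-PROTECT   (rule hit counters)
!   show sockets connection                     (listeners and sessions, as in the last answer)
```

Two caveats a practitioner would want: the ACL is stateless and only covers traffic arriving on that interface, so any other routed interface facing untrusted networks, and mgmt0 if it is reachable, needs the same treatment; and the final `deny` rule must list every address the switch owns on that uplink (loopbacks or SVIs reachable from outside included), otherwise those addresses fall through to `permit ip any any`.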