
NXOS 9508 Meta ACL on devices that don't support uRPF
Hello.

I've been working with a Nexus 9508 and I noticed that it totally lacks the ability to do uRPF except for on two line cards.

I was thinking about using ACLs applied to the L3 interfaces that specify that only the IP addresses assigned to the interfaces are allowed to transmit traffic outbound to discard spoofing.

Prior to doing that I just wanted to see if there was another way to achieve the goal of only allowing traffic sourced from hosts in the same subnet as the L3 interface to pass through an interface.

If not, is there any way to create a meta ACL in NXOS that compares the IP addresses assigned to the interface automatically so that it will automatically track changes?

Instead of permit ip x.x.x.x y.y.y.y any
permit ip vlan303 any

I can just automate the creation and updating of the ACLs but that seems like a tragic use of time just to solve a problem that was already solved in the 1990s.

I may not understand everything about the underlying platform but it seems like Cisco could have just made uRPF work a different way in 9508 if the hardware doesn't support the traditional way it normally works.

If anyone has any suggestions, please let me know.
-Drew


_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
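The "automate the creation and updating of the ACLs" fallback described above, as an added example that is not part of the original post: it reads the interface addresses out of an NX-OS running-config and emits a per-interface ingress ACL that permits only sources inside the connected subnet, which is the static equivalent of strict uRPF on a stub interface. The sample config, RFC 5737 addresses and ACL names are constructed; the NX-OS prefix-style ACL syntax is real, and the DHCP permit line is an assumption that should be verified on the target release, since hosts without an address yet source DHCP DISCOVER from 0.0.0.0 and a subnet-only ACL would otherwise drop them.

```python
import re
import ipaddress

# Constructed NX-OS running-config excerpt (not from the list post).
SAMPLE_CONFIG = """\
interface Vlan303
  description tenant-a
  no shutdown
  ip address 192.0.2.1/24
  ip address 198.51.100.1/25 secondary
interface Vlan304
  ip address 203.0.113.129/26
interface Vlan305
  description l2-only, no address
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+/\d+)(?: secondary)?")

def parse_interfaces(config):
    """Map each addressed L3 interface to its connected IPv4 networks."""
    nets = {}
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            # strict=False converts the interface address into its subnet
            net = ipaddress.ip_network(m.group(1), strict=False)
            nets.setdefault(current, []).append(net)
    return nets

def build_antispoof_acl(ifname, networks, allow_dhcp=True):
    """Return NX-OS config lines: ACL permitting only on-subnet sources, bound inbound."""
    name = f"ANTISPOOF-{ifname.upper()}"
    lines = [f"ip access-list {name}", "  statistics per-entry"]
    seq = 10
    if allow_dhcp:
        # Assumption: 'host 0.0.0.0 ... eq bootps' is accepted by the target release.
        lines.append(f"  {seq} permit udp host 0.0.0.0 any eq bootps")
        seq += 10
    for net in sorted(networks):          # one permit per connected subnet (incl. secondaries)
        lines.append(f"  {seq} permit ip {net.with_prefixlen} any")
        seq += 10
    lines.append(f"  {seq} deny ip any any log")  # log spoofed sources for detection
    lines += [f"interface {ifname}", f"  ip access-group {name} in"]
    return lines

def render(config, allow_dhcp=True):
    """Generate ACL and interface binding for every addressed L3 interface."""
    return {ifn: build_antispoof_acl(ifn, nets, allow_dhcp)
            for ifn, nets in parse_interfaces(config).items()}
```

Re-running the generator after each address change and diffing against the deployed ACL gives the "automatically track changes" behaviour the post asks for; interfaces without an IP address produce no ACL.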
Re: NXOS 9508 Meta ACL on devices that don't support uRPF
Hello,

This issue was resolved by upgrading to version 9.3(6) even though the documentation indicates that it should not be supported (?).

Just updating the list for continuity.

Thanks,
-Drew
