Mailing List Archive

NXOS/NXAPI + CoPP
Hi,

Does anyone have a document that explains the differences in CoPP in different devices that run NXOS?

It recently has come to my attention that the same image running on different hardware has wildly different capabilities and it doesn't seem to be documented what the capabilities are between the different hardware platforms.

I had one more specific question:

Does traffic destined for NXAPI hit the control plane?

It seems like the answer would be "of course it does"; however, I am having a whole lot of trouble using CoPP to limit access to NXAPI based on source IP address.

If anyone has successfully limited access to NXAPI based upon source IP address, I would greatly appreciate any insights you can provide on how you did this.

Thanks,
-Drew

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: NXOS/NXAPI + CoPP
Just to make the list whole:

It appears that you have to configure iptables in Linux on NXOS in order to restrict access to NXAPI. Seems crazy to me to spread out the security of the device to several different interfaces, but I didn't design it.

Thanks,
-Drew
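
One way to build the iptables allowlist described in the reply above, as an added example that is not part of the original posts and not vendor configuration; it only prints the commands. TCP port 443, the `management` namespace name and the `ip netns exec` wrapper are assumptions to verify on the platform in question, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print an iptables source-IP allowlist for NX-API.
# Assumptions (not stated in the thread): NX-API answers on TCP 443 in the
# "management" network namespace, and the printed commands are later run
# as root from the NX-OS Bash shell. IPv4 only.
NXAPI_PORT="${NXAPI_PORT:-443}"
NXAPI_NETNS="${NXAPI_NETNS:-management}"

# Return 0 only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_source() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' ||
        return 1
    addr=${1%%/*}
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print one ACCEPT per allowed source, then a DROP for all other traffic to
# the NX-API port. Nothing is executed; review the output before applying it.
nxapi_rules() {
    if [ "$#" -eq 0 ]; then
        echo "no allowed sources given; refusing to emit a bare DROP" >&2
        return 1
    fi
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    base="ip netns exec $NXAPI_NETNS iptables -A INPUT -p tcp --dport $NXAPI_PORT"
    for src in "$@"; do
        echo "$base -s $src -j ACCEPT"
    done
    echo "$base -j DROP"
}

# Constructed sample input (documentation address ranges).
nxapi_rules 192.0.2.10 198.51.100.0/24
```

Because `-A` appends, list the existing INPUT chain in that namespace first: an earlier rule that already accepts the port makes the trailing DROP ineffective.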


-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces@puck.nether.net> On Behalf Of Drew Weaver
Sent: Friday, March 12, 2021 11:47 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] NXOS/NXAPI + CoPP
