[c-nsp] NXOS 9508 Meta ACL on devices that don't support uRPF

Drew Weaver drew.weaver at thenap.com
Tue Feb 16 09:17:19 EST 2021


I've been working with a Nexus 9508 and I noticed that it totally lacks the ability to do uRPF except on two line cards.

I was thinking about using ACLs applied to the L3 interfaces that specify that only the IP addresses assigned to the interfaces are allowed to transmit traffic outbound to discard spoofing.

Prior to doing that I just wanted to see if there was another way to achieve the goal of only allowing traffic sourced from hosts in the same subnet as the L3 interface to pass through an interface.

If not is there any way to create a meta ACL in NXOS that compares the IP addresses assigned to the interface automatically so that it will automatically track changes?

Instead of permit ip x.x.x.x y.y.y.y any
permit ip vlan303 any

I can just automate the creation and updating of the ACLs but that seems like a tragic use of time just to solve a problem that was already solved in the 1990s.

I may not understand everything about the underlying platform but it seems like Cisco could have just made uRPF work a different way on the 9508 if the hardware doesn't support the traditional way it normally works.

If anyone has any suggestions let me know please.
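The ACL-generation automation the post describes, as an added example that is not part of the original message and not Cisco's or the poster's code. It parses the interface addressing out of a running-config excerpt (a constructed sample is embedded, not a real device's config), builds one NX-OS ACL per L3 interface that permits only sources inside that interface's connected subnet(s), and emits the `ip access-group ... in` binding. Note that the filter has to be applied inbound on the interface (packets received from the attached hosts), which is where strict uRPF would otherwise act; the ACL naming convention, the optional DHCP permit line (hosts with no address yet send from 0.0.0.0, which a plain subnet permit would drop), and the exact ACE syntax are assumptions and should be checked against the NX-OS release in use.

```python
"""Generate per-interface anti-spoofing ACLs (BCP38 style) for NX-OS from
the interface addressing found in a running-config excerpt.

Added example, not code from the original post. Assumes NX-OS ACL syntax
(`ip access-list NAME`, `NN permit ip PREFIX any`, `ip access-group NAME in`).
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not from the original post).
SAMPLE_CONFIG = """\
interface Vlan303
  description customer-A
  ip address 192.0.2.1/24
  ip address 198.51.100.129/26 secondary
  no shutdown
interface Vlan304
  ip address 203.0.113.1/25
interface Vlan305
  description l2-only, no ip
"""

IFACE_RE = re.compile(r"^interface (\S+)\s*$")
ADDR_RE = re.compile(r"^\s+ip address (\S+/\d+)(\s+secondary)?\s*$")


def parse_interfaces(config: str) -> Dict[str, List[ipaddress.IPv4Interface]]:
    """Map interface name -> configured IPv4 addresses (primary first).

    Interfaces with no IPv4 address are omitted, so no ACL is generated for them.
    """
    result: Dict[str, List[ipaddress.IPv4Interface]] = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            result.setdefault(current, []).append(ipaddress.IPv4Interface(m.group(1)))
    return result


def acl_name(ifname: str) -> str:
    # Hypothetical naming convention; any unique per-interface name works.
    return "ANTISPOOF-" + ifname.upper()


def build_acl(ifname: str, addrs: List[ipaddress.IPv4Interface],
              allow_dhcp: bool = True) -> List[str]:
    """Return the ACL config lines for one interface.

    Only packets sourced from a directly connected subnet (primary or
    secondary) are permitted; everything else is dropped and logged.
    Applied inbound on the interface this is the strict-uRPF equivalent
    for a stub subnet.
    """
    lines = [f"ip access-list {acl_name(ifname)}"]
    seq = 10
    if allow_dhcp:
        # Assumption: DHCP DISCOVER/REQUEST from unconfigured hosts are sourced
        # from 0.0.0.0 and would otherwise hit the final deny (matters with
        # DHCP relay on the interface).
        lines.append(f"  {seq} permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67")
        seq += 10
    for a in addrs:
        # a.network is the connected subnet derived from the interface address.
        lines.append(f"  {seq} permit ip {a.network.with_prefixlen} any")
        seq += 10
    lines.append(f"  {seq} deny ip any any log")
    return lines


def generate_config(config: str) -> str:
    """Emit ACL definitions plus the inbound binding for every L3 interface."""
    out: List[str] = []
    for ifname, addrs in parse_interfaces(config).items():
        out.extend(build_acl(ifname, addrs))
        out.append(f"interface {ifname}")
        out.append(f"  ip access-group {acl_name(ifname)} in")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_config(SAMPLE_CONFIG), end="")
```

Because the output is derived entirely from the interface configuration, rerunning it after an address change regenerates the matching ACL, which is the "automatically track changes" behaviour asked for above; feeding the result through a config-diff step before pushing keeps it idempotent.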
