[c-nsp] NXOS 9508 Meta ACL on devices that don't support uRPF

Drew Weaver drew.weaver at thenap.com
Wed Feb 17 08:24:16 EST 2021


This issue was resolved by upgrading to version 9.3(6) even though the documentation indicates that it should not be supported (?).

Just updating the list for continuity.


-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On Behalf Of Drew Weaver
Sent: Tuesday, February 16, 2021 9:17 AM
To: 'cisco-nsp at puck.nether.net' <cisco-nsp at puck.nether.net>
Subject: [c-nsp] NXOS 9508 Meta ACL on devices that don't support uRPF


I've been working with a Nexus9508 and I noticed that it totally lacks the ability to do uRPF except for on two line cards.

I was thinking about using ACLs applied to the L3 interfaces that specify that only the IP addresses assigned to the interfaces are allowed to transmit traffic outbound to discard spoofing.

Prior to doing that I just wanted to see if there was another way to achieve the goal of only allowing traffic sourced from hosts in the same subnet as the L3 interface to pass through an interface.

If not is there any way to create a meta ACL in NXOS that compares the IP addresses assigned to the interface automatically so that it will automatically track changes?

Instead of:

    permit ip x.x.x.x y.y.y.y any

something like:

    permit ip vlan303 any

I can just automate the creation and updating of the ACLs but that seems like a tragic use of time just to solve a problem that was already solved in the 1990s.

I may not understand everything about the underlying platform but it seems like Cisco could have just made uRPF work a different way in 9508 if the hardware doesn't support the traditional way it normally works.

If anyone has any suggestions let me know please.

cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
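The per-interface ACL workaround described in the thread, as an added example that is not code from the original poster or from Cisco. It reads interface addresses out of a running-config excerpt (the sample below is constructed, not from a real device), emits one NX-OS ACL per L3 interface that permits only sources inside that interface's own subnets, and binds it with "ip access-group ... in": the hosts' outbound traffic is the switch's inbound direction, which is where the check has to sit. Secondary addresses are included (a hand-written ACL that forgets them black-holes the secondary subnet), /32 interfaces such as loopbacks are skipped, and the DHCP case (a host with no lease yet sources from 0.0.0.0, which is outside every subnet) is an opt-in permit. Re-running the generator after an address change regenerates the whole fragment, so "tracking changes" becomes a diff against the device config. Assumed names (ANTISPOOF-..., render_config, etc.) are this example's own.

```python
"""Generate per-interface anti-spoofing ACLs for NX-OS from the running
configuration, as a stand-in for uRPF on line cards that lack it.

Added example; not from the original post. Assumes NX-OS ACL syntax
('ip access-list NAME', 'NN permit ip PREFIX any', 'ip access-group NAME in')
and a running config whose L3 interfaces carry 'ip address A.B.C.D/len'
lines, with secondary addresses flagged by a trailing 'secondary'."""

import ipaddress
import re

# Constructed sample of 'show running-config interface' output; not from
# a real device.
SAMPLE_CONFIG = """\
interface Vlan303
  description customer-a
  no shutdown
  ip address 192.0.2.1/24
interface Vlan304
  ip address 198.51.100.1/25
  ip address 198.51.100.129/25 secondary
interface Ethernet1/1
  description uplink, no IP here
  switchport
interface loopback0
  ip address 203.0.113.7/32
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\d+\.\d+\.\d+\.\d+/\d+)(\s+secondary)?")


def parse_l3_interfaces(config_text):
    """Map each interface name to the IPv4 networks configured on it.
    Interfaces without an 'ip address' line (L2 ports) are omitted."""
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            # strict=False turns the interface's host address into its subnet.
            net = ipaddress.ip_network(m.group(1), strict=False)
            interfaces.setdefault(current, []).append(net)
    return interfaces


def acl_name(ifname):
    """Stable ACL name derived from the interface, e.g. Vlan303 -> ANTISPOOF-VLAN303."""
    return "ANTISPOOF-" + re.sub(r"[^A-Za-z0-9]", "_", ifname).upper()


def build_antispoof_acl(name, networks, allow_dhcp=False):
    """NX-OS lines for an ingress ACL permitting only sources inside the
    interface's own subnets (primary and secondary)."""
    lines = [f"ip access-list {name}"]
    seq = 10
    if allow_dhcp:
        # DHCP DISCOVER/REQUEST from an unconfigured host is sourced from
        # 0.0.0.0, outside every subnet; an ACL must permit it explicitly.
        lines.append(f"  {seq} permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67")
        seq += 10
    for net in sorted(networks):
        lines.append(f"  {seq} permit ip {net} any")
        seq += 10
    # NX-OS already denies implicitly; an explicit logged deny makes
    # spoofing attempts visible in the ACL logs.
    lines.append(f"  {seq} deny ip any any log")
    return lines


def render_config(config_text, allow_dhcp=False):
    """Full config fragment: one ACL per L3 interface plus the inbound binding.
    Interfaces whose only networks are /32 (loopbacks) have no attached
    hosts to police and are skipped."""
    out = []
    for ifname, nets in parse_l3_interfaces(config_text).items():
        nets = [n for n in nets if n.prefixlen < 32]
        if not nets:
            continue
        name = acl_name(ifname)
        out.extend(build_antispoof_acl(name, nets, allow_dhcp))
        out.append(f"interface {ifname}")
        out.append(f"  ip access-group {name} in")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_config(SAMPLE_CONFIG, allow_dhcp=True))
```

Feed it the output of "show running-config interface" and push the result with a diff step in front of it; because sequence numbers and names are regenerated deterministically, an unchanged interface yields an unchanged ACL. The caveat is that this only matches strict uRPF on stub interfaces: it knows nothing about the routing table, so it is not a substitute on transit interfaces where sources legitimately come from prefixes other than the connected subnet.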
