[c-nsp] NXOS/NXAPI + CoPP

Drew Weaver drew.weaver at thenap.com
Fri Mar 12 15:16:47 EST 2021

Just to make the list whole:

It appears that you have to configure iptables in Linux on NXOS in order to restrict access to NXAPI. It seems crazy to me to spread out the security of the device over several different interfaces, but I didn't design it.


-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On Behalf Of Drew Weaver
Sent: Friday, March 12, 2021 11:47 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NXOS/NXAPI + CoPP


Does anyone have a document that explains the differences in CoPP in different devices that run NXOS?

It has recently come to my attention that the same image running on different hardware has wildly different capabilities, and it doesn't seem to be documented what the capabilities are between the different hardware platforms.

I had one more specific question:

Does traffic destined for NXAPI hit the control plane?

It seems like the answer would be "of course it does"; however, I am having a whole lot of trouble using CoPP to limit access to NXAPI based on source IP address.

If anyone has successfully limited access to NXAPI based upon source IP address, I would greatly appreciate any insights you can provide on how you did this.


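An added example, not from Drew's messages and not Cisco's own code: a POSIX shell script of the kind the first message refers to, covering the Linux side of the box rather than CoPP. It assumes NX-API is listening on TCP 443 (the HTTPS default; set NXAPI_PORT if you moved it), that iptables is available in the NX-OS bash shell on your release, that it is run there as root inside the network namespace that owns the management interface, and that the chain name NXAPI-ACL and the prefix 192.0.2.0/24 are placeholders for your own management ranges. Without APPLY=1 it only prints the iptables commands, so the rule set can be reviewed before anything is applied on the switch. Rules installed this way are not part of the NX-OS running-config, so confirm on your platform whether they survive a reload and reapply them from a startup hook if they do not.

```shell
#!/bin/sh
# Added example (not from the thread). Restrict the NX-API listener to a set of
# management prefixes with iptables, logging and dropping everything else.
#
# Assumptions (hypothetical, adjust to your environment):
#   - NX-API serves HTTPS on TCP 443 ("nxapi https port" changes this)
#   - run from the NX-OS bash shell as root, in the namespace that owns mgmt0
#   - NXAPI-ACL is our own chain name; 192.0.2.0/24 is a placeholder prefix

NXAPI_PORT="${NXAPI_PORT:-443}"
CHAIN="NXAPI-ACL"

# nxapi_fw_rules PORT PREFIX [PREFIX...]
# Prints one iptables command per line; nothing is executed here.
nxapi_fw_rules() {
    port="$1"; shift
    # Create the chain on first run, flush it on later runs (idempotent).
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    # One ACCEPT per permitted management prefix.
    for src in "$@"; do
        echo "iptables -A $CHAIN -p tcp --dport $port -s $src -j ACCEPT"
    done
    # Anything else aimed at the NX-API port: log it (so denies show up in
    # syslog for detection), then drop it.
    echo "iptables -A $CHAIN -p tcp --dport $port -j LOG --log-prefix \"NXAPI-DENY \""
    echo "iptables -A $CHAIN -p tcp --dport $port -j DROP"
    # Hook the chain into INPUT only if it is not already there.
    echo "iptables -C INPUT -p tcp --dport $port -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp --dport $port -j $CHAIN"
}

# nxapi_fw_apply PORT PREFIX [PREFIX...]
# Executes the generated commands; needs root on the switch.
nxapi_fw_apply() {
    nxapi_fw_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Default to the placeholder prefix when no prefixes are given on the command line.
if [ "$#" -eq 0 ]; then
    set -- 192.0.2.0/24
fi

if [ "${APPLY:-0}" = "1" ]; then
    nxapi_fw_apply "$NXAPI_PORT" "$@"
else
    # Dry run: print the rule set for review.
    nxapi_fw_rules "$NXAPI_PORT" "$@"
fi
```

Usage on the switch would be `./nxapi-acl.sh 10.10.0.0/24 10.20.0.5/32` to review the rules and `APPLY=1 ./nxapi-acl.sh 10.10.0.0/24 10.20.0.5/32` to install them. The LOG rule is there so a denied source shows up in the Linux syslog on the box, which is the only place this filtering is visible; CoPP counters will not reflect it.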
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/