Nexus VTY Control

bs6825 (Level 1)

How can you restrict SSH access to a Nexus except from a specific subnet? i know how to do this on an IOS device but don't see the access-class statement on the Nexus.

TIA


6 Replies

Jerry Ye (Cisco Employee)

Hi Bruce,

You have to apply the ACL in interface mgmt 0

N7010(config)# interface mgmt 0
N7010-1-Pod2(config-if)# ip ?
  access-group  Specify access control for packets
  address       Configure IP address on interface

HTH,

jerry

Will this control SSH to any interface on the box? Do I need to configure this in every VDC or just default?

Hi Bruce,

Just verified it, you can only control the outbound traffic with the command ip access-group in interface mgmt 0.

In order to control SSH to the vty like IOS, you have to configure CoPP in the default VDC. There is an enhancement bug filed to correct this problem in a later release - CSCsq20638.

Sorry for the confusion.

Regards,

jerry

I tried messing around with CoPP with no luck. Any other thoughts?

Also, are there ways to similarly restrict SNMP and HTTPS access to a selected group of hosts/networks?

Thanks

Hi Bruce,

You can allow SNMP and HTTPS via CoPP. You can check out the following example:

ip access-list copp-system-acl-allow
  10 remark ### ALLOW SSH
  20 permit tcp 10.10.10.0/24 any eq 22
  30 remark ### ALLOW SNMP
  40 permit udp 10.10.20.0/24 any eq snmp
  ... (to include snmp, NTP, TACACS+, etc)

ip access-list copp-system-acl-deny
  10 remark ### this is a catch-all to match any other traffic
  20 permit ip any any

class-map type control-plane match-any copp-system-class-management-allow
  match access-group name copp-system-acl-allow

class-map type control-plane match-any copp-system-class-management-deny
  match access-group name copp-system-acl-deny

policy-map type control-plane copp-system-policy
  class copp-system-class-management-allow
    police cir 60000 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-management-deny
    police cir 60000 kbps bc 250 ms conform drop violate drop

control-plane
  service-policy input copp-system-policy

HTH,

jerry

Thanks, I have made this work. One caveat, it only protects regular layer 3 interfaces, not the mgmt0 interface.
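To sanity-check what the CoPP policy above admits before pushing it to a switch, here is an added example (not from the thread or from Cisco) that models the two ACLs and the class order of the policy-map: the allow class is evaluated first and transmits, the catch-all deny class drops everything else. It assumes "eq snmp" resolves to UDP/161, ignores the rate limiter, and, as the last reply notes, only describes traffic arriving on routed interfaces, not mgmt0.

```python
import ipaddress

# Constructed from the example config: (protocol, source network, dest port).
# None as the port means "any port", "ip" as the protocol means any protocol.
ALLOW_ACL = [
    ("tcp", "10.10.10.0/24", 22),    # 20 permit tcp 10.10.10.0/24 any eq 22
    ("udp", "10.10.20.0/24", 161),   # 40 permit udp 10.10.20.0/24 any eq snmp
]
DENY_ACL = [("ip", "0.0.0.0/0", None)]  # 20 permit ip any any (catch-all)


def acl_permits(acl, proto, src, dport):
    """True if any ACE in the list matches this packet (first match wins)."""
    src_ip = ipaddress.ip_address(src)
    for ace_proto, ace_net, ace_port in acl:
        if ace_proto not in ("ip", proto):
            continue
        if src_ip not in ipaddress.ip_network(ace_net):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return True
    return False


def copp_action(proto, src, dport):
    """Walk the policy-map classes in configured order and return the verdict."""
    if acl_permits(ALLOW_ACL, proto, src, dport):
        return "transmit"   # class copp-system-class-management-allow: conform transmit
    if acl_permits(DENY_ACL, proto, src, dport):
        return "drop"       # class copp-system-class-management-deny: conform drop
    return "class-default"  # not reachable with a permit ip any any catch-all


if __name__ == "__main__":
    # Constructed sample control-plane packets: (proto, source, dest port)
    for pkt in [("tcp", "10.10.10.5", 22), ("tcp", "192.0.2.7", 22),
                ("udp", "10.10.10.5", 161), ("tcp", "10.10.10.5", 443)]:
        print(pkt, "->", copp_action(*pkt))
```

Note that the SSH subnet is not granted SNMP and vice versa; an ACE per service and per source network is what makes the catch-all safe.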
