Hi Drew,
In answer to your question about BGP, the BGP process runs only on the
supervisor engine, it does not run on the linecards or anywhere else. It's a
single process, not a per-interface process or anything like that.
Curious how exactly you are configuring CoPP to filter this? With default CoPP,
I get an "open/tcpwrapped" (green) response on TCP 179; I was able to get a
"filtered" (red) response by adding a CoPP class that matches on BGP and
polices to a CIR of 0. I preceded that class with a class that matches on a
specific neighborship - that BGP neighborship is successfully established while
nmap still returns as filtered from my host.
ip access-list allow-bgp
10 permit tcp 10.1.1.1/32 gt 1023 10.1.1.2/32 eq bgp
20 permit tcp 10.1.1.2/32 eq bgp 10.1.1.1/32 gt 1023
ip access-list drop-bgp
10 permit tcp any any eq bgp
20 permit tcp any eq bgp any
!
class-map type control-plane match-any allow-bgp
match access-group name allow-bgp
class-map type control-plane match-any drop-bgp
match access-group name drop-bgp
!
policy-map type control-plane test-copp-policy-strict
class allow-bgp
set cos 7
police cir 36000 kbps bc 1280000 bytes conform transmit violate drop
class drop-bgp
police cir 0 bps bc 32000 bytes conform transmit violate drop
Hope that helps,
Tim
-----Original Message-----
From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Drew Weaver
Sent: Wednesday, June 2, 2021 6:41 AM
To: 'cisco-nsp@puck.nether.net' <cisco-nsp@puck.nether.net>
Subject: [c-nsp] Nexus Architecture question
Has anyone seen a document from Cisco that shows where various processes
running on various Nexus switches actually run from?
For example on a 9508 the nxapi runs in a Linux VM and in order to secure it
you have to drop into the VM and use iptables.
I am trying to figure out where the BGP process lives (for lack of a better
word). Does it run on the line cards? In the control plane? Both? Does it vary
depending on which model and which line cards?
The reason I am asking is because I've noticed that no matter what I do I
cannot seem to "close" the BGP port by using CoPP.
It always shows up as being open when doing a port scan against the system
using NMAP. I know that the switch should not establish a connection with
random hosts but I really am getting hung up on it being 'scannable'/visible at
all.
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
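The point of Tim's configuration is class order: the control-plane policy-map is walked top to bottom, so the class that permits the real neighbour has to come before the class that polices all of TCP 179 to a CIR of 0. The script below is an added example for this thread, not Cisco's implementation and not code from the list: it is a deliberately simplified model that parses the ACL / class-map / policy-map fragment posted above (embedded as a constructed copy), classifies sample control-plane packets the way a first-match evaluation would, and then shows what happens to the neighbour's session if the two classes are swapped. The 5-tuples used as input (the scanner address 192.0.2.10, the ephemeral ports) are assumptions; treating "cir 0" as an unconditional drop and ignoring the conform burst is a simplification.

```python
"""
Simplified first-match model of an NX-OS CoPP policy (example code written
for this thread, not Cisco's implementation). Classes in the policy-map are
evaluated in order; a match-any class matches if any ACE of its ACL matches;
the first matching class decides the policer. cir 0 is modelled as "drop".
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bgp": 179}

# Constructed copy of the fragment posted in the thread.
COPP_CONFIG = """
ip access-list allow-bgp
10 permit tcp 10.1.1.1/32 gt 1023 10.1.1.2/32 eq bgp
20 permit tcp 10.1.1.2/32 eq bgp 10.1.1.1/32 gt 1023
ip access-list drop-bgp
10 permit tcp any any eq bgp
20 permit tcp any eq bgp any
!
class-map type control-plane match-any allow-bgp
match access-group name allow-bgp
class-map type control-plane match-any drop-bgp
match access-group name drop-bgp
!
policy-map type control-plane test-copp-policy-strict
class allow-bgp
set cos 7
police cir 36000 kbps bc 1280000 bytes conform transmit violate drop
class drop-bgp
police cir 0 bps bc 32000 bytes conform transmit violate drop
"""


@dataclass
class Ace:
    src: ipaddress.IPv4Network
    src_port: tuple | None  # (operator, port) or None for "any port"
    dst: ipaddress.IPv4Network
    dst_port: tuple | None


def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok)


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _parse_ace(tok: list[str]) -> Ace:
    """tok is everything after 'permit tcp': src [op port] dst [op port]."""
    i = 0

    def take_endpoint():
        nonlocal i
        net = _net(tok[i])
        i += 1
        port = None
        if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
            port = (tok[i], _port(tok[i + 1]))
            i += 2
        return net, port

    src, sp = take_endpoint()
    dst, dp = take_endpoint()
    return Ace(src, sp, dst, dp)


def parse_config(text: str):
    """Return (acls, class_maps, policy): ACL name -> [Ace], class -> [ACL
    names], and the policy-map's classes in configured order with their CIR."""
    acls, classes, policy = {}, {}, []
    cur = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["ip", "access-list"]:
            cur = ("acl", t[2])
            acls[t[2]] = []
        elif cur and cur[0] == "acl" and t[0].isdigit():
            acls[cur[1]].append(_parse_ace(t[3:]))  # skip seq, permit, tcp
        elif t[0] == "class-map":
            cur = ("cmap", t[-1])
            classes[t[-1]] = []
        elif t[0] == "match" and cur and cur[0] == "cmap":
            classes[cur[1]].append(t[-1])  # match access-group name <acl>
        elif t[0] == "policy-map":
            cur = ("pmap", t[-1])
        elif t[0] == "class" and cur and cur[0] == "pmap":
            policy.append({"name": t[1], "cir": None})
        elif t[0] == "police":
            policy[-1]["cir"] = int(t[2])  # 'police cir <n> <unit> ...'
    return acls, classes, policy


def _port_ok(cond, port: int) -> bool:
    if cond is None:
        return True
    op, v = cond
    return {"eq": port == v, "gt": port > v, "lt": port < v}[op]


def ace_matches(a: Ace, src, sport, dst, dport) -> bool:
    return (ipaddress.ip_address(src) in a.src
            and ipaddress.ip_address(dst) in a.dst
            and _port_ok(a.src_port, sport) and _port_ok(a.dst_port, dport))


def classify(cfg, src, sport, dst, dport):
    """First matching class wins; cir 0 is treated as drop (simplification)."""
    acls, classes, policy = cfg
    for cls in policy:
        for acl_name in classes[cls["name"]]:
            if any(ace_matches(a, src, sport, dst, dport) for a in acls[acl_name]):
                return cls["name"], ("drop" if cls["cir"] == 0 else "police")
    return None, "unmatched"


if __name__ == "__main__":
    cfg = parse_config(COPP_CONFIG)
    print("neighbour 10.1.1.1 -> :179", classify(cfg, "10.1.1.1", 45000, "10.1.1.2", 179))
    print("scanner 192.0.2.10 -> :179", classify(cfg, "192.0.2.10", 40000, "10.1.1.2", 179))
    acls, classes, policy = cfg
    print("neighbour with classes swapped",
          classify((acls, classes, policy[::-1]), "10.1.1.1", 45000, "10.1.1.2", 179))
```

Running it shows the neighbour's SYN landing in allow-bgp and the scanner's SYN landing in drop-bgp, which is the "established neighbourship, nmap says filtered" outcome Tim describes; with the class order reversed the neighbour's packets hit drop-bgp first, so the session would never come up. The same ordering check applies to any other control-plane service you fence off this way.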