Hi,

This might be a little too platform/vendor specific for this group so I apologize in advance if that is the case.

Does anyone have a working example of CoPP on NXOS which limits things like BGP, SSH, and the NXAPI HTTPS interface to a specific remote /32 and blocks everything else that is not specifically allowed in the ACLs attached to the classes?

I've had a ticket open /w TAC for a month and I'm actually getting nowhere.

Thank you so much,
-Drew

Setting the "conform" & "violate" actions to "drop" for a class with appropriate ACL matching seems to work:

    policy-map type control-plane copp-policy-whatever
      ! other classes ...
      class copp-class-undesirable-junk
        set cos 0
        police cir 32 kbps bc 310 ms conform drop violate drop
      ! other classes ...

The rates are irrelevant in that case, but still required.

_________________________________________________
Jay Ford, Network Engineering, University of Iowa
email: jay-ford@uiowa.edu, phone: 319-335-5555

On Wed, 17 Feb 2021, Drew Weaver wrote:

> This might be a little too platform/vendor specific for this group so I apologize in advance if that is the case.
>
> Does anyone have a working example of CoPP on NXOS which limits things like BGP, SSH, and the NXAPI HTTPS interface to a specific remote /32 and blocks everything else that is not specifically allowed in the ACLs attached to the classes?
>
> I’ve had a ticket open /w TAC for a month and I’m actually getting nowhere.
>
> Thank you so much,
> -Drew
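
The drop class from the reply above, placed in a fuller policy, as an added example that is not part of either message and has not been validated on a specific NX-OS release or platform. Assumptions: the ACL and allowed-class names, the constructed address 192.0.2.10 standing in for the permitted /32, TCP 443 as the NXAPI HTTPS port, and the rate and cos on the allowed class; the police syntax follows the form used in the reply.

```cisco
! Added example. 192.0.2.10 is a constructed documentation address
! standing in for the one permitted remote host (assumption).
ip access-list copp-acl-mgmt-allowed
  10 permit tcp host 192.0.2.10 any eq bgp
  20 permit tcp host 192.0.2.10 eq bgp any
  30 permit tcp host 192.0.2.10 any eq 22
  40 permit tcp host 192.0.2.10 any eq 443

! The same services from every other source. Only permit entries are
! used; the drop comes from the policer action, not from an ACL deny.
ip access-list copp-acl-undesirable-junk
  10 permit tcp any any eq bgp
  20 permit tcp any eq bgp any
  30 permit tcp any any eq 22
  40 permit tcp any any eq 443

class-map type control-plane match-any copp-class-mgmt-allowed
  match access-group name copp-acl-mgmt-allowed

class-map type control-plane match-any copp-class-undesirable-junk
  match access-group name copp-acl-undesirable-junk

policy-map type control-plane copp-policy-whatever
  ! Allowed class first: classes are matched in order, so traffic from
  ! the permitted host never reaches the drop class below.
  class copp-class-mgmt-allowed
    set cos 7
    police cir 1000 kbps bc 310 ms conform transmit violate drop
  ! Everything else aimed at BGP, SSH or HTTPS: dropped at any rate.
  class copp-class-undesirable-junk
    set cos 0
    police cir 32 kbps bc 310 ms conform drop violate drop
  ! other classes ... (ARP, IGP, ICMP and the rest of the existing
  ! policy stay as they are; they are not shown here)

control-plane
  service-policy input copp-policy-whatever
```

After applying, `show policy-map interface control-plane` shows per-class conformed and violated counters, which confirm whether traffic is landing in the intended class.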