[c-nsp] ISIS and CoPP on 760X

Shankar Vemulapalli (svemulap) svemulap at cisco.com
Fri Sep 19 16:31:06 EDT 2008


Take a look at the release note for CSCsb96106 on CCO, which offers
good config info.
Also, you need to have the 'mls qos protocol isis pass-through' global
command.
http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m2.html#wp1014614

Hope it helps. 


/Shankar

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frederic LOUI
Sent: Friday, September 19, 2008 7:38 AM
To: Justin Shore
Cc: cisco-nsp
Subject: Re: [c-nsp] ISIS and CoPP on 760X

Hi,

> My understanding is that you have to use class-default to match IS-IS 
> and a bunch of other things.  The Press book "Router Security

In terms of security, I prefer to have a strict policy, so in the
class-default section I'd rather drop everything that "I'm not aware
of".


> Strategies" has a good amount of info on CoPP, complete with sample
> config.
I'll try to have a quick look.

The cornerstone for me is to identify if "match protocol
clns|clns_is|clns_es" is available and can be applied on 760X using
122-33SRC1 so that I can match ISIS packets in my "IGP class" and finally
drop/apply a low rate to everything in "class-default".

Thanks anyway for your pointer.
Bgrds/Frederic

> 
> Justin
> 
> Frederic LOUI wrote:
>>
>> Hi all,
>>
>> We're currently using Receive-ACL(s) in order to protect as much as
>> possible, ingress traffic coming to any router's interface. Actually,
>> this is possible on 12K IOS 12.0(32)S8.
>>
>> As far as I can see in CCO documentation, there is no equivalent to
>> receive-acl for 760X... In terms of "Control Plane Protection", it
>> seems that CoPP is the way to go ...
>>
>> In all kinds of documentation it is easy to match the ospf packet type
>> through an ACL or the "match protocol ospf" statement. However, I'm
>> wondering how to match ISIS packets. (rACLs do not filter ISIS packets)
>>
>> There are several available commands under class-map statement:
>> "match protocol clns"
>> "match protocol clns_is"
>> "match protocol clns_es"
>>
>> But because of various reasons I can't test these commands.
>> (I don't have a 760x test box yet ... ;-) )
>>
>> Anyone had any experience with CoPP and ISIS on 760x box ? (Target IOS
>> is 122-33.SRC1)
>>
>> I've seen in the forum's archive that this issue has already been
>> discussed, but the conclusion is a bit outdated. (Maybe the platform
>> has considerably evolved ?? Apology if the question is obvious...) on
>>
>> Anyway,
>> Thanks all in advance for your help,
>>
>> Bgrds/Frederic
>>
>>
>>