[c-nsp] Nexus 7k CoPP

Lincoln Dale ltd at cisco.com
Sun May 23 23:55:49 EDT 2010


On 24/05/2010, at 11:18 AM, Dobbins, Roland wrote:

> 
> On May 24, 2010, at 4:51 AM, Lincoln Dale wrote:
> 
>> the irony is that CoPP is actually a superior solution to the problem, as CoPP is enforced in the h/w forwarding path - whereas a vty access-class is applied in software once the packets have already hit the control-plane.
> 
> The best way to accomplish this is to deploy iACLs first and CoPP later, IMHO.  iACLs are much easier to craft, run in hardware - and they protect not only edge devices, but everything behind those edge devices.

actually, CoPP is not hard as such because if anything you don't have to be specific as to what the 'destination' is, since it's only ever matching against traffic already destined to control-plane.

this is kinda neat because it means for example if you wanted to block SNMP into your switch/router via inband you could construct an ACL that effectively just matches based on L4 operations without regard to IP address(es):
	permit udp any any eq snmp
since it's only matching against traffic that is by definition going to head to control-plane, not general data-plane.

note that for a 'deny snmp from everywhere', one quirk of CoPP is that it would in fact be a 'permit' operation with a police rate of 0bps or a police action of 'drop'.  a bit quirky but ok once you are used to it.


> 
> Here's a link to a presentation which discusses infrastructure self-protection, including both iACLs and CoPP:
> <http://files.me.com/roland.dobbins/prguob>

speaking specifically for the architecture of Nexus 7000 / NX-OS, the presentation doesn't actually accurately reflect the 'punt path' attack vectors, since CoPP is enforced within the ingress-forwarding path of the data-plane, i.e. on the ingress port/module itself, not on the "RP" inband port or software running on control-plane itself.

but certainly for the platforms listed in that ppt it's accurate.


cheers,

lincoln.
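The 'permit in the ACL, drop in the policer' construction described in the post, written out as an added NX-OS CoPP fragment (constructed for illustration, not configuration from the original message or from Cisco). The ACL, class-map and policy-map names are made up, and the CoPP command syntax is written from memory of Nexus 7000 NX-OS and should be checked against the platform's command reference.

```text
! Added example: drop all SNMP (UDP/161) that is headed to the control plane,
! regardless of source address, using the ACL-permit + police-drop pattern.
! Names (copp-acl-snmp-inband-block etc.) are invented for this example.

! "permit" here means "select this traffic for the class", not "allow it".
! No IP addresses are needed: CoPP only ever sees control-plane-bound packets.
ip access-list copp-acl-snmp-inband-block
  10 permit udp any any eq snmp

class-map type control-plane match-any copp-class-snmp-inband-block
  match access-group name copp-acl-snmp-inband-block

! Nexus 7000 ships with a system CoPP profile applied; the usual practice is
! to copy it ("copp copy profile ...") and edit the copy rather than build a
! policy from scratch. Classes are evaluated top down, so this class must sit
! above any broader class (e.g. general management traffic) that would also
! match UDP/161. The drop comes from the "conform drop" action, so the actual
! rate value is irrelevant.
policy-map type control-plane my-copp-policy
  class copp-class-snmp-inband-block
    police cir 32 kbps bc 32000 bytes conform drop violate drop

control-plane
  service-policy input my-copp-policy

! Verify that the class is actually seeing and dropping packets with:
!   show policy-map interface control-plane
```

Because the drop is enforced on the ingress module, an SNMP flood aimed at the switch's own addresses never reaches the supervisor's inband port; the per-class counters in `show policy-map interface control-plane` are the place to confirm this and to spot attempts.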

