[c-nsp] ISIS and CoPP on 760X
Justin Shore
justin at justinshore.com
Fri Sep 19 10:28:22 EDT 2008
My understanding is that you have to use class-default to match IS-IS
and a bunch of other things. The Press book "Router Security
Strategies" has a good amount of info on CoPP, complete with sample config.
Justin
Frederic LOUI wrote:
>
> Hi all,
>
> We're currently using Receive-ACL(s) in order to protect as much as
> possible, ingress traffic coming to any router's interface. Actually,
> this is possible on 12K IOS 12.0(32)S8.
>
> As far as I can see in CCO documentation, there is no equivalent to
> receive-acl for 760X... In terms of "Control Plane Protection", it
> seems that CoPP is the way to go ...
>
> In all kind of documentation it is easy to match ospf packet type
> through ACL or the "match protocol ospf" statement. However, I'm
> wondering how to match ISIS packet. (rACL do not filter ISIS packet)
>
> There are several available commands under class-map statement:
> "match protocol clns"
> "match protocol clns_is"
> "match protocol clns_es"
>
> But because of various reasons I can't test these commands.
> (I don't have a 760x test box yet ... ;-) )
>
> Anyone had any experience with CoPP and ISIS on 760x box ? (Target IOS
> is 122-33.SRC1)
>
> I've seen in the forum's archive that this issue has already
> discussed, but the conclusion is a bit outdated. (Maybe the platform
> has considerably evolved ?? Apology if the question is obvious...) on
>
> Anyway,
> Thanks all in advance for your help,
>
> Bgrds/Frederic
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list