[c-nsp] ISIS and CoPP on 760X

Frederic LOUI frederic.loui at renater.fr
Fri Sep 19 10:38:11 EDT 2008


Hi,

> My understanding is that you have to use class-default to match IS-IS 
> and a bunch of other things.  The Press book "Router Security 

In terms of security, I prefer to have a strict policy so that in 
class-default section, I'd rather drop everything that "I'm not aware of".


> Strategies" has a good amount of info on CoPP, complete with sample config.
I'll try to have a quick look.

The cornerstone for me is to identify if "match protocol 
clns|clns_is|clns_es" is available and can be applied on 760X using 
122-33SRC1 so that I can match ISIS packets in my "IGP class" and finally 
drop/apply a low rate to everything in "class-default".

Thanks anyway for your pointer.
Bgrds/Frederic

> 
> Justin
> 
> Frederic LOUI wrote:
>>
>> Hi all,
>>
>> We're currently using Receive-ACL(s) in order to protect as much as
>> possible, ingress traffic coming to any router's interface. Actually,
>> this is possible on 12K IOS 12.0(32)S8.
>>
>> As far as I can see in CCO documentation, there is no equivalent to
>> receive-acl for 760X... In terms of "Control Plane Protection", it
>> seems that CoPP is the way to go ...
>>
>> In all kinds of documentation it is easy to match OSPF packet types
>> through ACL or the "match protocol ospf" statement. However, I'm
>> wondering how to match ISIS packets. (rACLs do not filter ISIS packets)
>>
>> There are several available commands under class-map statement:
>> "match protocol clns"
>> "match protocol clns_is"
>> "match protocol clns_es"
>>
>> But because of various reasons I can't test these commands.
>> (I don't have a 760x test box yet ... ;-) )
>>
>> Anyone had any experience with CoPP and ISIS on 760x box ? (Target IOS
>> is 122-33.SRC1)
>>
>> I've seen in the forum's archive that this issue has already been
>> discussed, but the conclusion is a bit outdated. (Maybe the platform
>> has considerably evolved ?? Apology if the question is obvious...) on
>>
>> Anyway,
>> Thanks all in advance for your help,
>>
>> Bgrds/Frederic
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
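
An added example, not part of the original messages: a small Python check for the risk implied by the strict policy described above, namely that a dropping or rate-limited class-default will also catch IS-IS unless some policy class matches it first. The sample config, class names and rates are constructed, and whether "match protocol clns" is honoured for CoPP on the 760X is the open question of the thread; the script only inspects configuration text.

```python
import re

# Constructed sample config (not from the thread); names and rates are hypothetical.
SAMPLE = """\
class-map match-any COPP-IGP
 match protocol clns
 match protocol clns_is
class-map match-all COPP-MGMT
 match access-group 120
policy-map COPP-IN
 class COPP-IGP
  police 512000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 256000 conform-action transmit exceed-action drop
 class class-default
  drop
control-plane
 service-policy input COPP-IN
"""
ISIS_MATCH = re.compile(r"match protocol (clns|clns_is|clns_es)\b")

def audit_copp(config):
    """Return findings for a strict-default CoPP policy (empty list = OK)."""
    class_maps, policy, section, current = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"class-map (?:match-\w+ )?(\S+)", line):
            section, current = "cmap", m.group(1)
            class_maps[current] = []          # match statements of this class-map
        elif line.startswith("policy-map "):
            section, current = "pmap", None
        elif section == "pmap" and (m := re.match(r"class (\S+)", line)):
            current = m.group(1)
            policy[current] = []              # actions applied to this class
        elif raw[:1] != " ":                  # any other top-level line ends the section
            section = None
        elif section == "cmap":
            class_maps[current].append(line)
        elif section == "pmap" and current:
            policy[current].append(line)
    default = policy.get("class-default", [])
    strict = any(a == "drop" or "exceed-action drop" in a for a in default)
    isis = [n for n, ms in class_maps.items()
            if any(ISIS_MATCH.search(x) for x in ms)]
    findings = []
    if not strict:
        findings.append("class-default does not drop or rate-limit unmatched traffic")
    if strict and not any(n in policy for n in isis):
        findings.append("no policy class matches IS-IS (clns); it falls into class-default")
    return findings
```
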