[c-nsp] ISIS and CoPP on 760X

Saku Ytti saku+cisco-nsp at ytti.fi
Fri Sep 19 11:15:53 EDT 2008


On (2008-09-19 09:28 -0500), Justin Shore wrote:

> My understanding is that you have to use class-default to match IS-IS  
> and a bunch of other things.  The Press book "Router Security  
> Strategies" has a good amount of info on CoPP, complete with sample 
> config.

I would recommend against using class-default in pfc3b or pfc3c
if you are running L3 MPLS VPN's in same box, as this will
increase your internal VLAN usage and decrease pps performance
for L3 MPLS VPN's due to disabling VPN-CAM.

Just make last rule of your CoPP catch all IP, which is
deny,deny,deny policed. Non matching traffic (such as CLNS)
will jut flow through.

-- 
  ++ytti


More information about the cisco-nsp mailing list