[c-nsp] Baseline CoPP policies?
nasir.shaikh at bt.com
Sat Jul 25 08:54:43 EDT 2009
Hi,
I had a MAN running on 12 6504Es and I have had to connect one of the
boxes directly to an ISP switch to deliver Internet to a remote FW.
As the MAN was fairly protected I had not implemented CoPP but now it is
mandatory and needs to be implemented fast.
Does anyone have a template that I can build on? Preferably in
conjunction with the special-cases rate-limiters.
I am running BGP, IS-IS, EIGRP, MPLS, BFD, HSRP, EoMPLS on the box
connecting to the ISP. However, on the interface connecting to the ISP
there is nothing except HSRP and the only traffic that I expect from
that interface is transit traffic to the remote FW. So I am thinking
that an iACL on the interface should also be sufficient till I have had
the time to develop and test the CoPP config.
I am running 12.2(18)SXF16 adv ip on the 6504-E.
Any ideas?
Nasir Shaikh
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Daniel Dib
Sent: 09 July 2009 06:31
To: 'Justin Shore'; 'Siva Valliappan'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Baseline CoPP policies?
Sorry for toppost. It would be nice to be able to match IS-IS directly
but there are workarounds. Either have a class that matches all IP that
is left after all your other classes, not class-default. The only thing
that will be left after that is IS-IS. Or use mls qos protocol
passthrough if you want to police IS-IS, if there is a meaning policing
it.
/Daniel
Justin Shore wrote:
One thing that the documentation always lacks is sufficient info on
handling IS-IS with CoPP. The inability of IOS to match IS-IS traffic
without using class-default is a major problem. Of all the people that
would need CoPP (people with publicly exposed routers like SPs) one
would think that IS-IS support for CoPP would be a big deal.
Is there a specific dev group within Cisco that I can point my account
team to that would be the one to consider my feature request.
Justin
Siva Valliappan wrote:
> Hi Drew,
>
> have you looked at the following docs:
>
> http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
>
> and
>
>
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
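The first workaround in Daniel Dib's quoted reply (a catch-all IP class placed ahead of class-default), sketched as a 12.2SX-style CoPP configuration. This is an added example, not a configuration posted by anyone in the thread; every ACL, class and policy name and every police rate is a constructed placeholder, and the BGP and EIGRP classes stand in for a fuller set of per-protocol classes.

```cisco
! Added example. All names and rates are constructed placeholders.
! Hardware CoPP on the Catalyst 6500 needs QoS enabled globally.
mls qos
!
ip access-list extended COPP-ACL-BGP
 permit tcp any any eq bgp
 permit tcp any eq bgp any
ip access-list extended COPP-ACL-EIGRP
 permit eigrp any any
! Catch-all: every IP packet not matched by an earlier class.
ip access-list extended COPP-ACL-REMAINING-IP
 permit ip any any
!
class-map match-all COPP-BGP
 match access-group name COPP-ACL-BGP
class-map match-all COPP-EIGRP
 match access-group name COPP-ACL-EIGRP
class-map match-all COPP-REMAINING-IP
 match access-group name COPP-ACL-REMAINING-IP
!
policy-map COPP-IN
! Known control-plane protocols first. Exceed action is left at
! transmit here so counters can be baselined before dropping.
 class COPP-BGP
  police 1000000 31250 conform-action transmit exceed-action transmit
 class COPP-EIGRP
  police 1000000 31250 conform-action transmit exceed-action transmit
! All remaining IP is policed here, so it never reaches class-default.
 class COPP-REMAINING-IP
  police 500000 15625 conform-action transmit exceed-action drop
! Only non-IP traffic gets this far; per the reply above that is the
! IS-IS traffic. No policer is attached, so it is not rate-limited.
 class class-default
!
control-plane
 service-policy input COPP-IN
```

`show policy-map control-plane` reports per-class counters, which is how to check what is actually landing in COPP-REMAINING-IP and class-default before tightening any rate.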