[c-nsp] Nexus 7k CoPP
Ziv Leyes
zivl at gilat.net
Fri May 21 17:19:27 EDT 2010
I found in this mailing list's archives an answer I wrote to someone else:
==================================================
Here are a couple of links that helped me out when I needed it the first time.
This one contains some info about CoPP; though it's quite an old document, it's still relevant: http://aharp.ittns.northwestern.edu/papers/copp.html
You may also consider securing the device all around, not only by CoPP. Here's some useful info about Cisco security; this one is maintained and updated regularly: http://www.cymru.com/Documents/secure-ios-template.html
==================================================
Following the above recommendations, this is what I came up with and use on my border routers:
! ACLs that classify traffic destined to the route processor
ip access-list standard CP-DEFAULT
 permit any
!
ip access-list extended CP-CRITICAL-ROUTING
 permit tcp any any eq bgp
ip access-list extended CP-ICMP
 permit icmp any any echo
ip access-list extended CP-NTP
 permit udp any any eq ntp
! SNMP polling (161) and traps (162) run over UDP; a tcp entry here would not
! match SNMP traffic, which would then fall through to CP-DEFAULT
ip access-list extended CP-SNMP
 permit udp any any eq 161
 permit udp any any eq 162
ip access-list extended CP-TCP-SYN
 permit tcp any any syn
!
class-map match-any CP-TCP-SYN
 match access-group name CP-TCP-SYN
class-map match-any CP-IMPORTANT-NTP
 match access-group name CP-NTP
class-map match-any CP-ICMP
 match access-group name CP-ICMP
class-map match-any CP-CRITICAL-ROUTING
 match access-group name CP-CRITICAL-ROUTING
class-map match-any CP-IMPORTANT-SNMP
 match access-group name CP-SNMP
class-map match-any CP-DEFAULT
 match access-group name CP-DEFAULT
!
! Classes are evaluated top-down, first match wins: a TCP SYN is policed by
! CP-TCP-SYN (including BGP session setup) before CP-CRITICAL-ROUTING is consulted
policy-map CONTROL-PLANE
 class CP-TCP-SYN
  police cir 100000 bc 3125 be 3125
   conform-action transmit
   exceed-action drop
   violate-action drop
 class CP-CRITICAL-ROUTING
  police cir 1000000 bc 31250 be 31250
   conform-action transmit
   exceed-action drop
   violate-action drop
 class CP-IMPORTANT-SNMP
  police cir 100000 bc 3125 be 3125
   conform-action transmit
   exceed-action drop
   violate-action drop
 class CP-IMPORTANT-NTP
  police cir 500000 bc 15625 be 15625
   conform-action transmit
   exceed-action drop
   violate-action drop
 class CP-ICMP
  police cir 2000000 bc 15625 be 15625
   conform-action transmit
   exceed-action drop
   violate-action drop
 class CP-DEFAULT
  police cir 3000000 bc 31250 be 31250
   conform-action transmit
   exceed-action drop
   violate-action drop
!
! Apply the policy to traffic punted to the control plane
control-plane
 service-policy input CONTROL-PLANE
I don't know if all the settings will fit on your platform, and also you may want or need to change some settings to fit your environment, but I guess this can give you something to start with.
Hope it helps
Ziv
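Before pushing a CoPP policy like the one above to a fleet of routers, it is worth sanity-checking the policer numbers. The script below is an added example, not part of Ziv's post or of any Cisco tool: it parses the policy-map above, computes how many milliseconds of traffic at CIR each committed burst (bc) holds, and flags classes whose bc does not follow the bc = cir/32 (250 ms) ratio that the first four classes use (that expected ratio is an assumption taken from the posted values) or whose bc and be differ.

```python
import re

# Constructed input: the policy-map from the post above (class-maps omitted).
POLICY = """
policy-map CONTROL-PLANE
 class CP-TCP-SYN
  police cir 100000 bc 3125 be 3125
 class CP-CRITICAL-ROUTING
  police cir 1000000 bc 31250 be 31250
 class CP-IMPORTANT-SNMP
  police cir 100000 bc 3125 be 3125
 class CP-IMPORTANT-NTP
  police cir 500000 bc 15625 be 15625
 class CP-ICMP
  police cir 2000000 bc 15625 be 15625
 class CP-DEFAULT
  police cir 3000000 bc 31250 be 31250
"""
POLICE_RE = re.compile(r"police cir (\d+) bc (\d+) be (\d+)")

def parse_policers(text):
    """Return [(class, cir_bps, bc_bytes, be_bytes), ...] in policy order."""
    out, cls = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("class "):
            cls = line.split(None, 1)[1]
        m = POLICE_RE.match(line)
        if m and cls:
            out.append((cls,) + tuple(int(x) for x in m.groups()))
    return out

def burst_ms(cir_bps, bc_bytes):
    """Milliseconds of traffic at CIR that the committed burst bc holds."""
    return bc_bytes * 8 * 1000 / cir_bps

def audit(text, expected_ms=250.0):
    """Flag bc != be, and bursts that are not expected_ms worth of CIR.
    250 ms (bc = cir/32) is an assumption taken from the first four classes."""
    findings = []
    for cls, cir, bc, be in parse_policers(text):
        if bc != be:
            findings.append((cls, f"bc {bc} != be {be}"))
        ms = burst_ms(cir, bc)
        if abs(ms - expected_ms) > 1.0:
            findings.append((cls, f"burst {ms:.0f} ms, expected {expected_ms:.0f} ms"))
    return findings

if __name__ == "__main__":
    for cls, msg in audit(POLICY):
        print(f"WARN {cls}: {msg}")
```

Run against the posted policy it reports CP-ICMP (62.5 ms) and CP-DEFAULT (83.3 ms) as the two classes whose burst does not match the 250 ms window the other classes use.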
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Leblanc
Sent: Friday, May 21, 2010 10:54 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Nexus 7k CoPP
Hello,
We are deploying a ton of Nexus 7ks right now. Our traditional standard had
a named ACL for SNMP; we also use transport input ssh and have an ACL
allowing access for that. Our tools are only allowed from certain segments,
etc. On the 7ks the only option is to use CoPP. Does anyone out there
have a configuration example of how they used this? Cisco said they are
working on getting the old features added back in as a feature enhancement
later on.
Thanks,
//LeBlanc
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************