[c-nsp] Nexus 7k CoPP
Lincoln Dale
ltd at cisco.com
Fri May 21 17:21:48 EDT 2010
On 21/05/2010, at 12:53 PM, Jason Leblanc wrote:
> We are deploying a ton of Nexus 7ks right now. Our traditional standard had
> a named ACL for SNMP, we also use transport input ssh and have an ACL
> allowing access for that, Our tools are only allowed from certain segments
> etc... On the 7k's the only option is to use CoPP. Does anyone out there
> have a configuration example of how they used this? Cisco said they are
> working on getting the old features added back in as a feature enhancement
> later on.
N7K NX-OS does have ACL on out-of-band mgmt0 -- but not the 'vty access-class' that you're used to in IOS.
if you are doing mgmt using out-of-band then you can keep doing it the way you always have.
if you are doing it 'inband' then yes you need to tune the CoPP policy to achieve what you want.
here is how you can do it with CoPP:
--
In order to use CoPP to achieve the equivalent of a VTY access-class, one needs to explicitly define ACLs used in the CoPP policy to match ‘allowed’ traffic (and police that to a given rate) as well as define CoPP policies to match ‘denied’ traffic and drop that traffic.
CoPP is different from ACLs in that one cannot just use ‘deny ip any any’ as a policy; rather, one needs to use ‘permit’ to match the undesired traffic and then use the policer to ‘drop’ that traffic.
As an example, let's take the case of permitting access from the subnet 30.30.30.0/24. In order to deploy CoPP to provide the equivalent of a VTY access-class, it could be configured as follows. In this particular policy, we are explicitly allowing telnet/ssh/snmp/NTP/RADIUS/TACACS+ inbound from 30.30.30.0/24 and anything outbound from the switch to 30.30.30.0/24.
ip access-list copp-system-acl-allow
  10 remark ### ALLOW TELNET from 30.30.30.0/24
  20 permit tcp 30.30.30.0/24 any eq telnet
  30 permit tcp 30.30.30.0/24 any eq 107
  40 remark ### ALLOW SSH from 30.30.30.0/24
  50 permit tcp 30.30.30.0/24 any eq 22
  60 remark ### ALLOW SNMP from 30.30.30.0/24
  70 permit udp 30.30.30.0/24 any eq snmp
  80 remark ### ALLOW TACACS from 30.30.30.0/24
  90 permit tcp 30.30.30.0/24 any eq tacacs
  100 remark ### ALLOW RADIUS from 30.30.30.0/24
  110 permit udp 30.30.30.0/24 any eq 1812
  120 permit udp 30.30.30.0/24 any eq 1813
  130 permit udp 30.30.30.0/24 any eq 1645
  140 permit udp 30.30.30.0/24 any eq 1646
  150 permit udp 30.30.30.0/24 eq 1812 any
  160 permit udp 30.30.30.0/24 eq 1813 any
  170 permit udp 30.30.30.0/24 eq 1645 any
  180 permit udp 30.30.30.0/24 eq 1646 any
  190 remark ### ALLOW NTP from 30.30.30.0/24
  200 permit udp 30.30.30.0/24 any eq ntp
  210 remark ### ALLOW ALL OUTBOUND traffic TO 30.30.30.0/24
  220 permit ip any 30.30.30.0/24
  ! keep per-entry hit counters so 'show access-lists' shows what each line matched
  statistics per-entry
ip access-list copp-system-acl-deny
  10 remark ### this is a catch-all to match any other traffic
  20 permit ip any any
  ! keep per-entry hit counters on the catch-all as well
  statistics per-entry
class-map type control-plane match-any copp-system-class-management-allow
  match access-group name copp-system-acl-allow
class-map type control-plane match-any copp-system-class-management-deny
  match access-group name copp-system-acl-deny
policy-map type control-plane copp-system-policy
  class copp-system-class-management-allow
    police cir 60000 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-management-deny
    police cir 60000 kbps bc 250 ms conform drop violate drop
control-plane
  service-policy input copp-system-policy
The key points here are that:
• we use a class to match the traffic we want to allow (with a policer allowing transmit @ 60000 kbps)
• for all other traffic we explicitly allow it (but with a policer set to drop the traffic)
cheers,
lincoln.
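The following is an added example, not part of Lincoln's post or of any Cisco tooling: a small Python model of how the CoPP policy above classifies a packet punted to the supervisor. It parses a representative subset of the post's two ACLs (the NX-OS `seq permit proto src [eq port] dst [eq port]` form), walks the classes in the order they appear in the policy-map, and returns the action the policer applies to conforming traffic. The service-name-to-port mapping and the sample packets are constructed for the example; the policer rate itself is not modelled, so every packet is treated as within the conform rate.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names used in the post's ACL lines, mapped to port numbers (constructed mapping).
PORT_NAMES = {"telnet": 23, "ssh": 22, "snmp": 161, "tacacs": 49, "ntp": 123}

# Representative subset of the post's allow ACL, plus its catch-all deny ACL, held as text.
ACL_ALLOW = """\
20 permit tcp 30.30.30.0/24 any eq telnet
50 permit tcp 30.30.30.0/24 any eq 22
70 permit udp 30.30.30.0/24 any eq snmp
90 permit tcp 30.30.30.0/24 any eq tacacs
110 permit udp 30.30.30.0/24 any eq 1812
120 permit udp 30.30.30.0/24 any eq 1813
150 permit udp 30.30.30.0/24 eq 1812 any
160 permit udp 30.30.30.0/24 eq 1813 any
200 permit udp 30.30.30.0/24 any eq ntp
210 remark ### ALLOW ALL OUTBOUND traffic TO 30.30.30.0/24
220 permit ip any 30.30.30.0/24
"""
ACL_DENY = """\
10 remark ### this is a catch-all to match any other traffic
20 permit ip any any
"""


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok)


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acl(text: str) -> list:
    """Parse 'seq permit|deny proto src [eq p] dst [eq p]' lines; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[1] == "remark":
            continue
        seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]
        src, rest = _net(rest[0]), rest[1:]
        sport = None
        if rest[:1] == ["eq"]:
            sport, rest = _port(rest[1]), rest[2:]
        dst, rest = _net(rest[0]), rest[1:]
        dport = _port(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(Ace(seq, action, proto, src, sport, dst, dport))
    return sorted(entries, key=lambda a: a.seq)


def acl_permits(entries: list, pkt: Packet) -> bool:
    """First matching entry wins; an ACL with no matching entry denies implicitly."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in entries:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False


# The post's policy-map: classes in configured order, each with its conform action.
COPP_POLICY = [
    ("copp-system-class-management-allow", parse_acl(ACL_ALLOW), "transmit"),
    ("copp-system-class-management-deny", parse_acl(ACL_DENY), "drop"),
]


def copp_action(pkt: Packet, policy=COPP_POLICY) -> tuple:
    """Return (class name, conform action) for a punted packet; the first class
    whose ACL permits the packet wins, which is why the deny class uses 'permit'."""
    for name, entries, conform in policy:
        if acl_permits(entries, pkt):
            return name, conform
    return "class-default", "not configured in the post"


if __name__ == "__main__":
    samples = [  # constructed sample packets
        ("SSH from the allowed subnet", Packet("tcp", "30.30.30.5", "10.1.1.1", 51000, 22)),
        ("SSH from elsewhere", Packet("tcp", "192.0.2.10", "10.1.1.1", 51000, 22)),
        ("RADIUS reply from the allowed subnet", Packet("udp", "30.30.30.9", "10.1.1.1", 1812, 40000)),
        ("NTP from elsewhere", Packet("udp", "192.0.2.1", "10.1.1.1", 123, 123)),
        ("Any IP to an address inside 30.30.30.0/24 (sequence 220)", Packet("tcp", "192.0.2.10", "30.30.30.7", 51000, 23)),
    ]
    for label, pkt in samples:
        print(f"{label}: {copp_action(pkt)}")
```

The last sample is the check worth running on a policy like this: sequence 220 matches on destination only, so any punted IP packet addressed into 30.30.30.0/24 lands in the allow class regardless of source, and whether that scope is intended is a question for whoever owns the policy, not the evaluator.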