[c-nsp] CoPP for SSH on nexus 7k. Confused!

Lincoln Dale ltd at cisco.com
Wed Oct 20 04:29:41 EDT 2010


On 20/10/2010, at 4:42 PM, Shanawaz wrote:

> 1. I assume this is happening because all traffic is matching the deny
> statement in the ACL copp-system-acl-telnet. What does the deny in a CoPP
> ACL do?

in the context of a CoPP policy: nothing.  it's not valid to have a 'deny' IP ACL matching a CoPP policy.  it effectively won't match anything.

> 2. Isn't there a 'deny ip any any' by default at the end of all access-lists?
> In this case, even the ACL copp-system-acl-ssh would have a deny ip any any
> at the end.

implicit deny is not there for CoPP, because CoPP is closer to QoS in behavior in that it only 'matches' against permit statements.

also note that 'class-default' CoPP class-map may be allowing this traffic although your policy you listed below looks entirely valid.

> I have tried my best to explain, but then if you don't understand the
> scenario, I can try again ;)

your CoPP policy looks valid which makes me think of two possibilities:
 1. you are connecting to the vty via out-of-band mgmt0 which is in the management vrf.  since it's out-of-band the inband CoPP policy does not apply.
 2. your new CoPP is not actually applied.  you will need to do 'conf t; control-plane; no service-policy input copp-system-policy; service-policy input copp-system-policy' to reapply it.  take note of the timestamp on "show copp status" and output/content of "show policy-map interface control-plane".


cheers,

lincoln.
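As an added illustration of the two points above (a 'deny' entry in a CoPP-referenced ACL never matches, and there is no implicit deny), here is a small offline lint that reads an NX-OS-style config fragment and flags ACLs referenced from control-plane class-maps that contain deny entries or no permit entries at all. This is example code written for this page, not code from the original post or from Cisco; the config text is constructed, and the class-map name copp-class-mgmt-example and the ACL copp-acl-deny-only-example are invented names used only to show the checks (the two ACL names from the thread are kept).

```python
import re
from collections import OrderedDict

# Constructed NX-OS-style config fragment (not taken from any real device).
# copp-system-acl-telnet mimics the thread's situation: a deny entry placed
# ahead of the permit.  copp-acl-deny-only-example is an invented ACL with no
# permit at all, to show the "matches nothing" case.
SAMPLE_CONFIG = """\
ip access-list copp-system-acl-ssh
  10 permit tcp any any eq 22
  20 permit tcp any eq 22 any
ip access-list copp-system-acl-telnet
  10 deny tcp any any eq 23
  20 permit tcp any any eq 23
ip access-list copp-acl-deny-only-example
  10 deny ip any any
ip access-list unrelated-data-plane-acl
  10 deny ip any any
class-map type control-plane match-any copp-class-mgmt-example
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-telnet
  match access-group name copp-acl-deny-only-example
"""

ACL_RE = re.compile(r"^ip access-list (\S+)\s*$")
ACE_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\b(.*)$")
CMAP_RE = re.compile(r"^class-map type control-plane(?: match-(?:any|all))? (\S+)\s*$")
MATCH_RE = re.compile(r"^\s+match access-group name (\S+)\s*$")


def parse_copp_config(text):
    """Return (acls, cmaps): ACL name -> [(seq, action, rest)],
    control-plane class-map name -> [referenced ACL names]."""
    acls = OrderedDict()
    cmaps = OrderedDict()
    current = None  # ("acl", name) or ("cmap", name) while inside a block
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACL_RE.match(line)
        if m:
            current = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
            continue
        m = CMAP_RE.match(line)
        if m:
            current = ("cmap", m.group(1))
            cmaps.setdefault(m.group(1), [])
            continue
        if current and current[0] == "acl":
            m = ACE_RE.match(line)
            if m:
                acls[current[1]].append((int(m.group(1)), m.group(2), m.group(3).strip()))
                continue
        if current and current[0] == "cmap":
            m = MATCH_RE.match(line)
            if m:
                cmaps[current[1]].append(m.group(1))
                continue
        # any other top-level command ends the block we were in
        if not line.startswith(" "):
            current = None
    return acls, cmaps


def lint_copp(text):
    """Flag CoPP-referenced ACL entries that cannot do what the author
    probably intended.  Returns [(class_map, acl, seq_or_None, reason)]."""
    acls, cmaps = parse_copp_config(text)
    findings = []
    for cmap, names in cmaps.items():
        for name in names:
            if name not in acls:
                findings.append((cmap, name, None, "referenced ACL is not defined"))
                continue
            entries = acls[name]
            for seq, action, _rest in entries:
                if action == "deny":
                    # CoPP only matches on permit entries; a deny neither
                    # matches nor excludes traffic from the class.
                    findings.append((cmap, name, seq,
                                     "deny entry never matches in CoPP and does not exclude traffic"))
            if not any(action == "permit" for _seq, action, _rest in entries):
                findings.append((cmap, name, None,
                                 "no permit entries: ACL matches no control-plane traffic"))
    return findings


if __name__ == "__main__":
    for cmap, acl, seq, reason in lint_copp(SAMPLE_CONFIG):
        where = f"{acl} seq {seq}" if seq is not None else acl
        print(f"{cmap}: {where}: {reason}")
```

The lint deliberately ignores ACLs that are not referenced from a control-plane class-map (unrelated-data-plane-acl above), since a deny there is normal data-plane behavior. It reads config text only; on a real switch the thing to compare it against is the output of "show policy-map interface control-plane" after the policy has been reapplied, as the reply suggests.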
