[c-nsp] CoPP for SSH on nexus 7k. Confused!

Shanawaz shanawaz at gmail.com
Thu Oct 21 00:08:37 EDT 2010


Point taken. The moral of the story is 'don't put a deny statement in your
CoPP ACLs'

Thanks a lot for the replies.

On Thu, Oct 21, 2010 at 12:40 PM, Lincoln Dale <ltd at cisco.com> wrote:

> On 21/10/2010, at 12:05 PM, Shanawaz wrote:
> > If my testing does not make sense, I can try explaining again.
>
> your tests make perfect sense and just reiterate what i said up front.  a
> 'deny' won't do what you think it does.
>
> net-net:
>  1. use a 'permit' ACL to match the traffic you want, set a policy of
> 'transmit' with whatever rate you want.
>  2. use a 'permit' ACL to match the traffic you want to block, set a policy
> of 'drop'.
>
> i.e. ALL CoPP ACLs end up being 'permit', never 'deny'.
>
> think of it like a QoS ACL, it behaves the same way.
>
>
> cheers,
>
> lincoln.
>
> >
> > Regards.
> > Shanawaz
> >
>
>
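
The two rules from the reply above, written out as an NX-OS configuration fragment. This is an added example, not configuration posted in the thread; the ACL, class-map and policy-map names, the 192.0.2.0/24 management prefix and the police rates are assumptions chosen for illustration.

```cisco
! Added example (not from the thread). All names, the prefix and the
! rates below are assumptions.

! Rule 1: a 'permit' ACL matches the SSH traffic you want to reach the
! supervisor.
ip access-list copp-acl-ssh-mgmt
  permit tcp 192.0.2.0/24 any eq 22

! Rule 2: a second 'permit' ACL matches the SSH traffic you want to block.
! Do not express this as 'deny tcp any any eq 22' in the ACL above: as the
! thread concludes, a 'deny' in a CoPP ACL does not drop anything.
ip access-list copp-acl-ssh-other
  permit tcp any any eq 22

class-map type control-plane match-any copp-class-ssh-mgmt
  match access-group name copp-acl-ssh-mgmt
class-map type control-plane match-any copp-class-ssh-other
  match access-group name copp-acl-ssh-other

! 'copp-policy-example' stands in for the control-plane policy already
! applied on the box; the two classes are added to it, not applied alone.
policy-map type control-plane copp-policy-example
  ! Classes are evaluated in order, so the allowed sources come first.
  class copp-class-ssh-mgmt
    police cir 512 kbps bc 250 ms conform transmit violate drop
  ! Blocking is done by the policer action ('drop'), not by the ACL.
  class copp-class-ssh-other
    police cir 512 kbps bc 250 ms conform drop violate drop
```

The per-class conformed and violated counters in `show policy-map interface control-plane` show which class the SSH packets actually landed in.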

