[c-nsp] Converting policy-map from IOS to NXOS no "conform drop"

Drew Weaver drew.weaver at thenap.com
Tue Feb 2 09:05:40 EST 2021


I had one other quick question about this.

I've copied the strict copp policy and made it a lot more specific (like /32s are allowed to connect to certain services).

When I do a port scan of the switch it is still showing SSH (albeit closed), https, and BGP as being open.

I am assuming I am just doing something wrong but if you port scan your devices do those ports show as being open?

-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On Behalf Of Paul
Sent: Sunday, January 24, 2021 2:54 AM
To: 'cisco-nsp at puck.nether.net' <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] Converting policy-map from IOS to NXOS no "conform drop"

Depending on what ASIC it is, you simply set it to police 0 pps, no other way around it. Same deal with LPTS on XR platform.

On 1/22/2021 8:07 AM, Drew Weaver wrote:
> Hello,
>
> Sorry to bother you all, this should be my last question regarding NXOS.
>
> I'm converting some CoPP configuration from IOS to NXOS.
>
> Specifically in IOS 15 we have an explicit deny specified like this:
>
> class-map match-all CoPP4-DROP
>    match access-group name CoPP4_DROP
> class CoPP4-DROP
>     police 32000 1500 1500 conform-action drop exceed-action drop
> ip access-list extended CoPP4_DROP
>  remark CoPP entry to deny all other traffic
>  permit ip any any
>
> In NXOS there does not appear to be any way to drop all traffic 
> defined in a class entry (i.e. conform drop).
>
> I opened a ticket with TAC and they indicated that a bug (CSCut8113) was created for this but the developers ignored it without commenting.
>
> Is there no need to drop traffic that isn't specifically permitted in NXOS? The TAC technician just told me that I would just have to allow the minimum amount of traffic, which seems to defeat the entire purpose.
>
> As always thank you,
> -Drew
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
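Editor's added example (not from the thread, not Cisco's or either poster's configuration): one way to express the IOS catch-all drop class quoted above on NX-OS using the "police 0 pps" approach Paul describes. Everything here is an assumption for illustration: the management host 192.0.2.10/32, the ACL, class-map and policy-map names, the 500 pps and 50 pps rates, and the policy-map name in the form that `copp copy profile strict prefix custom` produces. Whether a 0 pps CIR is accepted, and whether it drops in hardware, depends on the platform and ASIC, so verify it on the device before relying on it. Because a class policed at 0 pps never transmits, a scan from a source that lands in that class should see no reply (ports report as filtered); a SYN/ACK or RST from a non-permitted source means the packet matched an earlier, transmitting class, which `show policy-map interface control-plane` counters will show.

```text
! Illustrative NX-OS (Nexus 9000 style) CoPP fragment; all names and addresses are assumptions.
! Start from a copy of the strict profile so the system classes stay intact:
!   copp copy profile strict prefix custom
!
! Only the management host 192.0.2.10 may reach SSH (tcp/22); every other SSH SYN falls through.
ip access-list custom-copp-acl-mgmt-ssh
  10 permit tcp 192.0.2.10/32 any eq 22

! Catch-all ACL: the NX-OS counterpart of the IOS CoPP4_DROP "permit ip any any".
ip access-list custom-copp-acl-drop-all
  10 permit ip any any

class-map type control-plane match-any custom-copp-class-mgmt-ssh
  match access-group name custom-copp-acl-mgmt-ssh

class-map type control-plane match-any custom-copp-class-drop-all
  match access-group name custom-copp-acl-drop-all

! Classes are matched in order; the catch-all must come after every class that should transmit.
policy-map type control-plane custom-copp-policy-strict
  class custom-copp-class-mgmt-ssh
    police cir 500 pps bc 32 packets conform transmit violate drop
  ! ... the copied strict classes (bgp, arp, icmp, ...) keep their own specific ACLs here ...
  ! No "conform drop" exists, so a 0 pps policer is what makes this class drop everything.
  class custom-copp-class-drop-all
    police cir 0 pps bc 32 packets conform transmit violate drop
  class class-default
    police cir 50 pps bc 32 packets conform transmit violate drop

control-plane
  service-policy input custom-copp-policy-strict
```

After applying it, `show policy-map interface control-plane` shows per-class conformed and violated counters; traffic from a non-permitted source should increment the drop counters of the catch-all class and not the transmit counters of any earlier class.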