[c-nsp] Converting policy-map from IOS to NXOS no "conform drop"

Jeffrey G. Fitzwater jfitz at princeton.edu
Fri Jan 22 10:15:00 EST 2021


Just use


conform drop violate drop

That's what we do.


jeff Fitzwater
EIS Network Systems & Monitoring
Princeton University
________________________________
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Drew Weaver <drew.weaver at thenap.com>
Sent: Friday, January 22, 2021 8:07 AM
To: 'cisco-nsp at puck.nether.net' <cisco-nsp at puck.nether.net>
Subject: [c-nsp] Converting policy-map from IOS to NXOS no "conform drop"

Hello,

Sorry to bother you all, this should be my last question regarding NXOS.

I'm converting some CoPP configuration from IOS to NXOS.

Specifically in IOS 15 we have an explicit deny specified like this:

class-map match-all CoPP4-DROP
 match access-group name CoPP4_DROP
!
 class CoPP4-DROP
  police 32000 1500 1500
    conform-action drop
    exceed-action drop
!
ip access-list extended CoPP4_DROP
 remark CoPP entry to deny all other traffic
 permit ip any any

In NXOS there does not appear to be any way to drop all traffic defined in a class entry (i.e., conform drop).

I opened a ticket with TAC and they indicated that a bug (CSCut8113) was created for this but the developers ignored it without commenting.

Is there no need to drop traffic that isn't specifically permitted in NXOS? The TAC technician just told me that I would just have to allow the minimum amount of traffic, which seems to defeat the entire purpose.

As always thank you,
-Drew
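Jeff's suggestion applied to Drew's catch-all class, as an added example that is not configuration from either poster: the IOS 15 class from the question beside the NX-OS form of the same class. The policy-map name COPP-POLICY and the control-plane attachment are assumptions (the post does not show the policy-map the class lives in); the NX-OS police syntax with explicit bps/bytes units is the Nexus 7000/9000 form, and whether "conform drop" is accepted is platform- and release-dependent.

```text
! IOS 15 (as posted): single-rate policer, both colours dropped
ip access-list extended CoPP4_DROP
 remark CoPP entry to deny all other traffic
 permit ip any any
class-map match-all CoPP4-DROP
 match access-group name CoPP4_DROP
policy-map COPP-POLICY
 class CoPP4-DROP
  police 32000 1500 1500
    conform-action drop
    exceed-action drop

! NX-OS equivalent: same ACL, control-plane class-map, policer with conform drop
! (COPP-POLICY is an assumed name; the catch-all class must be the last class
!  in the policy-map, since classes are evaluated in order on both platforms)
ip access-list CoPP4_DROP
  remark CoPP entry to deny all other traffic
  permit ip any any
class-map type control-plane match-any CoPP4-DROP
  match access-group name CoPP4_DROP
policy-map type control-plane COPP-POLICY
  class CoPP4-DROP
    police cir 32000 bps bc 1500 bytes conform drop violate drop
control-plane
  service-policy input COPP-POLICY
```

If the platform does not accept "conform drop", the parser rejects the police line at configuration time rather than silently forwarding, so the result is visible immediately. After applying, "show policy-map interface control-plane" lists per-class conform and violate counters; the CoPP4-DROP line should show violate (or conform-drop) bytes climbing and zero transmitted, and the class-default line shows what happens to anything the explicit classes missed, which is the traffic Drew is worried about.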

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/