[c-nsp] Converting policy-map from IOS to NXOS no "conform drop"

Paul paul at gtcomm.net
Sun Jan 24 02:54:11 EST 2021


Depending on what ASIC it is, you simply set it to police 0 pps, no 
other way around it. Same deal with LPTS on XR platform.

On 1/22/2021 8:07 AM, Drew Weaver wrote:
> Hello,
>
> Sorry to bother you all, this should be my last question regarding NXOS.
>
> I'm converting some CoPP configuration from IOS to NXOS.
>
> Specifically in IOS 15 we have an explicit deny specified like this:
>
> class-map match-all CoPP4-DROP
>    match access-group name CoPP4_DROP
> class CoPP4-DROP
>     police 32000 1500 1500    conform-action drop     exceed-action drop
> ip access-list extended CoPP4_DROP
> remark CoPP entry to deny all other traffic
> permit ip any any
>
> In NXOS there does not appear to be any way to drop all traffic defined in a class entry. (i.e. conform drop)
>
> I opened a ticket with TAC and they indicated that a bug (CSCut8113) was created for this but the developers ignored it without commenting.
>
> Is there no need to drop traffic that isn't specifically permitted in NXOS? The TAC technician just told me that I would just have to allow the minimum amount of traffic, which seems to defeat the entire purpose.
>
> As always thank you,
> -Drew
>

