From drew.weaver at thenap.com Mon Jan 6 14:31:56 2020
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 6 Jan 2020 19:31:56 +0000
Subject: [F10-nsp] OS10 Enterprise CoPP
Message-ID: <2c529d9cf8ed4c4e99ed32db6a26cb94@EXCHANGE2K13.thenap.com>

Hello everyone,

I am new to Dell OS10 and I am trying to configure CoPP but it seems like it doesn't allow you to specify src/dst IP addresses in CoPP policies.

This seems pretty bad because if it counts all BGP packets the same regardless of their source you could easily DoS a switch just by sending more BGP packets to it than is configured in the CoPP policy.

I am more used to the following:

class-map match-any CoPP4-CRITICAL
 match access-group name CoPP4_CRITICAL
class-map match-any CoPP4-DROP
 match access-group name CoPP4_DROP

policy-map CoPP-Policy
 class CoPP4-CRITICAL
  police 512000 8000 conform-action transmit exceed-action transmit
 class CoPP4-DROP
  police 32000 1500 1500 conform-action drop exceed-action drop

ip access-list extended CoPP4_CRITICAL
 remark this is critical
 permit tcp host src.ip host dst.ip eq bgp
 permit tcp host src.ip host dst.ip eq bgp

ip access-list extended CoPP4_DROP
 remark CoPP entry to deny all other traffic to CPU
 permit ip any any

control-plane
 service-policy input CoPP-Policy
!
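The concern raised in the message can be checked numerically. The following is an added illustration, not part of the original post and not Dell or Cisco code: a token-bucket policer using the 512000 bps / 8000-byte values from the quoted policy, comparing one policer shared by every BGP packet with one that only admits ACL-listed sources. Packet size, addresses, packet rates and an exceed-action of drop are constructed assumptions.

```python
import random

RATE_BPS, BURST_BYTES = 512000, 8000        # "police 512000 8000" from the post
PKT_BYTES = 100                             # assumed packet size
PEER, UNKNOWN = "192.0.2.1", "203.0.113.9"  # constructed documentation addresses

class Policer:
    """Single-rate token bucket; a packet that finds too few tokens is dropped."""
    def __init__(self, rate_bps, burst_bytes):
        self.fill = rate_bps / 8.0              # refill rate in bytes per second
        self.burst = self.tokens = float(burst_bytes)
        self.last = 0.0

    def conforms(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.fill)
        self.last = now
        if self.tokens < size:
            return False
        self.tokens -= size
        return True

def traffic(seconds, peer_pps, other_pps, seed=1):
    """Constructed tcp/179 arrivals as time-ordered (time, source) tuples."""
    rng = random.Random(seed)
    peer = [(rng.uniform(0, seconds), PEER) for _ in range(seconds * peer_pps)]
    other = [(i / other_pps, UNKNOWN) for i in range(seconds * other_pps)]
    return sorted(peer + other)

def peer_delivery(packets, acl_hosts=None):
    """Fraction of the configured peer's packets that reach the CPU.
    acl_hosts=None: one policer for every BGP packet, source ignored.
    acl_hosts=set : only listed sources reach the policer; everything else
                    lands in a drop class, like CoPP4_DROP in the post."""
    policer = Policer(RATE_BPS, BURST_BYTES)
    sent = passed = 0
    for now, src in packets:
        if acl_hosts is not None and src not in acl_hosts:
            continue                            # drop class, policer untouched
        ok = policer.conforms(now, PKT_BYTES)
        if src == PEER:
            sent += 1
            passed += ok
    return passed / sent

if __name__ == "__main__":
    pkts = traffic(seconds=10, peer_pps=10, other_pps=5000)
    print("protocol-only policer:", round(peer_delivery(pkts), 2))
    print("source-ACL policer   :", round(peer_delivery(pkts, acl_hosts={PEER}), 2))
```

With the shared policer the configured peer loses most of its packets once unlisted sources exceed the policed rate; with source classification the same peer traffic is delivered in full.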