[F10-nsp] OS10 Enterprise CoPP

Drew Weaver drew.weaver at thenap.com
Mon Jan 6 14:31:56 EST 2020


Hello everyone, I am new to Dell OS10 and I am trying to configure CoPP but it seems like it doesn't allow you to specify src/dst IP addresses in CoPP policies.

This seems pretty bad because if it counts all BGP packets the same regardless of their source you could easily DoS a switch just by sending more BGP packets to it than is configured in the CoPP policy.

I am more used to the following:

class-map match-any CoPP4-CRITICAL
  match access-group name CoPP4_CRITICAL
class-map match-any CoPP4-DROP
  match access-group name CoPP4_DROP

policy-map CoPP-Policy
  class CoPP4-CRITICAL
   police 512000 8000 conform-action transmit exceed-action transmit
  class CoPP4-DROP
   police 32000 1500 1500 conform-action drop exceed-action drop

ip access-list extended CoPP4_CRITICAL
remark this is critical
permit tcp host src.ip host dst.ip eq bgp
permit tcp host src.ip host dst.ip eq bgp

ip access-list extended CoPP4_DROP
remark CoPP entry to deny all other traffic to CPU
permit ip any any

control-plane
service-policy input CoPP-Policy
!
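
Added example, not part of the original post and not Dell or Cisco code: a small token-bucket simulation of the concern raised above, comparing one policer shared by all BGP traffic with the ACL-scoped classes from the quoted policy. The addresses, packet size, packet rates and the drop-on-exceed behaviour of the shared policer are assumptions; the police rates are the ones in the policy above.

```python
# Added example, not from the original post: token-bucket model of both CoPP designs.
import random
from dataclasses import dataclass

PEER, OTHER = "192.0.2.1", "198.51.100.7"  # constructed documentation addresses
PKT_BYTES = 100                            # assumed size of every packet

@dataclass
class Policer:
    rate_bps: int               # first number after "police"
    burst_bytes: int            # second number after "police"
    conform_transmit: bool = True
    exceed_transmit: bool = False
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def admit(self, now: float, size: int) -> bool:
        refill = (now - self.last) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = now
        if self.tokens >= size:                 # conforming packet
            self.tokens -= size
            return self.conform_transmit
        return self.exceed_transmit             # exceeding packet

def traffic(seconds=10, peer_pps=20, other_pps=2000, seed=1):
    """Constructed load: random arrival times for one peer and one unlisted source."""
    rng = random.Random(seed)
    events = [(rng.uniform(0, seconds), PEER) for _ in range(seconds * peer_pps)]
    events += [(rng.uniform(0, seconds), OTHER) for _ in range(seconds * other_pps)]
    return sorted(events)

def delivered(classify, policers):
    """Count packets per source that reach the CPU."""
    ok = {PEER: 0, OTHER: 0}
    for now, src in traffic():
        ok[src] += policers[classify(src)].admit(now, PKT_BYTES)
    return ok

def aggregate_bgp():
    # One class for all BGP regardless of source; dropping on exceed is assumed.
    return delivered(lambda src: "bgp", {"bgp": Policer(512000, 8000)})

def acl_scoped():
    # Classes from the post: peers in CoPP4-CRITICAL, everything else in CoPP4-DROP.
    policers = {"critical": Policer(512000, 8000, True, True),
                "drop": Policer(32000, 1500, False, False)}
    return delivered(lambda src: "critical" if src == PEER else "drop", policers)
```

With the shared policer the configured peer loses packets whenever the unlisted source fills the bucket; with the ACL-scoped classes the peer's packets are classified separately and the unlisted source never reaches the CPU.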