[F10-nsp] OS10 Enterprise CoPP
Drew Weaver
drew.weaver at thenap.com
Mon Jan 6 14:31:56 EST 2020
Hello everyone, I am new to Dell OS10 and I am trying to configure CoPP but it seems like it doesn't allow you to specify src/dst IP addresses in CoPP policies.
This seems pretty bad, because if it counts all BGP packets the same regardless of their source, you could easily DoS a switch just by sending more BGP packets to it than is configured in the CoPP policy.
I am more used to the following:
class-map match-any CoPP4-CRITICAL
 match access-group name CoPP4_CRITICAL
class-map match-any CoPP4-DROP
 match access-group name CoPP4_DROP
!
policy-map CoPP-Policy
 class CoPP4-CRITICAL
  police 512000 8000 conform-action transmit exceed-action transmit
 class CoPP4-DROP
  police 32000 1500 1500 conform-action drop exceed-action drop
!
ip access-list extended CoPP4_CRITICAL
 remark this is critical
 permit tcp host src.ip host dst.ip eq bgp
 permit tcp host src.ip host dst.ip eq bgp
ip access-list extended CoPP4_DROP
 remark CoPP entry to deny all other traffic to CPU
 permit ip any any
!
control-plane
 service-policy input CoPP-Policy
!