NEXUS CoPP Configuration

Controlling management access on the Nexus 7000 is very different from other Cisco routers and switches. The VTY lines are pretty much gone: there is a single VTY, and the only configurable option is the idle timeout. Management access is controlled through the management interface (mgmt 0), which is associated with the VRF called management. This VRF is configured by default on all VDCs as well as the management (root) context. The management interface in each VDC is a logical interface tied to the physical interface on the supervisor. That's right: all mgmt 0 interfaces are part of the management VRF, and all connectivity for that VRF goes through the supervisor's management port. As an FYI, all management IPs share the same MAC address as the physical interface.


The next management feature is controlling access to the control plane. For example, we want to block management access through the layer 3 ports for increased security, while still allowing management protocols to the management interface so we can access the switch (on the Nexus 7000, traffic arriving on mgmt 0 is not subject to CoPP, so the policy below only governs what reaches the supervisor from the in-band interfaces). By default the Nexus 7000 comes with a CoPP policy, but it allows too many protocols, including insecure ones, so we'll write our own. Here's an example.
This first ACL will match all the traffic we don't explicitly allow in our other ACLs. Notice it is a permit: the ACL must permit (match) the traffic so that the class map can catch it and the policy map can drop it.
ip access-list copp-system-acl-deny
 10 remark Deny ALL traffic that is not explicitly permitted
 20 permit ip any any
In this ACL we allow EIGRP so the routing protocol can establish adjacencies.
ip access-list copp-system-acl-eigrp
 10 permit eigrp any any
Here we allow the redundant gateway protocols (GLBP and HSRP).
ip access-list copp-system-acl-glbp
 10 permit udp any eq 3222 224.0.0.0/24 eq 3222
ip access-list copp-system-acl-hsrp
 10 permit udp any 224.0.0.0/24 eq 1985
Next we allow ICMP echo and echo-reply so we can ping the interface during troubleshooting.
ip access-list copp-system-acl-icmp
 10 permit icmp any any echo
 20 permit icmp any any echo-reply
Here we allow PIM, since we have multicast on the network.
ip access-list copp-system-acl-pim
 10 permit pim any 224.0.0.0/24
 20 permit udp any any eq pim-auto-rp
 30 permit ahp any 224.0.0.13/32
ip access-list copp-system-acl-pim-reg
 10 permit pim any any
Finally, an ACL for traceroute.
ip access-list copp-system-acl-traceroute
 10 permit icmp any any ttl-exceeded
 20 permit icmp any any port-unreachable
Next are the class maps, which reference the ACLs above.
This class map holds the critical applications, like our routing protocol.
class-map type control-plane match-any copp-system-class-critical
 match access-group name copp-system-acl-eigrp
 match access-group name copp-system-acl-pim
This class polices things we don't normally see. We allow them just in case, but police them so they don't get out of control.
class-map type control-plane match-any copp-system-class-exception
 match exception ip option
 match exception ip icmp unreachable
Here's a class map for the second most important items. As you can see, this covers GLBP and HSRP, plus PIM register traffic.
class-map type control-plane match-any copp-system-class-important
 match access-group name copp-system-acl-glbp
 match access-group name copp-system-acl-hsrp
 match access-group name copp-system-acl-pim-reg
Here is our deny class map. It refers to the permit ip any any ACL above. In the next section we'll see how we drop the traffic.
class-map type control-plane match-any copp-system-class-management-deny
 match access-group name copp-system-acl-deny
This one is for our troubleshooting protocols.
class-map type control-plane match-any copp-system-class-monitoring
 match access-group name copp-system-acl-icmp
 match access-group name copp-system-acl-traceroute
The next two are for other protocols that need a general policy.
class-map type control-plane match-any copp-system-class-normal
 match protocol arp
class-map type control-plane match-any copp-system-class-redirect
 match redirect arp-inspect
Finally we create our policy map. The policy map consists of the class maps we created above. Under the policy map we list each class map and associate an action, such as policing or dropping, with each.
policy-map type control-plane copp-system-policy
The first one is our critical class. Here we give the class a committed rate of 39600 kbps and a burst of 250 ms. Anything above that violates the policer and is dropped. The rest follow the same principle.
 class copp-system-class-critical
  police cir 39600 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-important
  police cir 1060 kbps bc 1000 ms conform transmit violate drop
 class copp-system-class-normal
  police cir 680 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-redirect
  police cir 280 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-monitoring
  police cir 130 kbps bc 1000 ms conform transmit violate drop
 class copp-system-class-exception
  police cir 360 kbps bc 250 ms conform transmit violate drop
Here is our special drop policy. If you read it carefully you will see that any traffic that conforms to the policer is dropped, and all violating traffic is dropped as well. Referring back to the ACL, it was a permit ip any any, so whatever was not matched by an earlier class is dropped here.
 class copp-system-class-management-deny
  police cir 60000 kbps bc 250 ms conform drop violate drop
 class class-default
  police cir 100 kbps bc 250 ms conform transmit violate drop
The last thing to do is apply our policy map to the control plane.
control-plane
 service-policy input copp-system-policy
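As an added example (not code from the original post), here is a small Python audit that parses the ACL, class-map and policy-map chain shown above and checks the two properties the design depends on: the catch-all deny class must drop both conforming and violating traffic, and no transmitting class may sit after it in the policy map, because NX-OS evaluates classes top-down and the first match wins. The config excerpt embedded in the script is a constructed, trimmed copy of the policy above.

```python
import re

# Constructed, trimmed copy of the CoPP config from this post (not pulled from a device).
SAMPLE = """\
ip access-list copp-system-acl-deny
 20 permit ip any any
ip access-list copp-system-acl-eigrp
 10 permit eigrp any any
class-map type control-plane match-any copp-system-class-critical
 match access-group name copp-system-acl-eigrp
class-map type control-plane match-any copp-system-class-management-deny
 match access-group name copp-system-acl-deny
policy-map type control-plane copp-system-policy
 class copp-system-class-critical
  police cir 39600 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-management-deny
  police cir 60000 kbps bc 250 ms conform drop violate drop
 class class-default
  police cir 100 kbps bc 250 ms conform transmit violate drop
"""

def parse(cfg):
    # ACL name -> permit entries, class-map name -> ACL names, ordered policy classes
    acls, cmaps, policy, cur = {}, {}, [], None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"ip access-list (\S+)", s):
            cur = acls.setdefault(m[1], [])
        elif m := re.match(r"class-map type control-plane \S+ (\S+)", s):
            cur = cmaps.setdefault(m[1], [])
        elif re.match(r"\d+ permit ", s):
            cur.append(s.split(None, 1)[1])           # e.g. "permit ip any any"
        elif m := re.match(r"match access-group name (\S+)", s):
            cur.append(m[1])
        elif m := re.match(r"class (\S+)", s):
            policy.append({"class": m[1]})
        elif m := re.match(r"police .*conform (\w+) violate (\w+)", s):
            policy[-1].update(conform=m[1], violate=m[2])
    return acls, cmaps, policy

def audit(cfg):
    acls, cmaps, policy = parse(cfg)
    def catch_all(c):  # does any ACL behind this class permit all IP traffic?
        return any("permit ip any any" in e for a in cmaps.get(c, []) for e in acls.get(a, []))
    findings = []
    for i, entry in enumerate(policy):
        c = entry["class"]
        if catch_all(c):
            if (entry.get("conform"), entry.get("violate")) != ("drop", "drop"):
                findings.append(f"{c}: catch-all ACL must use conform drop violate drop")
            for later in policy[i + 1:]:  # first match wins: a transmitting class after the catch-all is dead
                if later["class"] != "class-default" and later.get("conform") == "transmit":
                    findings.append(f"{later['class']}: shadowed by catch-all class {c}")
    return findings
```

Running audit() over a full `show running-config copp` export works the same way, since the parser only keys on the ACL, class-map, match, class and police lines.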
