NEXUS CoPP Configuration

The controlling of management access on the Nexus 7000 is very different than other Cisco routers and switches. The VTY lines are pretty much gone. There is a single VTY and the only configurable option is the idle timeout. Management access is controlled through the management interface (mgmt 0) which is associated to the vrf called management. This vrf is configured by default on all VDC’s as well as the management or root context. The management interface in each VDC is a logical interface that is tied to the physical interface on the supervisor. That’s right all mgmt 0 interfaces are part of the management vrf and all connectivity for that vrf goes through the Supervisors management port. As an FYI, all management IP’s have the same MAC as the physical interface.


The next management feature is controlling access to the control plane. For example we want to block management access to the layer 3 ports for increased security. We will allow management protocols to the management interface so we can still access the switch. By default the Nexus 7000 comes with a CoPP policy, but it allows too many protocols and insecure protocols, so we’ll write our own. Here’s an example.
This first ACL will block all the traffic we don’t explicitly allow in our other ACLs. Notice it is a permit. We must permit the traffic so we can drop in our class map.
ip access-list copp-system-acl-deny
 10 remark Deny ALL traffic that is not explicity permitted
 20 permit ip any any
In this ACL we will allow EIGRP so the routing protocol can establish adjacencies.
ip access-list copp-system-acl-eigrp
 10 permit eigrp any any
Here we allow the redundant gateway protocols (GLBP & HSRP)
ip access-list copp-system-acl-glbp
 10 permit udp any eq 3222 eq 3222
ip access-list copp-system-acl-hsrp
 10 permit udp any eq 1985
Next we all ICMP echo and echo reply so we can ping the interface during troubleshooting
ip access-list copp-system-acl-icmp
 10 permit icmp any any echo
 20 permit icmp any any echo-reply
Here we allow PIM since we have multicast on the network
ip access-list copp-system-acl-pim
 10 permit pim any
 20 permit udp any any eq pim-auto-rp
 30 permit ahp any
ip access-list copp-system-acl-pim-reg
 10 permit pim any any
Finally, an ACL for traceroute
ip access-list copp-system-acl-traceroute
 10 permit icmp any any ttl-exceeded
 20 permit icmp any any port-unreachable
Next are the class maps which reference the ACLs above
This class map has the critical applications like our routing protocol
class-map type control-plane match-any copp-system-class-critical
 match access-group name copp-system-acl-eigrp
 match access-group name copp-system-acl-pim
This is a class that polices things we don’t normally see. We allow just in case, but police it so it doesn’t get out of control
class-map type control-plane match-any copp-system-class-exception
 match exception ip option
 match exception ip icmp unreachable
Here’s a class map for the second most important items. As you can see this covers GLBP & HSRP
class-map type control-plane match-any copp-system-class-important
 match access-group name copp-system-acl-glbp
 match access-group name copp-system-acl-hsrp
 match access-group name copp-system-acl-pim-reg
Here is our deny policy map. It refers to the permit ip any any ACL above. In the next session we’ll see how we drop the traffic
class-map type control-plane match-any copp-system-class-management-deny
 match access-group name copp-system-acl-deny
This is for our troubleshooting protocols
class-map type control-plane match-any copp-system-class-monitoring
 match access-group name copp-system-acl-icmp
 match access-group name copp-system-acl-traceroute
The next two are for other protocols that need a general policy
class-map type control-plane match-any copp-system-class-normal
 match protocol arp
class-map type control-plane match-any copp-system-class-redirect
 match redirect arp-inspect
Finally we create our policy map. The policy map consists of the class maps we created above. Under the global policy we have each of the class maps and we associate a policy, like policing or dropping, to each.
policy-map type control-plane copp-system-policy
The first one is our critical class map. Here we give the class map the bandwidth of 39600 kbps and a burst of 250. Anything above that and the traffic is violated and dropped. The rest are of the same principle
 class copp-system-class-critical
  police cir 39600 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-important
  police cir 1060 kbps bc 1000 ms conform transmit violate drop
 class copp-system-class-normal
  police cir 680 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-redirect
  police cir 280 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-monitoring
  police cir 130 kbps bc 1000 ms conform transmit violate drop
 class copp-system-class-exception
  police cir 360 kbps bc 250 ms conform transmit violate drop
Here is our special drop policy. If you read it carefully you will see that any traffic that conforms to the policy will be dropped! All violated traffic will also be dropped! Referring back to the ACL it was a permit ip any.
 class copp-system-class-management-deny
  police cir 60000 kbps bc 250 ms conform drop violate drop
 class class-default
  police cir 100 kbps bc 250 ms conform transmit violate drop
The last thing to do is apply our policy map to the control plane
 service-policy input copp-system-policy