NEXUS CoPP Configuration

Controlling management access on the Nexus 7000 is very different from other Cisco routers and switches. The VTY lines are pretty much gone: there is a single VTY, and about the only thing you configure on it is the idle timeout. Management access is instead controlled through the management interface (mgmt 0), which belongs to the VRF called management. That VRF exists by default in every VDC as well as in the default (root) VDC. The mgmt 0 interface in each VDC is a logical interface tied to the physical management port on the supervisor, so every mgmt 0 interface is in the management VRF and all traffic for that VRF goes through the supervisor's management port. As an FYI, all management IPs share the MAC address of that physical interface.

The next piece is controlling access to the control plane itself. For example, we want to block management access via the Layer 3 (front-panel) ports for increased security, while still allowing management protocols to the management interface so we can reach the switch. The Nexus 7000 ships with a default CoPP policy, but it permits too many protocols, some of them insecure, so we'll write our own. Here's an example.
This first ACL catches all the traffic we don't explicitly allow in the other ACLs. Notice that it is a permit: a CoPP class only matches traffic that its ACL permits, so we must permit the traffic here in order to drop it with the police action in the policy map later.
ip access-list copp-system-acl-deny
 10 remark Deny ALL traffic that is not explicitly permitted
 20 permit ip any any
In this ACL we allow EIGRP so the routing protocol can establish and maintain adjacencies.
ip access-list copp-system-acl-eigrp
 10 permit eigrp any any
Here we allow the first-hop redundancy protocols (GLBP and HSRP). GLBP uses UDP 3222 and HSRP uses UDP 1985, both sent to multicast groups inside 224.0.0.0/24.
ip access-list copp-system-acl-glbp
 10 permit udp any eq 3222 224.0.0.0/24 eq 3222
ip access-list copp-system-acl-hsrp
 10 permit udp any 224.0.0.0/24 eq 1985
Next we allow ICMP echo and echo-reply so we can ping the interfaces during troubleshooting.
ip access-list copp-system-acl-icmp
 10 permit icmp any any echo
 20 permit icmp any any echo-reply
Here we allow PIM since we have multicast on the network. The first ACL covers PIM to the link-local multicast groups, Auto-RP (UDP 496) and AH-authenticated PIM to 224.0.0.13. The separate pim-reg ACL matches any remaining PIM traffic, such as register messages, which are unicast to the RP rather than sent to a multicast group.
ip access-list copp-system-acl-pim
 10 permit pim any 224.0.0.0/24
 20 permit udp any any eq pim-auto-rp
 30 permit ahp any 224.0.0.13/32
ip access-list copp-system-acl-pim-reg
 10 permit pim any any
Finally, an ACL for the ICMP messages traceroute relies on (TTL exceeded and port unreachable).
ip access-list copp-system-acl-traceroute
 10 permit icmp any any ttl-exceeded
 20 permit icmp any any port-unreachable
Next are the class maps, which reference the ACLs above.
This class map holds the critical traffic, such as our routing protocol and PIM.
class-map type control-plane match-any copp-system-class-critical
 match access-group name copp-system-acl-eigrp
 match access-group name copp-system-acl-pim
This class polices exception traffic we don't normally see: packets carrying IP options and packets that make the supervisor generate ICMP unreachables. We allow it just in case, but police it so it can't get out of control.
class-map type control-plane match-any copp-system-class-exception
 match exception ip option
 match exception ip icmp unreachable
Here's a class map for the second most important items. As you can see, this covers GLBP, HSRP and PIM registers.
class-map type control-plane match-any copp-system-class-important
 match access-group name copp-system-acl-glbp
 match access-group name copp-system-acl-hsrp
 match access-group name copp-system-acl-pim-reg
Here is our deny class map. It references the permit ip any any ACL above; the policy map further down is where that traffic actually gets dropped.
class-map type control-plane match-any copp-system-class-management-deny
 match access-group name copp-system-acl-deny
This is for our troubleshooting protocols (ping and traceroute).
class-map type control-plane match-any copp-system-class-monitoring
 match access-group name copp-system-acl-icmp
 match access-group name copp-system-acl-traceroute
The next two classify traffic that no IP ACL can match: ARP, and packets redirected to the supervisor by dynamic ARP inspection. Note that permit ip any any does not match ARP (it is not IP), so without a class like copp-system-class-normal ARP would fall through to class-default.
class-map type control-plane match-any copp-system-class-normal
 match protocol arp
class-map type control-plane match-any copp-system-class-redirect
 match redirect arp-inspect
Finally we create our policy map. The policy map lists the class maps we created above, in order, and attaches an action to each one, such as a policer that transmits or drops. Order matters: a packet is compared against the classes from top to bottom and takes the first class that matches it.
policy-map type control-plane copp-system-policy
The first one is our critical class. We give it a committed rate of 39600 kbps with a burst of 250 ms; traffic that conforms is transmitted, and anything above that rate is marked as violating and dropped. The rest follow the same principle.
 class copp-system-class-critical
  police cir 39600 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-important
  police cir 1060 kbps bc 1000 ms conform transmit violate drop
 class copp-system-class-normal
  police cir 680 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-redirect
  police cir 280 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-monitoring
  police cir 130 kbps bc 1000 ms conform transmit violate drop
 class copp-system-class-exception
  police cir 360 kbps bc 250 ms conform transmit violate drop
Here is our special drop class. Read it carefully: traffic that conforms to the policer is dropped, and traffic that violates it is dropped too, so the rate is irrelevant. Because the ACL behind it is permit ip any any, every IPv4 packet that was not matched by an earlier class is dropped here, which is what blocks SSH, SNMP and the like on the front-panel interfaces. That also means this class has to stay below the permit classes; put it first and it would swallow the routing protocols. It matches IPv4 only: if you run IPv6 you need an ipv6 access-list and a class for it as well, and non-IP traffic such as ARP still falls through to the classes below or to class-default.
 class copp-system-class-management-deny
  police cir 60000 kbps bc 250 ms conform drop violate drop
 class class-default
  police cir 100 kbps bc 250 ms conform transmit violate drop
The last thing to do is apply our policy map to the control plane. On the Nexus 7000 this is done in the default VDC and the policy applies to every VDC. Apply it from a session on mgmt 0 or the console so you cannot lock yourself out, then check the per-class conform and violate counters with show policy-map interface control-plane and confirm that the critical class is not dropping.
control-plane
 service-policy input copp-system-policy
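The classes in the policy map are evaluated top to bottom, and the permit-to-drop trick only works because copp-system-class-management-deny sits after every class you want to keep. To make that concrete, here is an added example, not from this post and not Cisco code: a small Python model that parses a subset of the post's ACLs, class maps and policy map (in the post's order) and reports which class, and therefore which action, a handful of constructed control-plane packets would hit. The packets, the addresses (10.1.1.1 standing in for a routed front-panel SVI) and the deny_first switch are assumptions of mine; the matcher implements first-match class order and first-match ACE order with an implicit deny, treats IP ACLs as never matching ARP, and ignores ICMP type keywords on ACEs.

```python
"""Offline model of the CoPP policy in this post: parse a subset of its ACLs, class maps and
policy map (in the post's order) and report which class, hence which police action, a
control-plane packet hits. Added example, not NX-OS code; assumptions are in the comments."""
import ipaddress

COPP_CONFIG = """
ip access-list copp-system-acl-deny
 10 permit ip any any
ip access-list copp-system-acl-eigrp
 10 permit eigrp any any
ip access-list copp-system-acl-hsrp
 10 permit udp any 224.0.0.0/24 eq 1985
ip access-list copp-system-acl-pim
 10 permit pim any 224.0.0.0/24
 20 permit udp any any eq pim-auto-rp
class-map type control-plane match-any copp-system-class-critical
 match access-group name copp-system-acl-eigrp
 match access-group name copp-system-acl-pim
class-map type control-plane match-any copp-system-class-important
 match access-group name copp-system-acl-hsrp
class-map type control-plane match-any copp-system-class-management-deny
 match access-group name copp-system-acl-deny
class-map type control-plane match-any copp-system-class-normal
 match protocol arp
policy-map type control-plane copp-system-policy
 class copp-system-class-critical
  police cir 39600 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-important
  police cir 1060 kbps bc 1000 ms conform transmit violate drop
 class copp-system-class-normal
  police cir 680 kbps bc 250 ms conform transmit violate drop
 class copp-system-class-management-deny
  police cir 60000 kbps bc 250 ms conform drop violate drop
 class class-default
  police cir 100 kbps bc 250 ms conform transmit violate drop
"""
NAMED_PORTS = {"pim-auto-rp": 496}

def parse(cfg):
    """Return (acls, classes, policy) from NX-OS-style CoPP configuration text."""
    acls, classes, policy, cur = {}, {}, [], None
    for w in (ln.split() for ln in cfg.strip().splitlines()):
        if w[:2] == ["ip", "access-list"]:
            cur = acls.setdefault(w[2], [])
        elif w[0] == "class-map":
            cur = classes.setdefault(w[-1], [])
        elif w[0] == "class":                # entry inside the policy-map
            policy.append({"class": w[1]})
        elif w[0] == "police":               # police cir N kbps bc M ms conform X violate Y
            policy[-1].update(cir=int(w[2]), conform=w[8], violate=w[10])
        elif w[0] == "match":
            cur.append(w[1:])                # ['access-group','name',ACL] or ['protocol','arp']
        elif w[1] in ("permit", "deny"):     # ACE: (action, tokens); remark lines are skipped
            cur.append((w[1], w[2:]))
    return acls, classes, policy

def ace_match(fields, pkt):
    """Match one ACE's tokens (proto src [eq p] dst [eq p]) against a packet dict; ICMP types ignored."""
    proto, rest = fields[0], list(fields[1:])
    if pkt["proto"] == "arp" or proto not in ("ip", pkt["proto"]):
        return False                          # IP ACLs never see ARP; 'ip' matches any IP protocol
    ok = True
    for side in ("src", "dst"):
        spec = rest.pop(0)
        ok &= spec == "any" or ipaddress.ip_address(pkt[side]) in ipaddress.ip_network(spec)
        if rest[:1] == ["eq"]:                # optional port qualifier for this side
            ok &= pkt.get(side[0] + "port") == int(NAMED_PORTS.get(rest[1], rest[1]))
            del rest[:2]
    return ok

def acl_permits(acl, pkt):
    """First matching ACE decides; no match means the implicit deny."""
    return next((action == "permit" for action, f in acl if ace_match(f, pkt)), False)

def classify(pkt, acls, classes, policy):
    """First class in policy-map order that matches the packet, and its conform action."""
    for entry in policy:
        cls = entry["class"]
        if cls == "class-default" or any(     # match-any: a single clause is enough
                (m[0] == "access-group" and acl_permits(acls[m[2]], pkt))
                or (m[0] == "protocol" and pkt["proto"] == m[1]) for m in classes[cls]):
            return cls, entry["conform"]

# Constructed packets, not captured from a device; 10.1.1.1 stands for a routed front-panel SVI.
SAMPLES = {
    "EIGRP hello": dict(proto="eigrp", src="10.1.1.2", dst="224.0.0.10"),
    "HSRP hello":  dict(proto="udp", src="10.1.1.2", dst="224.0.0.2", sport=1985, dport=1985),
    "PIM hello":   dict(proto="pim", src="10.1.1.2", dst="224.0.0.13"),
    "SSH to SVI":  dict(proto="tcp", src="10.9.9.9", dst="10.1.1.1", sport=51000, dport=22),
    "ARP request": dict(proto="arp", src="10.1.1.2", dst="10.1.1.1"),
}

def report(deny_first=False):
    """Classify every sample; deny_first=True models the mistake of listing the deny class first."""
    acls, classes, policy = parse(COPP_CONFIG)
    if deny_first:
        policy.sort(key=lambda e: "deny" not in e["class"])   # stable sort: deny class to the front
    return {name: classify(pkt, acls, classes, policy) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (cls, action) in report().items():
        print(f"{name:12} {cls:36} conform {action}")
```

Running it shows EIGRP and PIM hellos landing in the critical class, HSRP in important, ARP in normal via match protocol arp, and SSH to a routed interface in the deny class, where conform drop discards it. report(deny_first=True) shows the ordering mistake: with the deny class at the top, EIGRP is dropped as well, while ARP is still untouched because permit ip any any never matches it.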
