OL-11615-01
At this point, you might decide to remove the class-map and ACL used for the classification of default
traffic. If so, you should also replace the previously defined policy for the default class by the
class-default policy.
Sample CoPP Configuration
The following example shows how to develop a CoPP policy and how to apply it in order to protect the
control plane of a Catalyst 6500 Series switch.
In this example, the control plane traffic is classified based on relative importance and traffic type. Eight
classes are defined, each of which is associated with a separate extended ACL:
BGP (coppacl-bgp): BGP traffic
IGP (coppacl-igp): OSPF traffic
Interactive management (coppacl-interactivemanagement): remote access and management traffic such as TACACS, SSH, SNMP, and NTP
File management (coppacl-filemanagement): remote file transfer traffic such as TFTP and FTP
Monitoring (coppacl-monitoring): ICMP and traceroute traffic
Critical applications (coppacl-critical-app): HSRP and DHCP traffic
Undesirable traffic (coppacl-undesirable): explicitly denies unwanted traffic (for example, Slammer worm packets)
Default (no ACL needed): all IP and non-IP traffic received by the control plane that has not been otherwise identified
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Sample basic ACLs for CoPP classification
!
! In this example, BGP is used and must be classified
ip access-list extended coppacl-bgp
remark BGP traffic class
! allow BGP from a known peer to this router's BGP TCP port
permit tcp host 192.168.1.1 host 10.1.1.1 eq bgp
! allow BGP from a peer's BGP port to this router
permit tcp host 192.168.1.1 eq bgp host 10.1.1.1
!
! For your IGP class, OSPF is the IGP used in this example
ip access-list extended coppacl-igp
remark IGP traffic class
! permit OSPF
permit ospf any host 224.0.0.5
permit ospf any host 224.0.0.6
permit ospf any any
!
! The Interactive Management class is for traffic that is required
! for accessing and managing the system; in this example, TACACS,
! SSH, SNMP, and NTP are classified in this class
ip access-list extended coppacl-interactivemanagement
remark CoPP interactive management traffic class
! permit return traffic from TACACS host
permit tcp host 10.2.1.1 host 10.1.1.1 established
! ssh access to the router from a subnet
permit tcp 10.2.1.0 0.0.0.255 host 10.1.1.1 eq 22
! SNMP access from the NMS host to the router
permit udp host 10.2.2.2 host 10.1.1.1 eq snmp
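Because CoPP classification is only as good as the ACLs behind it, it helps to check, before deploying, which class a given control-plane packet would fall into and, in particular, which packets end up in class-default. The following Python script is an added example, not Cisco's code and not part of the configuration guide: it parses the subset of IOS extended-ACL syntax used above (permit <protocol> <source> [eq <port>] <destination> [eq <port>] [established]), embeds a constructed copy of the BGP, IGP and interactive-management entries shown so far, and classifies sample packets in policy-map order. The evaluation order of the classes and the packet representation (a dictionary with an `ack` flag standing in for the TCP ACK/RST bits that `established` matches) are assumptions made for this example.

```python
"""Offline classifier for the CoPP ACLs on this page (added example, not Cisco code)."""
import ipaddress

# Service names as IOS prints them in the sample ACLs.
PORT_NAMES = {"bgp": 179, "snmp": 161, "ntp": 123, "tftp": 69, "ftp": 21, "ssh": 22}

# Constructed copy of the page's sample ACLs; the list order is the assumed
# policy-map class order (first matching class wins).
SAMPLE_ACLS = [
    ("coppacl-bgp", """
permit tcp host 192.168.1.1 host 10.1.1.1 eq bgp
permit tcp host 192.168.1.1 eq bgp host 10.1.1.1
"""),
    ("coppacl-igp", """
permit ospf any host 224.0.0.5
permit ospf any host 224.0.0.6
permit ospf any any
"""),
    ("coppacl-interactivemanagement", """
permit tcp host 10.2.1.1 host 10.1.1.1 established
permit tcp 10.2.1.0 0.0.0.255 host 10.1.1.1 eq 22
permit udp host 10.2.2.2 host 10.1.1.1 eq snmp
"""),
]


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens):
    """Consume one IOS address spec and return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    # "<address> <wildcard>" form, e.g. 10.2.1.0 0.0.0.255
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _opt_port(tokens):
    """Consume an optional 'eq <port>' operator following an address."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return _port(tokens.pop(0))
    return None


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p] [established]'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, sport = _addr(rest), _opt_port(rest)
    dst, dport = _addr(rest), _opt_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport,
            "established": bool(rest) and rest[0] == "established"}


def parse_acl(text):
    """Parse an ACL body, skipping blank, '!' comment and 'remark' lines."""
    return [parse_ace(l) for l in text.strip().splitlines()
            if l.strip() and not l.lstrip().startswith(("!", "remark"))]


def _in(addr, spec):
    """IOS wildcard-mask match: bits set in the wildcard are don't-care bits."""
    net, wild = spec
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not _in(int(ipaddress.IPv4Address(pkt["src"])), ace["src"]):
        return False
    if not _in(int(ipaddress.IPv4Address(pkt["dst"])), ace["dst"]):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    if ace["established"] and not pkt.get("ack", False):
        return False
    return True


def classify(pkt, classes):
    """Return the first class whose ACL permits pkt, else 'class-default'."""
    for name, aces in classes:
        for ace in aces:
            if ace_matches(ace, pkt):
                if ace["action"] == "permit":
                    return name
                break  # an explicit deny means "not this class"; try the next one
    return "class-default"


CLASSES = [(name, parse_acl(text)) for name, text in SAMPLE_ACLS]

if __name__ == "__main__":
    # Constructed sample packets: BGP from the known peer, OSPF hello, SSH from
    # inside and outside the management subnet, and a TACACS reply with/without ACK.
    samples = [
        {"proto": "tcp", "src": "192.168.1.1", "dst": "10.1.1.1", "sport": 50000, "dport": 179},
        {"proto": "ospf", "src": "10.1.1.2", "dst": "224.0.0.5"},
        {"proto": "tcp", "src": "10.2.1.55", "dst": "10.1.1.1", "sport": 40000, "dport": 22},
        {"proto": "tcp", "src": "10.9.9.9", "dst": "10.1.1.1", "sport": 40000, "dport": 22},
        {"proto": "tcp", "src": "10.2.1.1", "dst": "10.1.1.1", "sport": 49, "dport": 4000, "ack": True},
        {"proto": "tcp", "src": "10.2.1.1", "dst": "10.1.1.1", "sport": 49, "dport": 4000},
    ]
    for pkt in samples:
        print(f"{pkt['proto']} {pkt['src']} -> {pkt['dst']}: {classify(pkt, CLASSES)}")
```

Running the script shows that SSH from outside 10.2.1.0/24 and a TACACS reply without the ACK bit both land in class-default, which is the case the text warns about: anything the explicit classes miss is policed by whatever rate the default policy sets, so it is worth enumerating expected control-plane flows against the ACLs before applying the service policy.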