Default Policing Policies - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x

Configuring Control Plane Policing

Default Policing Policies

When you bring up your Cisco NX-OS device for the first time, the Cisco NX-OS software installs the default
copp-system-p-policy-strict policy to protect the supervisor module from DoS attacks. You can set the level
of protection by choosing one of the following CoPP policy options from the initial setup utility:
• Strict—This policy is 1 rate and 2 color.
• Moderate—This policy is 1 rate and 2 color. The important class burst size is greater than the strict policy
  but less than the lenient policy.
• Lenient—This policy is 1 rate and 2 color. The important class burst size is greater than the moderate
  policy but less than the dense policy.
• Dense—This policy is 1 rate and 2 color. The policer CIR values are less than the strict policy.
• Skip—No control plane policy is applied. (Cisco does not recommend using the Skip option because it
  will impact the control plane of the network.)
If you do not select an option or choose not to execute the setup utility, the software applies strict policing.
We recommend that you start with the strict policy and later modify the CoPP policies as required.
Note
Strict policing is not applied by default when using POAP, so you must configure a CoPP policy.
The copp-system-p-policy policy has optimized values suitable for basic device operations. You must add
specific class and access-control list (ACL) rules that meet your DoS protection requirements. The default
CoPP policy does not change when you upgrade the software.
Caution
Selecting the skip option and not subsequently configuring CoPP protection can leave your Cisco NX-OS
device vulnerable to DoS attacks.
You can reassign the CoPP default policy by entering the setup utility again using the setup command from
the CLI prompt or by using the copp profile command.

Related Topics
Changing or Reapplying the Default CoPP Policy

Default Class Maps

The copp-system-class-critical class has the following configuration:
class-map type control-plane match-any copp-system-p-class-critical
  match access-group name copp-system-p-acl-bgp
  match access-group name copp-system-p-acl-rip
  match access-group name copp-system-p-acl-vpc
  match access-group name copp-system-p-acl-bgp6
  match access-group name copp-system-p-acl-ospf
  match access-group name copp-system-p-acl-rip6
  match access-group name copp-system-p-acl-eigrp
  match access-group name copp-system-p-acl-ospf6
  match access-group name copp-system-p-acl-eigrp6
  match access-group name copp-system-p-acl-auto-rp
  match access-group name copp-system-p-acl-mac-l3-isis
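
The policy options listed under Default Policing Policies are each described as "1 rate and 2 color" and differ in burst size or CIR. The following is an added illustration, not taken from the Cisco guide, of how such a policer behaves as a token bucket. The CIR and burst figures, the traffic pattern, and the drop action for violating packets are assumptions made for the example and are not Cisco's default values.

```python
"""Single-rate, two-color policer as a token bucket (added illustration).
All CIR/burst figures and the traffic are constructed, not Cisco defaults."""

UNITS = 1000  # bucket is counted in 1/1000 packet so the arithmetic stays integer


class Policer:
    def __init__(self, cir_pps: int, burst_pkts: int):
        self.cir_pps = cir_pps              # the single rate (CIR), packets/second
        self.depth = burst_pkts * UNITS     # committed burst size = bucket depth
        self.tokens = self.depth            # bucket starts full
        self.last_ms = 0

    def offer(self, now_ms: int) -> str:
        """Colour one packet arriving at now_ms (milliseconds)."""
        # Refill at CIR for the elapsed time, never beyond the burst size.
        # cir_pps packets/s == cir_pps milli-packets per millisecond.
        refill = (now_ms - self.last_ms) * self.cir_pps
        self.tokens = min(self.depth, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= UNITS:
            self.tokens -= UNITS
            return "conform"    # first colour: passed to the control plane
        return "violate"        # second colour: assumed dropped in this sketch


def run(cir_pps: int, burst_pkts: int, arrivals_ms: list[int]) -> dict[str, int]:
    policer = Policer(cir_pps, burst_pkts)
    counts = {"conform": 0, "violate": 0}
    for t in arrivals_ms:
        counts[policer.offer(t)] += 1
    return counts


def sample_traffic() -> list[int]:
    """Constructed load: 200 packets at once, then 100 pps for one second."""
    return [0] * 200 + [1000 + 10 * i for i in range(100)]


if __name__ == "__main__":
    for label, cir, burst in [("baseline", 100, 32),
                              ("larger burst", 100, 128),
                              ("lower CIR", 50, 32)]:
        print(f"{label:13} cir={cir:3} burst={burst:3}", run(cir, burst, sample_traffic()))
```

With this load, a larger burst size only admits more of the initial spike, while a lower CIR also drops part of the sustained traffic once the bucket has drained.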