Traffic Classification Guidelines; Sample Basic Acls For Copp Traffic Classification - Cisco 7604 Configuration Manual

Cisco IOS Software Configuration Guide
Chapter 36
Configuring Denial of Service Protection

Defining Traffic Classification

Before you develop the actual CoPP policy, you must identify and separate the required traffic into different classes. Traffic is grouped into nine classes that are based on relative importance. The actual number of classes needed might differ and should be selected based on your local requirements and security policies.

Default—All remaining traffic destined for the MSFC that has not been identified. MQC provides the default class, so the user can specify the treatment to be applied to traffic not explicitly identified in the other user-defined classes. This traffic has a highly reduced rate of access to the MSFC. With a default classification in place, statistics can be monitored to determine the rate of otherwise unidentified traffic destined for the control plane. After this traffic is identified, further analysis can be performed to classify it and, if needed, the other CoPP policy entries can be updated to accommodate this traffic.

After you have classified the traffic, the ACLs build the classes of traffic that are used to define the policies. For sample basic ACLs for CoPP classification, see the "Sample Basic ACLs for CoPP Traffic Classification" section on page 36-33.

Traffic Classification Guidelines

When defining traffic classification, follow these guidelines and restrictions:

You do not have to define policies that match bidirectionally. You only need to identify traffic unidirectionally (from the network to the MSFC) since the policy is applied on ingress only.

Sample Basic ACLs for CoPP Traffic Classification

This section shows sample basic ACLs for CoPP classification. In the samples, the commonly required traffic is identified with these ACLs:

ACL 120—Critical traffic
ACL 121—Important traffic
ACL 122—Normal traffic
ACL 123—Explicitly denies unwanted traffic
ACL 124—All other traffic

This example shows how to define ACL 120 for critical traffic:

    Router(config)# access-list 120 remark CoPP ACL for critical traffic

This example shows how to allow BGP from a known peer to this router's BGP TCP port:

    Router(config)# access-list 120 permit tcp host 47.1.1.1 host 10.9.9.9 eq bgp

This example shows how to allow BGP from a peer's BGP port to this router:

    Router(config)# access-list 120 permit tcp host 47.1.1.1 eq bgp host 10.9.9.9

The same pair of entries is repeated for a second known BGP peer:

    Router(config)# access-list 120 permit tcp host 10.86.183.120 host 10.9.9.9 eq bgp
    Router(config)# access-list 120 permit tcp host 10.86.183.120 eq bgp host 10.9.9.9

This example shows how to define ACL 121 for the important class:

    Router(config)# access-list 121 remark CoPP Important traffic

This example shows how to permit return traffic from the TACACS host:

    Router(config)# access-list 121 permit tcp host 1.1.1.1 host 10.9.9.9 established

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX    OL-4266-08    36-33
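As an added example (not from the configuration guide), the fragment below shows how the five sample ACLs are bound to MQC classes and attached to the control plane on ingress, which is what the unidirectional guideline above relies on. The entries for ACLs 121 to 124 beyond those in the text, the class names, the NMS address 10.0.0.50 and the police rates are assumptions chosen for illustration; 10.9.9.9 stands for the router's own address as in the samples.

```ios
! Added example, not from the guide. Hosts other than those in the sample
! ACLs, class names and police rates are assumed values.
! Critical: BGP from a known peer, both directions of the TCP session as
! seen on ingress toward the MSFC (from the sample ACL 120)
access-list 120 remark CoPP ACL for critical traffic
access-list 120 permit tcp host 47.1.1.1 host 10.9.9.9 eq bgp
access-list 120 permit tcp host 47.1.1.1 eq bgp host 10.9.9.9
! Important: TACACS return traffic (from the sample) plus SNMP from an
! assumed management station
access-list 121 remark CoPP Important traffic
access-list 121 permit tcp host 1.1.1.1 host 10.9.9.9 established
access-list 121 permit udp host 10.0.0.50 host 10.9.9.9 eq snmp
! Normal: ICMP echo to the router so troubleshooting keeps working
access-list 122 remark CoPP Normal traffic
access-list 122 permit icmp any host 10.9.9.9 echo
! Undesirable: use permit so the traffic matches the class and the
! policer drops it; a deny here would push it into the default class
access-list 123 remark CoPP Undesirable traffic
access-list 123 permit icmp any any fragments
! Everything not matched above; monitor this class to find traffic that
! still needs explicit classification
access-list 124 remark CoPP Default traffic
access-list 124 permit ip any any
! One class per ACL; match-any allows more ACLs to be added later
class-map match-any CoPP-critical
 match access-group 120
class-map match-any CoPP-important
 match access-group 121
class-map match-any CoPP-normal
 match access-group 122
class-map match-any CoPP-undesirable
 match access-group 123
class-map match-any CoPP-default
 match access-group 124
! Rates are bps with burst in bytes; derive real values from baselines
policy-map CoPP
 class CoPP-critical
  police 5000000 8000 conform-action transmit exceed-action transmit
 class CoPP-important
  police 1000000 8000 conform-action transmit exceed-action drop
 class CoPP-normal
  police 500000 8000 conform-action transmit exceed-action drop
 class CoPP-undesirable
  police 8000 1500 conform-action drop exceed-action drop
 class CoPP-default
  police 100000 8000 conform-action transmit exceed-action drop
! Ingress only: classification is from the network toward the MSFC
control-plane
 service-policy input CoPP
```

Use show policy-map control-plane to watch the conform and exceed counters per class; a growing CoPP-default count points to traffic that should be classified explicitly.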