cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1107
Views
2
Helpful
14
Replies

IOS IPv6 CoPP

cardosocristian
Level 1
Level 1

I'm trying to configure IPv6 access for a BGP session and I want to control this through CoPP, to have more control plane security on my Cisco router with IOS, I did an initial configuration and it continues to accept connections from IPs that I didn't include in the ACL, follow my test:

 

ipv6 access-list eBGPv6
permit tcp host 2804:DB8:1000::1 eq bgp any
deny ipv6 any any
!

class-map match-all CONTROL-PLANE
match access-group name eBGPv6
!
policy-map COPP
class CONTROL-PLANE
police 8000 1500 conform-action transmit exceed-action drop


control-plane
service-policy input COPP

Does anyone happen to use CoPP and could help me?

1 Accepted Solution

Accepted Solutions

Hi @MHM Cisco World ,

ACLs can't be applied at the loopback interface level. This definitely needs to be done at the physical interface level.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

14 Replies 14

You control rate by CoPP for BGP

What you want to get form this CoPP

MHM

cardosocristian
Level 1
Level 1

The idea is to only release this IPv6 2804:DB8:1000::1 to connect to the BGP port of my router

Check below link

MHM

Hello,

I think in any case you need to apply the ACL to the neighbor as well:

neighbor <neighbor IPv6 address> filter-list  eBGPv6 in

cardosocristian
Level 1
Level 1

Is the idea to apply Control Plane Police to carry out these blockades or is that not what it is for?

You can apply ACL in interface but what if you have many interfaces 

So the solution is put it back and config CoPP in CPU. 

MHM

cardosocristian
Level 1
Level 1

I understood that, I just wanted to understand if my example there is correct or if anyone here has any considerations or configuration examples for me to test and evolve the configuration here, I even used the RFC example and I was unsuccessful.

Hi @cardosocristian ,

The behavior you are seeing is normal. The traffic that does match the class CONTROL-PLANE will be handle by the class default. You can see that using the "show policy-map control-plane" command.

BTW, CoPP is not the best way to block BGP sessions. I would definitely go with an ACL for that purpose.

Regards,

Regards, 

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

cardosocristian
Level 1
Level 1

I come from the Juniper world, where I can apply firewall filters, like acl's on the router's loopback that can filter source IP's for the services I want to allow access to, there is something similar in Cisco or the most common is to use ACL's on interfaces directly ?

Hi @cardosocristian ,

something similar in Cisco or the most common is to use ACL's on interfaces directly

Yes, configuring the ACL directly on the physical interface would be the recommend approach.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

I fast try use ACL under LO and it not work.

So for LO I think you have one option which is use CoPP

MHM

Hi @MHM Cisco World ,

ACLs can't be applied at the loopback interface level. This definitely needs to be done at the physical interface level.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Review Cisco Networking for a $25 gift card