I have a discussion with a customer that has made me question my own understanding of control plane policing.
They noticed that, although they could use CoPP in older IOS routers to restrict access to the inband management plane to a specific host or subset of hosts, they cannot do the same for the OOB interface of a more modern L3 switch running IOS XE. On the same switch, it works fine on an inband mgmt SVI.
They are using a config template that looks like this:
a) Mgmt access via SVI
interface Vlan123
 description mgmt SVI
 ip address 220.127.116.11 255.255.255.0
They are saying that although the first scenario works (meaning: only hosts in ACL 121, in this case only host 18.104.22.168, can reach the mgmt plane and UDP traffic is policed to 1 Mbps) the second scenario does not, because even in the absence of an ACL entry, host 22.214.171.124 can reach the device or send as much traffic volume as it wants - it is not policed.
Also, in the case of the SVI, if the host is removed from the ACL, it is completely blocked from accessing the device - making the difference between SVI and OOB even more apparent.
But, what I don't understand is why, in their template, a host that is not in the ACL permit entries is blocked from accessing the SVI (this behavior is probably what led them to believe that CoPP can be used for access restriction). Is there some equivalent to implicit deny at work here? Why would a CoPP config, that does only policing and doesn't contain an explicit drop statement, deny a host from using a protocol?
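To make the classification question above concrete, here is an added Python model of how a CoPP policy-map handles a punted packet; it is illustrative code written for this thread, not the poster's template or any Cisco software. It assumes a constructed ACL 121 that permits only UDP from 18.104.22.168, a 1 Mbps single-rate policer with a 15000-byte burst and exceed-action drop on the matching class, and a class-default with no police statement. The key modelled behaviour is that an ACL under "match access-group" only classifies: a permit means "this class matches", while an explicit or implicit deny means "this class does not match", so the packet falls through to class-default instead of being dropped. What happens to a host outside the ACL therefore depends entirely on what class-default does, which the template in the post does not show.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed ACL 121 (assumption, not the poster's real ACL):
# a single permit for UDP from the management host. Anything else hits
# the implicit deny at the end and therefore does NOT match this class.
ACL_121 = [("permit", "udp", "18.104.22.168/32")]


@dataclass
class Policer:
    """Single-rate token bucket: cir in bit/s, bc in bytes, time in microseconds."""
    cir: int
    bc: int
    tokens: int = field(init=False)
    last_us: int = 0

    def __post_init__(self) -> None:
        self.tokens = self.bc          # bucket starts full

    def offer(self, size: int, now_us: int) -> str:
        # Integer arithmetic keeps the refill exact (no float drift at the threshold).
        refill = (now_us - self.last_us) * self.cir // 8_000_000
        self.tokens = min(self.bc, self.tokens + refill)
        self.last_us = now_us
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"


@dataclass
class CoppClass:
    name: str
    acl: Optional[List[Tuple[str, str, str]]]   # None = class-default (matches all)
    policer: Optional[Policer] = None
    exceed_action: str = "drop"


def acl_matches(acl, src: str, proto: str) -> bool:
    """True only on an explicit permit; a deny or the implicit deny is 'no match'."""
    for action, acl_proto, prefix in acl:
        if acl_proto in (proto, "ip") and ip_address(src) in ip_network(prefix):
            return action == "permit"
    return False


def classify(policy: List[CoppClass], src: str, proto: str) -> CoppClass:
    """First-match walk of the policy-map; class-default catches the rest."""
    for cls in policy:
        if cls.acl is None or acl_matches(cls.acl, src, proto):
            return cls
    raise RuntimeError("policy has no class-default")


def punt(policy, src: str, proto: str, size: int, now_us: int) -> Tuple[str, str]:
    """Return (class name, verdict) for one packet punted to the control plane."""
    cls = classify(policy, src, proto)
    if cls.policer is None:
        return cls.name, "transmit"      # no police statement: everything passes
    if cls.policer.offer(size, now_us) == "conform":
        return cls.name, "transmit"
    return cls.name, cls.exceed_action


def build_policy() -> List[CoppClass]:
    """Two-class policy modelled on the post: policed mgmt class + bare class-default."""
    return [
        CoppClass("MGMT-UDP", ACL_121, Policer(cir=1_000_000, bc=15_000)),
        CoppClass("class-default", None),   # assumption: no police configured here
    ]


def run_stream(policy, src: str, proto: str, pps: int = 250,
               size: int = 1000, seconds: int = 1) -> Dict[Tuple[str, str], int]:
    """Offer `pps` packets/s of `size` bytes (250 x 1000 B = 2 Mbit/s) and count verdicts."""
    counts: Dict[Tuple[str, str], int] = {}
    interval_us = 1_000_000 // pps
    for k in range(pps * seconds):
        key = punt(policy, src, proto, size, k * interval_us)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Host in the ACL, UDP: matches MGMT-UDP and is policed to ~1 Mbit/s.
    print("18.104.22.168 udp ->", run_stream(build_policy(), "18.104.22.168", "udp"))
    # Host not in the ACL, UDP: implicit deny -> class-default -> unpoliced.
    print("22.214.171.124 udp ->", run_stream(build_policy(), "22.214.171.124", "udp"))
    # Same permitted host, but TCP: ACL does not permit it -> class-default.
    print("18.104.22.168 tcp ->", run_stream(build_policy(), "18.104.22.168", "tcp"))
```

Running it shows the host in the ACL getting 139 of 250 packets through the 1 Mbps policer and 111 dropped, while the host outside the ACL (and the permitted host's TCP traffic) lands in class-default and passes untouched. That matches the OOB observation in the post; a host being blocked outright, as on the SVI, would need something in class-default (or another class) that drops, not the ACL's implicit deny by itself.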