10-31-2021 03:22 AM
Hello, I have one N5K-5672UP and a few SVIs with IPv4/IPv6 public IPs. I want to have an ACL and apply that ACL to my UPLINKs to deny internet traffic towards the SVIs. My question is: when I do this, is the ACL working before CoPP? I mean, how does packet flow work in this switch? When the packet enters the switch it will check the ACL, and if I denied it in the ACL, then will it not be checked in CoPP? (Assume that the traffic is towards the control plane and not the data plane.)
Thanks,
10-31-2021 02:43 PM - edited 10-31-2021 02:45 PM
CoPP has no bearing on traffic going THROUGH the switch (transit traffic).
CoPP only polices traffic that is being sent TO an IP owned by the switch itself.
Different types of packets can reach the control plane:
Receive packets
Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and keepalive messages. Multicast packets can also be in this category where packets are sent to multicast addresses that are used by a router.
Exception packets
Packets that need special handling by the supervisor module. For example, if a destination address is not present in the Forwarding Information Base (FIB) and results in a miss, the supervisor module sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options set.
Redirected packets
Packets that are redirected to the supervisor module. Features such as Dynamic Host Configuration Protocol (DHCP) snooping or dynamic Address Resolution Protocol (ARP) inspection redirect some packets to the supervisor module.
Glean packets
If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet and sends an ARP request to the host.
11-01-2021 12:31 AM
Hello,
If you check my first post, I mentioned that I mean traffic towards the control plane, not the data plane (through the switch).
If there is traffic towards the control plane (an IP owned by the switch), when I drop that traffic by ACL, will that traffic not be checked in CoPP?
I want to drop BGP and many other TCP ports in the ACL, so I want to check whether the ACL is checked before the CoPP rules or after the CoPP rules?
11-01-2021 01:15 AM - edited 11-01-2021 04:24 AM
I searched for an official N5K document but did not find one.
What I did find is a document describing the access-list and Control Plane Policing mechanism on each IP network traffic plane.
An interface ACL can restrict all of these traffic forms on ingress before reaching CoPP:
https://tools.cisco.com/security/center/resources/copp_best_practices
In the following article, we see that the ACL is treated before CoPP in NX-OS as well:
https://www.ajsnetworking.com/cisco-nexus-functional-planes/
Hope I helped
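To make the ordering discussed above concrete, here is a small Python model of the ingress path (interface ACL first, then the receive/transit split, then CoPP policing only for packets punted to the supervisor). It is an added illustration, not NX-OS code and not from any poster in this thread; the SVI, peer and external addresses come from documentation ranges, and the ACL entries, CoPP class names and per-interval budgets are constructed for the example. The policer is simplified to a fixed packet budget per interval rather than a real token bucket.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # CIDR
    dst: str                    # CIDR
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class CoppClass:
    name: str
    proto: Optional[str]        # None matches any protocol (class-default)
    dport: Optional[int]
    budget: int                 # packets the policer lets through per interval
    conformed: int = 0
    exceeded: int = 0

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

    def police(self) -> str:
        if self.conformed < self.budget:
            self.conformed += 1
            return "conform"
        self.exceeded += 1
        return "exceed"


@dataclass
class Switch:
    owned_ips: Set[str]         # SVI addresses: the only "receive" destinations
    acl: List[AclEntry]         # ingress ACL applied to the uplink
    copp: List[CoppClass]       # evaluated in order; last entry is class-default
    acl_denied: int = 0
    forwarded: int = 0

    def ingress(self, p: Packet) -> str:
        # Step 1: interface ACL, first match wins, implicit deny at the end.
        for entry in self.acl:
            if entry.matches(p):
                if entry.action == "deny":
                    self.acl_denied += 1
                    return "acl-deny"
                break
        else:
            self.acl_denied += 1
            return "acl-deny"
        # Step 2: transit packets are forwarded in hardware and never see CoPP.
        if p.dst not in self.owned_ips:
            self.forwarded += 1
            return "forwarded"
        # Step 3: receive packets are policed by the first matching CoPP class.
        for cls in self.copp:
            if cls.matches(p):
                return "copp-%s-%s" % (cls.name, cls.police())
        raise AssertionError("class-default must match every packet")


SVI = "203.0.113.1"          # constructed SVI address owned by the switch
BGP_PEER = "198.51.100.7"    # constructed BGP neighbour allowed to reach the SVI
INTERNET = "192.0.2.99"      # constructed external source


def build_switch() -> Switch:
    # Constructed ACL: only the known peer may open BGP to the SVI.
    acl = [
        AclEntry("permit", "tcp", BGP_PEER + "/32", SVI + "/32", 179),
        AclEntry("deny", "tcp", "0.0.0.0/0", SVI + "/32", 179),
        AclEntry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
    ]
    # Constructed CoPP classes with hypothetical budgets.
    copp = [
        CoppClass("bgp", "tcp", 179, budget=100),
        CoppClass("icmp", "icmp", None, budget=20),
        CoppClass("default", None, None, budget=10),
    ]
    return Switch({SVI}, acl, copp)


def run_scenario() -> Dict[str, int]:
    sw = build_switch()
    results: Dict[str, int] = {}
    traffic = (
        [Packet(INTERNET, SVI, "tcp", 179)] * 500             # unsolicited BGP from the internet
        + [Packet(BGP_PEER, SVI, "tcp", 179)] * 5              # legitimate BGP keepalives
        + [Packet(INTERNET, SVI, "icmp")] * 50                 # ping burst at the SVI
        + [Packet(INTERNET, "203.0.113.50", "tcp", 443)] * 30  # transit to a host behind the SVI
    )
    for p in traffic:
        verdict = sw.ingress(p)
        results[verdict] = results.get(verdict, 0) + 1
    # How many packets the BGP CoPP class actually had to police.
    results["copp_bgp_seen"] = sw.copp[0].conformed + sw.copp[0].exceeded
    return results
```

Running `run_scenario()` shows the 500 unsolicited BGP packets counted as `acl-deny` while the BGP CoPP class only ever sees the 5 keepalives from the permitted peer; the ICMP burst, which the ACL permits, is where CoPP does the work (20 conform, 30 exceed), and the transit packets are forwarded without touching CoPP at all.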