
N5K-5672UP ACL order

blackmetal, Level 1

Hello, I have one N5K-5672UP and a few SVIs with IPv4/IPv6 public IPs. I want to have an ACL and apply that ACL to my uplinks to deny Internet traffic towards the SVIs. My question is: when I do this, is the ACL applied before CoPP? I mean, how does the packet flow work in this switch? When the packet enters the switch it will be checked against the ACL, and if I denied it in the ACL, will it then not be checked by CoPP? (Assume that the traffic is towards the control plane and not the data plane.)

Thanks,

3 Replies

pman, Spotlight

CoPP has no bearing on traffic going THROUGH the switch (transit traffic).

CoPP only polices traffic that is being sent TO an IP owned by the switch itself.


Different types of packets can reach the control plane:


Receive packets

Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and keepalive messages. Multicast packets can also be in this category where packets are sent to multicast addresses that are used by a router.

Exception packets

Packets that need special handling by the supervisor module. For example, if a destination address is not present in the Forwarding Information Base (FIB) and results in a miss, the supervisor module sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options set.

Redirected packets

Packets that are redirected to the supervisor module. Features such as Dynamic Host Configuration Protocol (DHCP) snooping or dynamic Address Resolution Protocol (ARP) inspection redirect some packets to the supervisor module.

Glean packets

If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet and sends an ARP request to the host.


https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/security/7x/b_5600_Security_Config_7x/b_6k_Security_Config_7x_chapter_01011.html#con_1067877

blackmetal, Level 1

Hello,

If you check my first post, I mentioned that I mean traffic towards the control plane, not the data plane (through the switch).

If there is traffic towards the control plane (an IP owned by the switch) and I drop that traffic with an ACL, will it then not be checked by CoPP?

I want to drop BGP and many other TCP ports in the ACL, so I want to know whether the ACL is checked before the CoPP rules or after the CoPP rules.

pman, Spotlight

I searched for an official N5K document but did not find one.

What I did find is a document describing the access-list and Control Plane Policing mechanism on each IP network traffic plane.

An interface ACL can restrict all of these traffic forms on ingress, before they reach CoPP:

[Figure: Fig2-2_coppw.gif]


https://tools.cisco.com/security/center/resources/copp_best_practices


In the following article, we see that the ACL is processed before CoPP in NX-OS as well:
https://www.ajsnetworking.com/cisco-nexus-functional-planes/


Hope I helped.
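An added worked example, not taken from this thread or from Cisco's documentation, of how the ordering described above can be put to use on NX-OS: an ingress port ACL on the uplink drops Internet-sourced BGP and management traffic aimed at the switch's own SVI addresses, so those packets are discarded at the interface and never consume the CoPP policer budget for the BGP or management classes. The interface name Ethernet1/49, the trunk uplink, and the documentation prefixes 203.0.113.0/24 and 2001:db8:1::/64 standing in for the SVI subnets are all assumptions; for a routed (Layer 3) uplink the equivalent apply commands are `ip access-group` and `ipv6 traffic-filter` instead of the port-ACL forms shown here.

```cisco
! Added example, not from the original post. Assumed: uplink Ethernet1/49 is a
! trunk, the public SVIs live in 203.0.113.0/24 and 2001:db8:1::/64.
! Replace every prefix and interface name with your own values.

ip access-list UPLINK-IN
  ! Per-entry hit counters so the drops can be verified below
  statistics per-entry
  ! If you peer BGP with a neighbour across this uplink, add a more specific
  ! permit for that peer here (sequence 5) or the peering will be dropped.
  ! Drop BGP (TCP/179) aimed at the switch's own SVI addresses
  10 deny tcp any 203.0.113.0/24 eq bgp
  ! Drop management ports that must never be reachable from the Internet
  20 deny tcp any 203.0.113.0/24 eq 22
  30 deny tcp any 203.0.113.0/24 eq 23
  ! Everything else is transit traffic for the hosts behind the SVIs
  40 permit ip any any

ipv6 access-list UPLINK-IN-V6
  statistics per-entry
  10 deny tcp any 2001:db8:1::/64 eq bgp
  20 deny tcp any 2001:db8:1::/64 eq 22
  30 permit ipv6 any any

interface Ethernet1/49
  description Uplink to ISP (assumed trunk)
  switchport mode trunk
  ! Port ACLs: applied on ingress, i.e. before the packet is classified for CoPP
  ip port access-group UPLINK-IN in
  ipv6 port traffic-filter UPLINK-IN-V6 in

! Verification:
!   show ip access-lists UPLINK-IN          (deny counters climb on a port scan
!                                            of the SVI addresses from outside)
!   show policy-map interface control-plane (CoPP class counters for BGP stay
!                                            flat for the same scan, because the
!                                            packets were already dropped)
```

Two caveats worth keeping in mind: the ACL only sits on the uplink, so the same ports remain reachable from inside hosts on those VLANs, and CoPP should stay in place as the second layer, since anything the ACL permits (and anything that arrives on an interface without the ACL) is still rate-limited only by CoPP.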
