UCS6100 support of COPP

HUBERT RESCH
Participant

Does UCS have any configurable Control-Plane-Policing (CoPP) or any other DoS features for the UCS6100 Control-Plane?

Thx

Hubert


Manish Tandon
Cisco Employee

Hubert

CoPP functionality is enabled by default but is not yet configurable/viewable.

Packets going to the SUP from the 10 GB ports are ACL protected and also rate limited.

--Manish

Hi Manish, is there a document where this is described, maybe with the values for the limits?

If I understand correctly there is a default CoPP built in. Does this also work for the Mgmt-Interface, for the case the Mgmt IP is attacked?

Thx

Hubert

Hubert

Unfortunately we do not have a public document on the default CoPP functionality.

The CoPP is in place for traffic from 10 GB ports to the SUP only.

In EHM mode of operation, we do not process BPDUs etc. and have very set rules for traffic handling, to name a few.

For the external 1 gig mgmt port, you will need to protect it via a firewall or acls.

We do have a list of ports which are opened to come up with the firewall or acl config.

Hope it helps and apologize for the non-availability of an external doc on this.

--Manish

Hi Manish,

- In End Host Mode it's clear there should not be any packets coming to the CPU?

- In Switching Mode, are BPDUs etc. rate-limited?

Anyway, because all Mgmt is running over the OOB Mgmt port, this should be the only interface which could be attacked by broadcasts, SYN etc., correct?

If an attacker can bring down the Management, is the Switch/Interconnect still forwarding traffic? Should be, because OOB Management should be separated from the Switch Control-Plane?

Any comments on this ?

Thx

Hubert

Yes, a policer is always in place.

Knowing that server ports only connect to servers helps too as we know what all control traffic is expected.

Yes, all mgmt traffic goes through mgmt port (physical wire i.e) but ip might differ as kvm ip's are natted through that interface.

Not tough to create acl rules given the udp/tcp port numbers.

--Manish
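As an added illustration of the upstream ACL approach Manish describes for the 1 gig mgmt port (this is example config, not from this thread or from Cisco's UCS documentation), the following IOS-style extended ACL restricts access to the Fabric Interconnect mgmt IPs and to the KVM IP pool that is NATted through the same interface. All addresses, the VLAN number and the KVM port are assumed placeholders; TCP 443 and 22 for UCS Manager HTTPS/SSH are assumptions too, so take the real port list from Cisco before applying it.

```cisco
! Added example, not part of the original thread. Assumed values:
!   10.1.1.10 / 10.1.1.11  = FI-A / FI-B mgmt IPs (placeholders)
!   10.1.1.0/24            = OOB mgmt subnet, also holds the NATted KVM IP pool
!   10.9.0.0/24            = admin workstation subnet allowed to manage UCS
!   <KVM-PORT>             = KVM console TCP port from Cisco's open-port list
ip access-list extended PROTECT-UCS-MGMT
 remark UCS Manager HTTPS/SSH from the admin subnet only (ports assumed)
 permit tcp 10.9.0.0 0.0.0.255 host 10.1.1.10 eq 443
 permit tcp 10.9.0.0 0.0.0.255 host 10.1.1.10 eq 22
 permit tcp 10.9.0.0 0.0.0.255 host 10.1.1.11 eq 443
 permit tcp 10.9.0.0 0.0.0.255 host 10.1.1.11 eq 22
 remark KVM IPs are NATted through the mgmt wire, so they share the subnet
 permit tcp 10.9.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq <KVM-PORT>
 remark reachability checks from admins, nothing else
 permit icmp 10.9.0.0 0.0.0.255 10.1.1.0 0.0.0.255 echo
 remark stateless ACL: replies to sessions the FI opens itself (NTP, DNS,
 remark syslog, Call Home) need explicit permits or a stateful firewall
 permit udp any eq 123 10.1.1.0 0.0.0.255
 permit udp any eq 53 10.1.1.0 0.0.0.255
 remark everything else aimed at the mgmt segment is dropped and logged
 deny ip any any log
!
interface Vlan100
 description UCS OOB management VLAN (assumed VLAN id)
 ! applied outbound on the SVI so it filters traffic routed INTO the mgmt VLAN
 ip access-group PROTECT-UCS-MGMT out
```

The `log` keyword on the final deny gives a cheap detection signal for scans or floods aimed at the mgmt segment, which the built-in CoPP on the 10 GB ports does not cover.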

Thx a lot

Hubert
