I am trying to understand how CoPP works on a single L3 switch that is configured for inter vlan routing and as the RP for our pim sparse-mode set up (between 2 VLANs only). There is no connection to an external network and there is no other routing device.
When configuring CoPP (CoPP_CRITICAL), do I need to allow PIM or IGMP traffic at all? If I leave it out, should I expect any issues with devices creating and joining multicast groups?
Is there anything else I should add to these statements? If the only connections I expect to utilize are SSH, TFTP and HTTPS are the below rule sets sufficient? I am using STIGs and best practices from the Cisco site to configure these, just want to ensure I do not cause any unintentional issues.
ip pim rp-address 10.1.15.254
ip pim spt-threshold infinity
Vlan 200
10.200.7.254 0.0.248.255
no ip redirects
no ip unreachables
no ip proxy-arp
Vlan 201
10.200.15.254 0.0.248.255
ip pim sparse-mode
no ip redirects
no ip unreachables
no ip proxy-arp
Vlan 202
10.200.23.254 0.0.248.255
ip pim sparse-mode
no ip redirects
no ip unreachables
no ip proxy-arp
Vlan 204
Description MGMT VLAN
10.200.29.254 0.0.254.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-list extended CoPP_CRITICAL
remark permitted control plane traffic
permit pim host 10.200.15.254 any
permit igmp any 224.0.0.0 15.255.255.255
deny ip any any
ip access-list extended CoPP_IMPORTANT
permit tcp 10.200.28.0 0.0.254.255 any eq 22
permit udp 10.200.28.0 0.0.254.255 any eq 69
permit tcp 10.200.28.0 0.0.254.255 eq 443
permit udp any host 10.200.7.254 eq ntp
permit udp host 10.200.31.253 host 10.200.29.254 eq ntp
deny ip any any
ip access-list extended CoPP_NORMAL
remark rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
ip access-list extended CoPP_UNDESIRABLE
remark restrict other management plane traffic that should not be received
permit udp any any eq snmp
permit tcp any any eq 23
remark restrict fragments
permit icmp any any fragments
permit udp any any fragments
permit tcp any any fragments
permit ip any any fragments
remark restrict control plane traffic not configured on switch
permit ospf any any
permit eigrp any any
permit tcp any any eq bgp
permit udp any any eq rip
deny ip any any
ip access-list extended CoPP_DEFAULT
permit ip any any
class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
exit
policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
class CoPP_DEFAULT
police 64000 1000 conform-action transmit exceed-action drop
control-plane
service-policy input CONTROL_PLANE_POLICY