CoPP on a single L3 switch

J_Rega
Level 1

I am trying to understand how CoPP works on a single L3 switch that is configured for inter-VLAN routing and as the RP for our PIM sparse-mode setup (between 2 VLANs only). There is no connection to an external network and there is no other routing device.

When configuring CoPP (CoPP_CRITICAL), do I need to allow PIM or IGMP traffic at all? If I leave it out, should I expect any issues with devices creating and joining multicast groups?

Is there anything else I should add to these statements? If the only connections I expect to utilize are SSH, TFTP and HTTPS, are the rule sets below sufficient? I am using STIGs and best practices from the Cisco site to configure these; I just want to ensure I do not cause any unintentional issues.

ip pim rp-address 10.1.15.254
ip pim spt-threshold infinity

interface Vlan200
ip address 10.200.7.254 0.0.248.255
no ip redirects
no ip unreachables
no ip proxy-arp

interface Vlan201
ip address 10.200.15.254 0.0.248.255
ip pim sparse-mode
no ip redirects
no ip unreachables
no ip proxy-arp

interface Vlan202
ip address 10.200.23.254 0.0.248.255
ip pim sparse-mode
no ip redirects
no ip unreachables
no ip proxy-arp

interface Vlan204
description MGMT VLAN
ip address 10.200.29.254 0.0.254.255
no ip redirects
no ip unreachables
no ip proxy-arp

ip access-list extended CoPP_CRITICAL
remark permitted control plane traffic 
permit pim host 10.200.15.254 any
permit igmp any 224.0.0.0 15.255.255.255
deny ip any any

ip access-list extended CoPP_IMPORTANT
permit tcp 10.200.28.0 0.0.254.255 any eq 22
permit udp 10.200.28.0 0.0.254.255 any eq 69
permit tcp 10.200.28.0 0.0.254.255 any eq 443
permit udp any host 10.200.7.254 eq ntp
permit udp host 10.200.31.253 host 10.200.29.254 eq ntp
deny ip any any

ip access-list extended CoPP_NORMAL
remark rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any

ip access-list extended CoPP_UNDESIRABLE
remark restrict other management plane traffic that should not be received
permit udp any any eq snmp
permit tcp any any eq 23
remark restrict fragments 
permit icmp any any fragments
permit udp any any fragments
permit tcp any any fragments
permit ip any any fragments
remark restrict control plane traffic not configured on switch
permit ospf any any
permit eigrp any any
permit tcp any any eq bgp
permit udp any any eq rip
deny ip any any

ip access-list extended CoPP_DEFAULT
permit ip any any


class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
exit

policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
class CoPP_DEFAULT
police 64000 1000 conform-action transmit exceed-action drop

control-plane
service-policy input CONTROL_PLANE_POLICY

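The following is an added example, not code from the post above and not from Cisco: a small Python model of the posted CoPP policy that encodes the class-maps and ACLs as ordered data and reports which class a given control-plane packet would land in. It evaluates wildcard masks the way IOS does (bitwise, a 1 bit means "do not compare", so a mask need not be contiguous), which is what makes it useful as a check on the posted ACLs. Simplifications and assumptions: the HTTPS entry is modelled as `10.200.28.0 0.0.254.255 any eq 443` (the posted line has no destination field), the `fragments` entries in CoPP_UNDESIRABLE are not modelled, ICMP is matched by type name, and the function and variable names (`classify`, `police_action`, `SAMPLES`, ...) are this example's own. The sample packets are constructed for the demo.

```python
"""Model of the posted CoPP class order and ACLs (added example, not the post's config)."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def host(addr):
    """Equivalent of the IOS 'host A.B.C.D' keyword: exact-match wildcard."""
    return (addr, "0.0.0.0")


def wildcard_match(addr, network, wildcard):
    """IOS ACL semantics: compare only the address bits that are 0 in the wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def cidr_to_wildcard(prefix):
    """Network address and contiguous wildcard for a CIDR prefix (e.g. a /23)."""
    net = ipaddress.IPv4Network(prefix)
    return str(net.network_address), str(net.hostmask)


# ACE = (protocol, (src, src_wildcard), (dst, dst_wildcard), qualifier)
# qualifier: destination port for tcp/udp, set of ICMP type names for icmp, else None.
MGMT = ("10.200.28.0", "0.0.254.255")     # source network exactly as written in the post
MCAST = ("224.0.0.0", "15.255.255.255")
ACLS = {
    "CoPP_CRITICAL": [
        ("pim", host("10.200.15.254"), ANY, None),
        ("igmp", ANY, MCAST, None),
    ],
    "CoPP_IMPORTANT": [
        ("tcp", MGMT, ANY, 22),
        ("udp", MGMT, ANY, 69),
        ("tcp", MGMT, ANY, 443),           # assumption: destination 'any', as the SSH/TFTP lines
        ("udp", ANY, host("10.200.7.254"), 123),
        ("udp", host("10.200.31.253"), host("10.200.29.254"), 123),
    ],
    "CoPP_NORMAL": [
        ("icmp", ANY, ANY, {"echo", "echo-reply", "time-exceeded", "unreachable"}),
    ],
    "CoPP_UNDESIRABLE": [                  # 'fragments' entries not modelled
        ("udp", ANY, ANY, 161),
        ("tcp", ANY, ANY, 23),
        ("ospf", ANY, ANY, None),
        ("eigrp", ANY, ANY, None),
        ("tcp", ANY, ANY, 179),
        ("udp", ANY, ANY, 520),
    ],
    "CoPP_DEFAULT": [("ip", ANY, ANY, None)],
}
# Classes in policy-map order; the tuple holds non-ACL matches ('match protocol arp').
CLASSES = [("CoPP_CRITICAL", ()), ("CoPP_IMPORTANT", ("arp",)), ("CoPP_NORMAL", ()),
           ("CoPP_UNDESIRABLE", ()), ("CoPP_DEFAULT", ())]
POLICE = {  # class -> (rate in bps, conform-action, exceed-action), from the post
    "CoPP_CRITICAL": (512000, "transmit", "transmit"),
    "CoPP_IMPORTANT": (256000, "transmit", "drop"),
    "CoPP_NORMAL": (128000, "transmit", "drop"),
    "CoPP_UNDESIRABLE": (8000, "drop", "drop"),
    "CoPP_DEFAULT": (64000, "transmit", "drop"),
}


def ace_matches(ace, pkt):
    proto, src, dst, qual = ace
    if proto == "ip":                      # 'ip' covers every IP protocol, but not ARP
        if pkt["proto"] == "arp":
            return False
    elif proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
        return False
    if qual is None:
        return True
    if proto in ("tcp", "udp"):
        return pkt.get("dport") == qual
    return pkt.get("icmp_type") in qual    # icmp: qualifier is a set of type names


def classify(pkt):
    """First class (in policy order) that permits the packet; None means class-default."""
    for cls, protos in CLASSES:
        if pkt["proto"] in protos or any(ace_matches(a, pkt) for a in ACLS[cls]):
            return cls
    return None


def police_action(pkt, conforming=True):
    cls = classify(pkt)
    if cls is None:
        return "unpoliced"
    _rate, conform, exceed = POLICE[cls]
    return conform if conforming else exceed


SAMPLES = {  # constructed packets for the demo
    "igmp join from host":     {"proto": "igmp", "src": "10.200.15.10", "dst": "224.0.0.22"},
    "pim from a host":         {"proto": "pim", "src": "10.200.15.10", "dst": "224.0.0.13"},
    "ssh from 10.200.29.10":   {"proto": "tcp", "src": "10.200.29.10", "dst": "10.200.29.254", "dport": 22},
    "ssh from 10.200.2.1":     {"proto": "tcp", "src": "10.200.2.1", "dst": "10.200.29.254", "dport": 22},
    "telnet":                  {"proto": "tcp", "src": "10.200.29.10", "dst": "10.200.29.254", "dport": 23},
    "ping":                    {"proto": "icmp", "src": "10.200.7.10", "dst": "10.200.7.254", "icmp_type": "echo"},
}


def report():
    return {name: (classify(p), police_action(p, conforming=False)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (cls, exceed) in report().items():
        print(f"{name:24} -> {cls} (exceed-action {exceed})")
    print("10.200.28.0/23 as network/wildcard:", cidr_to_wildcard("10.200.28.0/23"))
```

Two things the model makes visible. First, the `permit pim host 10.200.15.254 any` entry matches only PIM packets sourced from the switch's own VLAN 201 address, so a PIM packet arriving from anywhere else falls through to CoPP_DEFAULT; IGMP membership reports from hosts, which are what the control plane actually receives in a single-router setup, do land in CoPP_CRITICAL. Second, because wildcard bits are evaluated individually, `10.200.28.0 0.0.254.255` compares only the lowest bit of the third octet: an SSH session from 10.200.29.10 (third octet odd) does not match it and is policed under CoPP_DEFAULT, while one from 10.200.2.1 (third octet even) does match. If the intended management range is 10.200.28.0/23, the contiguous wildcard is 0.0.1.255, as `cidr_to_wildcard` shows.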