Mailing List Archive

Converting policy-map from IOS to NXOS no "conform drop"
Hello,

Sorry to bother you all, this should be my last question regarding NXOS.

I'm converting some CoPP configuration from IOS to NXOS.

Specifically in IOS 15 we have an explicit deny specified like this:

class-map match-all CoPP4-DROP
match access-group name CoPP4_DROP
class CoPP4-DROP
police 32000 1500 1500 conform-action drop exceed-action drop
ip access-list extended CoPP4_DROP
remark CoPP entry to deny all other traffic
permit ip any any

In NXOS there does not appear to be any way to drop all traffic defined in a class entry (i.e. conform drop).

I opened a ticket with TAC and they indicated that a bug (CSCut8113) was created for this but the developers ignored it without commenting.

Is there no need to drop traffic that isn't specifically permitted in NXOS? The TAC technician just told me that I would just have to allow the minimum amount of traffic, which seems to defeat the entire purpose.

As always thank you,
-Drew

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: Converting policy-map from IOS to NXOS no "conform drop"
Just use


conform drop violate drop

That's what we do.


Jeff Fitzwater
EIS Network Systems & Monitoring
Princeton University
________________________________
From: cisco-nsp <cisco-nsp-bounces@puck.nether.net> on behalf of Drew Weaver <drew.weaver@thenap.com>
Sent: Friday, January 22, 2021 8:07 AM
To: 'cisco-nsp@puck.nether.net' <cisco-nsp@puck.nether.net>
Subject: [c-nsp] Converting policy-map from IOS to NXOS no "conform drop"

Re: Converting policy-map from IOS to NXOS no "conform drop"
In NXOS?

NexusLB(config)# policy-map type control-plane CoPP-Policy
class CoPP4-DROP
NexusLB(config-pmap)# class CoPP4-DROPdrop violate drop
NexusLB(config-pmap-c)# police cir 50 pps bc 16 packets conform drop violate drop
^
% Invalid parameter detected at '^' marker.
NexusLB(config-pmap-c)# police cir 50 pps bc 16 packets conform ?
transmit Transmit the packet

Nexus9508(config-pmap-c)# police cir 50 pps bc 16 packets conform

From: Jeffrey G. Fitzwater <jfitz@princeton.edu>
Sent: Friday, January 22, 2021 10:15 AM
To: Drew Weaver <drew.weaver@thenap.com>; 'cisco-nsp@puck.nether.net' <cisco-nsp@puck.nether.net>
Subject: Re: Converting policy-map from IOS to NXOS no "conform drop"

Re: Converting policy-map from IOS to NXOS no "conform drop"
Depending on what ASIC it is, you simply set it to police 0 pps, no
other way around it. Same deal with LPTS on the XR platform.

On 1/22/2021 8:07 AM, Drew Weaver wrote:
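The IOS class in Drew's original post drops everything it matches because both policer actions are drop, while Paul's NX-OS workaround relies on a zero committed rate instead. The following added example (mine, not code from the list or from Cisco) models a single-rate, two-colour token-bucket policer to show how the two differ. It is a generic textbook model: it assumes the bucket starts full with bc tokens and refills at cir per second, and real ASIC policers may behave differently. The NX-OS line it models, police cir 0 pps bc 16 packets conform transmit violate drop, is assumed by combining Paul's "police 0 pps" with the syntax visible in Drew's "conform ?" transcript; it was not taken from a device.

```python
"""Token-bucket model of a CoPP policer: 'conform drop' versus 'cir 0'.

Added example for this thread, not code from the list or from Cisco.  It
is a generic single-rate, two-colour policer (one bucket of bc tokens that
refills at cir per second).  Assumptions: the bucket starts full, and a
packet that finds enough tokens is 'conforming', otherwise 'violating'.
Real ASIC policers may differ in both respects.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Policer:
    cir: float             # committed rate per second (bps in the IOS line, pps on NX-OS)
    bc: float              # committed burst (bytes for IOS, packets for NX-OS)
    conform_action: str    # "transmit" or "drop"
    violate_action: str    # "transmit" or "drop" (IOS calls this exceed-action)
    tokens: Optional[float] = None
    last_time: float = 0.0

    def __post_init__(self) -> None:
        if self.tokens is None:         # assumption: bucket starts full
            self.tokens = float(self.bc)

    def offer(self, arrival: float, size: float = 1.0) -> str:
        """Decide the fate of one packet of `size` units arriving at `arrival` seconds."""
        elapsed = max(0.0, arrival - self.last_time)
        self.last_time = arrival
        self.tokens = min(float(self.bc), self.tokens + elapsed * self.cir)
        if self.tokens >= size:
            self.tokens -= size
            return self.conform_action
        return self.violate_action


def run(policer: Policer, arrivals: Iterable[float], size: float = 1.0) -> Tuple[int, int]:
    """Return (transmitted, dropped) counts for a sequence of arrival times."""
    sent = dropped = 0
    for t in arrivals:
        if policer.offer(t, size) == "transmit":
            sent += 1
        else:
            dropped += 1
    return sent, dropped


def burst(n: int, start: float = 0.0, interval: float = 0.001) -> List[float]:
    """Constructed input: n packets, one every `interval` seconds from `start`."""
    return [start + i * interval for i in range(n)]


def max_forwarded(policer: Policer, seconds: float) -> float:
    """Closed-form upper bound on unit-size packets the model can forward in `seconds`."""
    if policer.violate_action == "transmit":
        return float("inf")
    if policer.conform_action == "transmit":
        return policer.bc + policer.cir * seconds
    return 0.0


def ios_explicit_deny() -> Policer:
    # From the thread: police 32000 1500 1500 conform-action drop exceed-action drop
    return Policer(cir=32000, bc=1500, conform_action="drop", violate_action="drop")


def nxos_zero_rate(bc_packets: int = 16) -> Policer:
    # Assumed NX-OS form combining Paul's "police 0 pps" with the syntax in Drew's
    # transcript: police cir 0 pps bc 16 packets conform transmit violate drop
    return Policer(cir=0, bc=bc_packets, conform_action="transmit", violate_action="drop")


def compare(n: int = 100) -> Dict[str, Tuple[int, int]]:
    """Push an n-packet burst through each policer and collect (sent, dropped)."""
    results = {"ios_conform_drop": run(ios_explicit_deny(), burst(n), size=1500)}
    p = nxos_zero_rate(16)
    results["nxos_cir0_first_burst"] = run(p, burst(n))              # initial bc packets leak
    results["nxos_cir0_later_burst"] = run(p, burst(n, start=60.0))  # bucket never refills
    return results


if __name__ == "__main__":
    for name, (sent, dropped) in compare().items():
        print(f"{name:24s} transmitted={sent:3d} dropped={dropped:3d}")
    print("max forwarded in an hour, cir 0 / bc 16:", max_forwarded(nxos_zero_rate(16), 3600))
```

Under this model the IOS form can never forward a packet, whereas a cir-0 policer whose conform action is transmit can forward up to bc packets once and then nothing, because a zero rate never refills the bucket. The practical consequence for a deny class on NX-OS is to verify it by sending a test burst and reading the class's conformed and violated counters, rather than assuming that 0 pps means zero packets reach the supervisor.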
Re: Converting policy-map from IOS to NXOS no "conform drop"
I had one other quick question about this.

I've copied the strict copp policy and made it a lot more specific (like /32s are allowed to connect to certain services).

When I do a port scan of the switch it is still showing SSH (albeit closed), https, and BGP as being open.

I am assuming I am just doing something wrong but if you port scan your devices do those ports show as being open?

-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces@puck.nether.net> On Behalf Of Paul
Sent: Sunday, January 24, 2021 2:54 AM
To: 'cisco-nsp@puck.nether.net' <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] Converting policy-map from IOS to NXOS no "conform drop"
