Take a look at the release note of the CSCsb96106 on CCO which offers good config. info. Also, you need to have 'mls qos protocol isis pass-through' global command. http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m2.html#wp 1014614
Hope it helps. /Shankar -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederic LOUI Sent: Friday, September 19, 2008 7:38 AM To: Justin Shore Cc: cisco-nsp Subject: Re: [c-nsp] ISIS and CoPP on 760X Hi, > My understanding is that you have to use class-default to match IS-IS > and a bunch of other things. The Press book "Router Security In terms of security, I prefer to have a strict policy so that in class-default section, I'd rather drop everything that "I'm not aware of". > Strategies" has a good amount of info on CoPP, complete with sample config. I'll try to have a quick look. The cornerstone for me is to identify if "match protocol clns|clns_is|clns_es" is available and can be applied on 760X using 122-33SRC1 so that I can match ISIS pack in my "IGP class" and finally drop/apply low rate to everything in "class-default" Thanks anyway for your pointer. Bgrds/Frederic > > Justin > > Frederic LOUI wrote: >> >> Hi all, >> >> We're currently using Receive-ACL(s) in order to protect as much as >> possible, ingress traffic coming to any router's interface. Actually, >> this is possible on 12K IOS 12.0(32)S8. >> >> As far as I can see in CCO documentation, there is no equivalent to >> receive-acl for 760X... In terms of "Control Plane Protection", it >> seems that CoPP is the way to go ... >> >> In all kind of documentation it is easy to match ospf packet type >> through ACL or the "match protocol ospf" statement. However, I'm >> wondering how to match ISIS packet. (rACL do not filter ISIS packet) >> >> There are several available commands under class-map statement: >> "match protocol clns" >> "match protocol clns_is" >> "match protocol clns_es" >> >> But because of various reasons I can't test these commands. >> (I don't have a 760x test box yet ... ;-) ) >> >> Anyone had any experience with CoPP and ISIS on 760x box ? (Target IOS >> is 122-33.SRC1) >> >> I've seen in the forum's archive that this issue has already >> discussed, but the conclusion is a bit outdated. (Maybe the platform >> has considerably evolved ?? Apology if the question is obvious...) on >> >> Anyway, >> Thanks all in advance for your help, >> >> Bgrds/Frederic >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> cisco-nsp mailing list [email protected] >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
