Just use

    conform drop violate drop

That's what we do.

jeff Fitzwater
EIS Network Systems & Monitoring
Princeton University

________________________________
From: cisco-nsp <[email protected]> on behalf of Drew Weaver <[email protected]>
Sent: Friday, January 22, 2021 8:07 AM
To: '[email protected]' <[email protected]>
Subject: [c-nsp] Converting policy-map from IOS to NXOS no "conform drop"

Hello,

Sorry to bother you all, this should be my last question regarding NXOS.

I'm converting some CoPP configuration from IOS to NXOS.

Specifically in IOS 15 we have an explicit deny specified like this:

    class-map match-all CoPP4-DROP
     match access-group name CoPP4_DROP

    class CoPP4-DROP
     police 32000 1500 1500 conform-action drop exceed-action drop

    ip access-list extended CoPP4_DROP
     remark CoPP entry to deny all other traffic
     permit ip any any

In NXOS there does not appear to be any way to drop all traffic defined in a class entry. (i.e. conform drop)

I opened a ticket with TAC and they indicated that a bug (CSCut8113) was created for this but the developers ignored it without commenting.

Is there no need to drop traffic that isn't specifically permitted in NXOS?

The TAC technician just told me that I would just have to allow the minimum amount of traffic, which seems to defeat the entire purpose.

As always thank you,
-Drew

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
