I had one other quick question about this. I've copied the strict CoPP policy and made it a lot more specific (like /32s are allowed to connect to certain services).

When I do a port scan of the switch, it is still showing SSH (albeit closed), HTTPS, and BGP as being open. I am assuming I am just doing something wrong, but if you port scan your devices, do those ports show as being open?

-----Original Message-----
From: cisco-nsp <[email protected]> On Behalf Of Paul
Sent: Sunday, January 24, 2021 2:54 AM
To: '[email protected]' <[email protected]>
Subject: Re: [c-nsp] Converting policy-map from IOS to NXOS no "conform drop"

Depending on what ASIC it is, you simply set it to police 0 pps; no other way around it. Same deal with LPTS on the XR platform.

On 1/22/2021 8:07 AM, Drew Weaver wrote:
> Hello,
>
> Sorry to bother you all, this should be my last question regarding NXOS.
>
> I'm converting some CoPP configuration from IOS to NXOS.
>
> Specifically, in IOS 15 we have an explicit deny specified like this:
>
> class-map match-all CoPP4-DROP
>  match access-group name CoPP4_DROP
> class CoPP4-DROP
>  police 32000 1500 1500 conform-action drop exceed-action drop
> ip access-list extended CoPP4_DROP
>  remark CoPP entry to deny all other traffic
>  permit ip any any
>
> In NXOS there does not appear to be any way to drop all traffic
> defined in a class entry (i.e. conform drop).
>
> I opened a ticket with TAC and they indicated that a bug (CSCut8113) was
> created for this but the developers ignored it without commenting.
>
> Is there no need to drop traffic that isn't specifically permitted in NXOS?
> The TAC technician just told me that I would just have to allow the minimum
> amount of traffic, which seems to defeat the entire purpose.
>
> As always, thank you,
> -Drew
>
> _______________________________________________
> cisco-nsp mailing list
> [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
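A small helper for the conversion problem discussed in this thread, added here as an illustration and not code from any of the posters: it parses IOS-style policy-map class entries like the CoPP4-DROP one Drew quoted and reports which classes are black-holed on IOS (conform-action drop and exceed-action drop). Those are exactly the classes that cannot be expressed as a "conform drop" on NX-OS and have to be re-expressed per Paul's suggestion (a zero-rate policer, with platform-specific syntax). The sample configuration is constructed from the thread's fragment plus one ordinary class; the function names are my own.

```python
"""Find IOS policy-map classes whose policer drops everything.

When migrating CoPP from IOS to NX-OS, classes with
'conform-action drop exceed-action drop' need a different
treatment (e.g. a zero-rate policer), so list them up front.
"""
import re
from typing import Dict, List

# Constructed sample config: the CoPP4-DROP fragment from the thread
# plus one normal class that only drops on exceed.
SAMPLE_CONFIG = """\
class-map match-all CoPP4-DROP
 match access-group name CoPP4_DROP
class-map match-all CoPP-SSH
 match access-group name CoPP_SSH
policy-map CoPP
 class CoPP-SSH
  police 32000 1500 1500 conform-action transmit exceed-action drop
 class CoPP4-DROP
  police 32000 1500 1500 conform-action drop exceed-action drop
ip access-list extended CoPP4_DROP
 remark CoPP entry to deny all other traffic
 permit ip any any
"""

# IOS single-rate policer: police <cir> <bc> <be> conform-action X exceed-action Y
POLICE_RE = re.compile(
    r"police\s+(?P<cir>\d+)\s+(?P<bc>\d+)\s+(?P<be>\d+)\s+"
    r"conform-action\s+(?P<conform>\S+)\s+exceed-action\s+(?P<exceed>\S+)"
)


def parse_policy_classes(config: str) -> Dict[str, Dict[str, str]]:
    """Return {class_name: police parameters} for each 'class' entry
    under a policy-map that carries a police statement."""
    classes: Dict[str, Dict[str, str]] = {}
    current = None
    in_policy = False
    for raw in config.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if line.startswith("policy-map "):
            in_policy = True
            continue
        if indent == 0:
            # Any other top-level stanza ends the policy-map block.
            in_policy = False
            current = None
        if in_policy and line.startswith("class "):
            current = line.split(None, 1)[1]
            continue
        match = POLICE_RE.match(line)
        if in_policy and current and match:
            classes[current] = match.groupdict()
    return classes


def drop_all_classes(config: str) -> List[str]:
    """Classes whose policer drops both conforming and exceeding traffic."""
    return sorted(
        name
        for name, police in parse_policy_classes(config).items()
        if police["conform"] == "drop" and police["exceed"] == "drop"
    )


if __name__ == "__main__":
    for name in drop_all_classes(SAMPLE_CONFIG):
        print(f"{name}: conform-drop class, needs zero-rate policer on NX-OS")
```

Running it against the sample prints only CoPP4-DROP; CoPP-SSH is left alone because its conform action is transmit, which NX-OS policers express directly.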
