
I have an N5K-5672UP with an enterprise license and I execute these commands to protect my control plane:

control-plane
service-policy input copp-system-policy-default

There are 2 issues:

  1. When I execute show run copp, it does not show anything, and even when I check the whole show run with my eyes there is no copp config.
  2. When I send a TCP SYN attack towards my control plane, my CPU usage is around 20-30%, but my BGP session goes down and I can enter commands only slowly. What's wrong?

Here is the show copp status output (show copp status):

Last Config Operation: service-policy input copp-system-policy-default
Last Config Operation Timestamp: 08:51:29 GMT Nov 21 2021
Last Config Operation Status: Success
Policy-map attached to the control-plane: copp-system-policy-default

Thank you.

Tom Newton
Blackmetal

1 Answer

According to https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1_chapter_01101.html#con_1085200

The default policy applies the following policer configuration:

policy-map type control-plane copp-system-policy-default
    class copp-system-class-igmp
      police cir 1024 kbps bc 65535 bytes 
    class copp-system-class-pim-hello
      police cir 1024 kbps bc 4800000 bytes 
    class copp-system-class-bridging
      police cir 20000 kbps bc 4800000 bytes 
    class copp-system-class-arp
      police cir 1024 kbps bc 3600000 bytes 
    class copp-system-class-dhcp
      police cir 1024 kbps bc 4800000 bytes 
    class copp-system-class-mgmt
      police cir 12000 kbps bc 4800000 bytes 
    class copp-system-class-lacp
      police cir 1024 kbps bc 4800000 bytes 
    class copp-system-class-lldp
      police cir 2048 kbps bc 4800000 bytes 
    class copp-system-class-udld
      police cir 2048 kbps bc 4800000 bytes 
    class copp-system-class-isis
      police cir 1024 kbps bc 4800000 bytes 
    class copp-system-class-msdp
      police cir 9600 kbps bc 4800000 bytes 
    class copp-system-class-cdp
      police cir 1024 kbps bc 4800000 bytes 
    class copp-system-class-fip
      police cir 1024 kbps bc 4800000 bytes 
    class copp-system-class-bgp
      police cir 9600 kbps bc 4800000 bytes 
    class copp-system-class-eigrp
      police cir 9600 kbps bc 4800000 bytes 
    class copp-system-class-exception
      police cir 64 kbps bc 4800000 bytes 
    class copp-system-class-glean
      police cir 1024 kbps bc 4800000 bytes 
    class copp-system-class-hsrp-vrrp
      police cir 1024 kbps bc 256000 bytes 
    class copp-system-class-icmp-echo
      police cir 64 kbps bc 3600000 bytes 
    class copp-system-class-ospf
      police cir 9600 kbps bc 4800000 bytes 
    class copp-system-class-pim-register
      police cir 9600 kbps bc 4800000 bytes 
    class copp-system-class-rip
      police cir 9600 kbps bc 4800000 bytes 
    class copp-system-class-l3dest-miss
      police cir 64 kbps bc 256000 bytes 
    class copp-system-class-mcast-miss
      police cir 256 kbps bc 3200000 bytes 
    class copp-system-class-excp-ip-frag
      police cir 64 kbps bc 3200000 bytes 
    class copp-system-class-excp-same-if
      police cir 64 kbps bc 3200000 bytes 
    class copp-system-class-excp-ttl
      police cir 64 kbps bc 3200000 bytes 
    class copp-system-class-default
      police cir 512 kbps bc 6400000 bytes 

So, if I understood your PCAP correctly, you simulate HTTP traffic, which is not part of this policy.

Maybe you should configure a custom policy that applies policing to TCP traffic in general, if that is what you want.

And I think that you don't see it in configuration because it is the default policy.

manish ma
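The answer reasons from the cir/bc values of the default policy, and the question's first issue is settled by what show copp status reports. An added example, not code from the question, the answer or Cisco, that works both out: a Python script that parses the policy-map text quoted above and the show copp status output from the question, converts each policer's cir and bc into a sustained packet rate and a burst size for a given packet size, and models the policer as a simplified single-rate token bucket (bucket depth bc, refill at cir) to count how many packets of a constructed SYN stream would conform. The 64-byte packet size, the 8000 pps stream and the token-bucket model are assumptions for illustration, not a description of the N5K ASIC's exact policer behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt of the default policy quoted in the answer (three of its classes).
DEFAULT_POLICY = """\
policy-map type control-plane copp-system-policy-default
    class copp-system-class-bgp
      police cir 9600 kbps bc 4800000 bytes
    class copp-system-class-icmp-echo
      police cir 64 kbps bc 3600000 bytes
    class copp-system-class-default
      police cir 512 kbps bc 6400000 bytes
"""

# Constructed copy of the 'show copp status' output from the question.
COPP_STATUS = """\
Last Config Operation: service-policy input copp-system-policy-default
Last Config Operation Timestamp: 08:51:29 GMT Nov 21 2021
Last Config Operation Status: Success
Policy-map attached to the control-plane: copp-system-policy-default
"""


@dataclass
class Policer:
    class_name: str
    cir_kbps: int   # committed information rate
    bc_bytes: int   # committed burst: depth of the token bucket


CLASS_RE = re.compile(r"^\s*class\s+(\S+)\s*$")
POLICE_RE = re.compile(r"^\s*police\s+cir\s+(\d+)\s+kbps\s+bc\s+(\d+)\s+bytes\s*$")
ATTACHED_RE = re.compile(r"^Policy-map attached to the control-plane:\s*(\S+)", re.M)


def parse_policy(text: str) -> List[Policer]:
    """Pair each 'class ...' line with the 'police cir ... bc ...' line that follows it."""
    policers: List[Policer] = []
    current: Optional[str] = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = POLICE_RE.match(line)
        if m and current is not None:
            policers.append(Policer(current, int(m.group(1)), int(m.group(2))))
            current = None
    return policers


def attached_policy(status_text: str) -> Optional[str]:
    """Name of the policy-map that 'show copp status' reports as attached, or None."""
    m = ATTACHED_RE.search(status_text)
    return m.group(1) if m else None


def find_class(policers: List[Policer], name: str) -> Optional[Policer]:
    return next((p for p in policers if p.class_name == name), None)


def sustained_pps(p: Policer, pkt_bytes: int) -> float:
    """Steady packet rate the policer admits: cir converted to bytes/s, divided by packet size."""
    return p.cir_kbps * 1000 / 8 / pkt_bytes


def burst_packets(p: Policer, pkt_bytes: int) -> int:
    """Packets a full bucket (bc bytes) admits before the sustained rate applies."""
    return p.bc_bytes // pkt_bytes


def simulate(p: Policer, pkt_bytes: int, pps: int, seconds: int) -> Tuple[int, int]:
    """Simplified single-rate token bucket (an assumption, not the ASIC's exact algorithm):
    the bucket starts full, refills at cir, and a packet conforms only if it can pay
    its size in tokens. Returns (conformed, dropped) for a constant stream of pps packets/s."""
    refill_per_packet = p.cir_kbps * 1000 / 8 / pps   # bytes credited between two packets
    tokens = float(p.bc_bytes)
    conformed = dropped = 0
    for _ in range(int(pps * seconds)):
        tokens = min(float(p.bc_bytes), tokens + refill_per_packet)
        if tokens >= pkt_bytes:
            tokens -= pkt_bytes
            conformed += 1
        else:
            dropped += 1
    return conformed, dropped


if __name__ == "__main__":
    syn = 64  # assumed size of a minimal TCP SYN, in bytes
    print("attached policy:", attached_policy(COPP_STATUS))
    for pol in parse_policy(DEFAULT_POLICY):
        print(f"{pol.class_name:32} {sustained_pps(pol, syn):9.1f} pps sustained,"
              f" {burst_packets(pol, syn):7d} packet burst")
    default = find_class(parse_policy(DEFAULT_POLICY), "copp-system-class-default")
    ok, drop = simulate(default, syn, pps=8000, seconds=25)
    print(f"class-default, 8000 pps for 25 s: {ok} conformed, {drop} dropped")
```

Traffic that matches none of the protocol classes (the HTTP/TCP traffic the answer refers to) is policed by copp-system-class-default, so that is the class to read the numbers from; the simulation shows why a stream far above the sustained rate is not cut off immediately: the bc-sized bucket admits a large initial burst before the policer settles at cir.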