Note: The class maps provided here are for Cisco NX-OS Release 6.2(2). Some of the values might vary for previous releases.
The copp-system-class-exception class has the following configuration:
class-map type control-plane match-any copp-system-class-exception
match exception ip option
match exception ip icmp unreachable
match exception ipv6 option
match exception ipv6 icmp unreachable
The copp-system-class-critical class has the following configuration:
ip access-list copp-system-acl-igmp
permit igmp any 224.0.0.0/3
ip access-list copp-system-p-acl-lisp
permit udp any any eq 4342
ip access-list copp-system-acl-msdp
permit tcp any gt 1024 any eq 639
permit tcp any eq 639 any gt 1024
ip access-list copp-system-acl-bgp
permit tcp any gt 1024 any eq bgp
permit tcp any eq bgp any gt 1024
ip access-list copp-system-acl-eigrp
permit eigrp any any
ip access-list copp-system-p-acl-lisp6
permit udp any any eq 4342
ip access-list copp-system-acl-rip
permit udp any 224.0.0.0/24 eq rip
ip access-list copp-system-acl-ospf
permit ospf any any
ip access-list copp-system-acl-pim
permit pim any 224.0.0.0/24
ipv6 access-list copp-system-acl-bgp6
permit tcp any gt 1024 any eq bgp
permit tcp any eq bgp any gt 1024
ipv6 access-list copp-system-acl-ospf6
permit 89 any any
ipv6 access-list copp-system-acl-pim6
permit 103 any FF02::D/128
permit udp any any eq pim-auto-rp
ip access-list copp-system-acl-vpc
permit udp any any eq 3200
mac access-list copp-system-acl-mac-fabricpath-isis
permit any 0180.c200.0041 0000.0000.0000
mac access-list copp-system-p-acl-mac-l3-isis
permit any 0180.c200.0015 0000.0000.0000
permit any 0180.c200.0014 0000.0000.0000
class-map type control-plane match-any copp-system-class-critical
match access-group name copp-system-acl-bgp
match access-group name copp-system-acl-rip
match access-group name copp-system-acl-vpc
match access-group name copp-system-acl-bgp6
match access-group name copp-system-p-acl-lisp
match access-group name copp-system-acl-ospf
match access-group name copp-system-acl-eigrp
match access-group name copp-system-p-acl-lisp6
match access-group name copp-system-acl-ospf6
match access-group name copp-system-acl-eigrp6
match access-group name copp-system-p-acl-mac-l3-isis
Note: The LISP, LISP6, and MAC Layer 3 IS-IS ACLs were added in Cisco NX-OS Release 6.1.
The copp-system-class-important class has the following configuration:
ip access-list copp-system-p-acl-hsrp
permit udp any 224.0.0.2/32 eq 1985
permit udp any 224.0.0.102/32 eq 1985
Note: Beginning with Cisco NX-OS Release 6.2(2), the HSRP control packets use predefined destination addresses, as shown above. In Cisco NX-OS releases prior to 6.2(2), the Hot Standby Router Protocol (HSRP) ACL has a lenient entry, with the last octet ignored, as shown in the following configuration:
ip access-list copp-system-acl-hsrp
permit udp any 224.0.0.0/24 eq 1985
ip access-list copp-system-acl-vrrp
ip access-list copp-system-acl-glbp
permit udp any eq 3222 224.0.0.0/24 eq 3222
ip access-list copp-system-acl-pim-reg
permit pim any any
ipv6 access-list copp-system-acl-icmp6-msgs
permit icmp any any router-advertisement
permit icmp any any router-solicitation
permit icmp any any nd-na
permit icmp any any nd-ns
permit icmp any any mld-query
permit icmp any any mld-report
permit icmp any any mld-reduction
permit icmp any any 143
ip access-list copp-system-acl-cts
permit tcp any any eq 64999
permit tcp any eq 64999 any
ipv6 access-list copp-system-p-acl-vrrp6
permit ipv6 any ff02::12/128
ip access-list copp-system-acl-wccp
class-map type control-plane match-any copp-system-class-important
match access-group name copp-system-acl-cts
match access-group name copp-system-acl-glbp
match access-group name copp-system-acl-hsrp
match access-group name copp-system-acl-vrrp
match access-group name copp-system-acl-wccp
match access-group name copp-system-p-acl-vrrp6
Note: The "permit icmp any any 143" rule was added to the acl-icmp6-msgs ACL to support the MLDv2 report in Cisco NX-OS Release 6.1.
Note: The VRRP6 ACL was added in Cisco NX-OS Release 6.2(2).
Note: Beginning with Cisco NX-OS Release 6.2(2), multicast traffic is no longer policed at different rates in different classes. It is instead grouped into three classes (multicast-host, multicast-router, and normal) and policed at consistent rates, depending on the type of multicast traffic, as follows:
ip access-list copp-system-p-acl-igmp
permit igmp any 224.0.0.0/3
ipv6 access-list copp-system-p-acl-mld
permit icmp any any mld-query
permit icmp any any mld-report
permit icmp any any mld-reduction
permit icmp any any 143
ip access-list copp-system-p-acl-msdp
permit tcp any gt 1024 any eq 639
permit tcp any eq 639 any gt 1024
ipv6 access-list copp-system-p-acl-ndp
permit icmp any any router-solicitation
permit icmp any any router-advertisement
permit icmp any any 137
permit icmp any any nd-ns
permit icmp any any nd-na
ip access-list copp-system-p-acl-pim
permit pim any 224.0.0.0/24
permit udp any any eq 496
permit ip any 224.0.0.13/32
ip access-list copp-system-p-acl-pim-mdt-join
permit udp any 224.0.0.13/32
ip access-list copp-system-p-acl-pim-reg
permit pim any any
ipv6 access-list copp-system-p-acl-pim6
permit pim any ff02::d/128
permit udp any any eq 496
ipv6 access-list copp-system-p-acl-pim6-reg
permit pim any any
mac access-list copp-system-p-acl-mac-dot1x
permit any 0180.c200.0003 0000.0000.0000 0x888e
class-map type control-plane match-any copp-system-p-class-multicast-host
match access-group name copp-system-p-acl-mld
match access-group name copp-system-p-acl-igmp
class-map type control-plane match-any copp-system-p-class-multicast-router
match access-group name copp-system-p-acl-pim
match access-group name copp-system-p-acl-msdp
match access-group name copp-system-p-acl-pim6
match access-group name copp-system-p-acl-pim-reg
match access-group name copp-system-p-acl-pim6-reg
match access-group name copp-system-p-acl-pim-mdt-join
class-map type control-plane match-any copp-system-p-class-ndp
match access-group name copp-system-p-acl-ndp
The copp-system-class-management class has the following configuration:
ip access-list copp-system-acl-tacacs
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list copp-system-acl-radius
permit udp any any eq 1812
permit udp any any eq 1813
permit udp any any eq 1645
permit udp any any eq 1646
permit udp any eq 1812 any
permit udp any eq 1813 any
permit udp any eq 1645 any
permit udp any eq 1646 any
ip access-list copp-system-acl-ntp
permit udp any any eq ntp
ip access-list copp-system-acl-ftp
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any eq ftp-data any
permit tcp any eq ftp any
ip access-list copp-system-acl-tftp
permit udp any any eq tftp
permit udp any any eq 1758
permit udp any eq tftp any
permit udp any eq 1758 any
ip access-list copp-system-acl-sftp
permit tcp any any eq 115
permit tcp any eq 115 any
ip access-list copp-system-acl-ssh
permit tcp any any eq 22
permit tcp any eq 22 any
ip access-list copp-system-acl-snmp
permit udp any any eq snmp
permit udp any any eq snmptrap
ip access-list copp-system-acl-telnet
permit tcp any any eq telnet
permit tcp any any eq 107
permit tcp any eq telnet any
permit tcp any eq 107 any
ipv6 access-list copp-system-acl-tacacs6
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ipv6 access-list copp-system-acl-radius6
permit udp any any eq 1812
permit udp any any eq 1813
permit udp any any eq 1645
permit udp any any eq 1646
permit udp any eq 1812 any
permit udp any eq 1813 any
permit udp any eq 1645 any
permit udp any eq 1646 any
ipv6 access-list copp-system-acl-ntp6
permit udp any any eq ntp
permit udp any eq ntp any
ipv6 access-list copp-system-acl-tftp6
permit udp any any eq tftp
permit udp any any eq 1758
permit udp any eq tftp any
permit udp any eq 1758 any
ipv6 access-list copp-system-acl-ssh6
permit tcp any any eq 22
permit tcp any eq 22 any
ipv6 access-list copp-system-acl-telnet6
permit tcp any any eq telnet
permit tcp any any eq 107
permit tcp any eq telnet any
permit tcp any eq 107 any
class-map type control-plane match-any copp-system-class-management
match access-group name copp-system-acl-tacacs
match access-group name copp-system-acl-radius
match access-group name copp-system-acl-ntp
match access-group name copp-system-acl-ftp
match access-group name copp-system-acl-tftp
match access-group name copp-system-acl-sftp
match access-group name copp-system-acl-ssh
match access-group name copp-system-acl-snmp
match access-group name copp-system-acl-telnet
match access-group name copp-system-acl-tacacs6
match access-group name copp-system-acl-radius6
match access-group name copp-system-acl-ntp6
match access-group name copp-system-acl-tftp6
match access-group name copp-system-acl-ssh6
match access-group name copp-system-acl-telnet6
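A listing this long is easier to audit with a script than by eye. The following is an added example in Python (not Cisco's code and not part of the original page): it parses access-list and class-map blocks written in the form shown on this page and reports every class-map `match access-group` line whose ACL is undefined or has no entries, the situation the empty copp-system-acl-vrrp and copp-system-acl-wccp lists and the referenced-but-unlisted copp-system-acl-eigrp6 above would produce. The SAMPLE_CONFIG text is constructed for the demonstration.

```python
import re

# Constructed sample in the style of this page's listing (not from a device); it
# has one empty ACL and one class-map reference to an ACL that is never defined.
SAMPLE_CONFIG = """\
ip access-list copp-system-acl-ssh
permit tcp any any eq 22
permit tcp any eq 22 any
ip access-list copp-system-acl-vrrp
class-map type control-plane match-any copp-system-class-management
match access-group name copp-system-acl-ssh
match access-group name copp-system-acl-eigrp6
match access-group name copp-system-acl-vrrp
"""

ACL_RE = re.compile(r"^(ip|ipv6|mac) access-list (\S+)$")
CLASS_RE = re.compile(r"^class-map type control-plane match-any (\S+)$")
MATCH_RE = re.compile(r"^match access-group name (\S+)$")

def parse_copp(text):
    """Return (acls, classes): ACL name -> entries, class name -> referenced ACL names."""
    acls, classes = {}, {}
    current = None  # ("acl" | "class", name) of the block currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ACL_RE.match(line):
            current = ("acl", m.group(2))
            acls[m.group(2)] = []
        elif m := CLASS_RE.match(line):
            current = ("class", m.group(1))
            classes[m.group(1)] = []
        elif (m := MATCH_RE.match(line)) and current and current[0] == "class":
            classes[current[1]].append(m.group(1))
        elif line.split()[0] in ("permit", "deny") and current and current[0] == "acl":
            acls[current[1]].append(line)  # ACE belonging to the open access-list
    return acls, classes

def audit_copp(acls, classes):
    """Flag match lines whose ACL is undefined or empty: they classify nothing,
    so that traffic is policed by whichever class (ultimately class-default) it
    falls into instead of the intended one."""
    findings = []
    for cls, refs in classes.items():
        for acl in refs:
            if acl not in acls:
                findings.append((cls, acl, "undefined"))
            elif not acls[acl]:
                findings.append((cls, acl, "empty"))
    return findings
```

Feed it the output of `show running-config copp` (or the listing above) in place of SAMPLE_CONFIG to check a real box.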
The copp-system-class-normal class has the following configuration:
class-map type control-plane match-any copp-system-class-normal
match exception multicast directly-connected-sources
match protocol arp
The copp-system-class-redirect class has the following configuration:
class-map type control-plane match-any copp-system-class-redirect
match redirect arp-inspect
The copp-system-class-monitoring class has the following configuration:
ip access-list copp-system-acl-icmp
permit icmp any any echo
permit icmp any any echo-reply
ip access-list copp-system-acl-traceroute
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
ipv6 access-list copp-system-acl-icmp6
permit icmp any any echo-request
permit icmp any any echo-reply
class-map type control-plane match-any copp-system-class-monitoring
match access-group name copp-system-acl-icmp
match access-group name copp-system-acl-traceroute
match access-group name copp-system-acl-icmp6
mac access-list copp-system-p-acl-mac-l2-tunnel
permit any any 0x8840
match access-group name copp-system-p-acl-mac-l2-tunnel
Note: The MAC Layer 2 tunnel ACL was added in Cisco NX-OS Release 6.1.
The copp-system-class-fcoe class has the following configuration:
mac access-list copp-system-p-acl-mac-fcoe
permit any any 0x8906
permit any any 0x8914
class-map type control-plane match-any copp-system-p-class-fcoe
match access-group name copp-system-p-acl-mac-fcoe
Note: The copp-system-class-fcoe class was added in Cisco NX-OS Release 6.1.
The copp-system-class-undesirable class has the following configuration:
ip access-list copp-system-acl-undesirable
permit udp any any eq 1434
class-map type control-plane match-any copp-system-class-undesirable
match access-group name copp-system-acl-undesirable
match exception fcoe-fib-miss
Note: The fcoe-fib-miss match exception was added in Cisco NX-OS Release 6.1.
mac access-list copp-system-acl-mac-cdp-udld-vtp
permit any 0100.0ccc.cccc 0000.0000.0000
mac access-list copp-system-acl-mac-cfsoe
permit any 0180.c200.000e 0000.0000.0000 0x8843
mac access-list copp-system-acl-mac-dot1x
permit any 0180.c200.0003 0000.0000.0000 0x888e
mac access-list copp-system-acl-mac-flow-control
permit any 0180.c200.0001 0000.0000.0000 0x8808
mac access-list copp-system-acl-mac-l2mp-isis
permit any 0180.c200.0015 0000.0000.0000
permit any 0180.c200.0014 0000.0000.0000
mac access-list copp-system-acl-mac-l2pt
permit any 0100.0ccd.cdd0 0000.0000.0000
mac access-list copp-system-acl-mac-lacp
permit any 0180.c200.0002 0000.0000.0000 0x8809
mac access-list copp-system-acl-mac-lldp
permit any 0180.c200.000e 0000.0000.0000 0x88cc
mac access-list copp-system-acl-mac-stp
permit any 0100.0ccc.cccd 0000.0000.0000
permit any 0180.c200.0000 0000.0000.0000
mac access-list copp-system-acl-mac-undesirable
permit any any