CoPP Discard and Permit for Control Packets

You can use received ACL (RACL) policies to permit or deny unicast and multicast control packets that are destined to the local processor.

You can configure RACL entries with match criteria for packets and an action for discarding packets. RACL policies can permit or deny control packets and also count the number of packets hitting the policy.

The process for creating a RACL that allows or denies control packets is as follows:
  1. Create an IP access list (ACL).
  2. Bind the ACL to an IP Receive Access Group.

For more information about RACL, see Receive ACL Rate Limiting.

For more information about ACLs, see the Extreme SLX-OS Security Configuration Guide.

For more information about the commands in the following examples, see the Extreme SLX-OS Command Reference.

Examples for permitting and denying SSH flows (unicast)

This example creates an IPv4 ACL and binds it to a Receive Access Group. It allows all flows that match the originating subnet and discards the rest of the SSH flows.
ip access-list extended <name_ssh_flow> seq <num> permit tcp <ip network addr> <subnet mask> any eq 22 count

ip receive access-group <name_ssh_flow> sequence <num>
This example allows two subnets to send SSH packets to the local CPU, discards the rest of the flows, counts the number of discards, and binds the IPv4 ACL to a Receive Access Group.
ip access-list extended ip-ssh
 seq 10 permit tcp 10.10.10.10 0.0.0.255 any eq 22 count
 seq 20 permit tcp 11.11.11.11 0.0.0.255 any eq 22 count
 seq 100 deny tcp any any eq 22 count

ip receive access-group ip-ssh sequence 10
This example creates an IPv6 ACL that allows two subnets (given in prefix notation) to send SSH packets, discards the rest of the flows, counts the number of discards, and binds the ACL to a Receive Access Group.
ipv6 access-list extended ipv6-ssh
 seq 10 permit tcp 2000::/32 any eq 22 count
 seq 20 permit tcp 2004::/32 any eq 22 count
 seq 100 deny tcp any any eq 22 count

ipv6 receive access-group ipv6-ssh sequence 10

Example for permitting and denying VRRP advertisement packets (multicast)

This example permits VRRP advertisement packets (IP protocol 112 to 224.0.0.18) from one specific host and one subnet, discards them from all other source addresses, counts the number of discards, and binds the ACL to a Receive Access Group.
ip access-list extended ip-vrrp
 seq 10 permit 112 host 10.1.1.10 host 224.0.0.18 count
 seq 20 permit 112 7.7.7.7 0.0.0.255 host 224.0.0.18 count
 seq 100 deny 112 any host 224.0.0.18 count

ip receive access-group ip-vrrp sequence 20
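The following Python simulator is an added example, not code from the original page or from Extreme. It parses the ip-ssh, ipv6-ssh and ip-vrrp ACLs shown above (copied into the script as constructed input), runs constructed sample control packets through them, and returns which sequence entry each packet hits and how the count keyword accumulates per-entry hits. It shows two points the examples rely on: a wildcard mask such as 0.0.0.255 ignores the host octet, so 10.10.10.10 0.0.0.255 admits the whole 10.10.10.x range, while a host entry admits exactly one address and not its neighbours. The simulator only models the ACL syntax used on this page; it does not model what the platform does with a packet that matches no entry (reported as "no-match"), nor rate limiting.

```python
"""Offline simulator for SLX-OS style receive-ACL (RACL) matching (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed for this example: the three ACLs shown on this page.
ACL_TEXT = """
ip access-list extended ip-ssh
 seq 10 permit tcp 10.10.10.10 0.0.0.255 any eq 22 count
 seq 20 permit tcp 11.11.11.11 0.0.0.255 any eq 22 count
 seq 100 deny tcp any any eq 22 count
ipv6 access-list extended ipv6-ssh
 seq 10 permit tcp 2000::/32 any eq 22 count
 seq 20 permit tcp 2004::/32 any eq 22 count
 seq 100 deny tcp any any eq 22 count
ip access-list extended ip-vrrp
 seq 10 permit 112 host 10.1.1.10 host 224.0.0.18 count
 seq 20 permit 112 7.7.7.7 0.0.0.255 host 224.0.0.18 count
 seq 100 deny 112 any host 224.0.0.18 count
"""

PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}  # numeric protocols (112 = VRRP) pass through


@dataclass(frozen=True)
class AddrMatch:
    """Bits set in `wildcard` are don't-care; wildcard -1 means 'any'."""
    addr: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        return ((int(ipaddress.ip_address(ip)) ^ self.addr) & ~self.wildcard) == 0


@dataclass
class Entry:
    seq: int
    action: str
    proto: int
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]
    count: bool


class Racl:
    def __init__(self, name: str, version: int) -> None:
        self.name, self.version = name, version
        self.entries: List[Entry] = []
        self.counters: Dict[int, int] = {}  # seq -> hits, only for entries with 'count'

    def lookup(self, src: str, dst: str, proto: int, dport: Optional[int] = None):
        """First matching entry wins, evaluated in ascending seq order."""
        if ipaddress.ip_address(src).version != self.version:
            return "no-match", None
        for e in sorted(self.entries, key=lambda e: e.seq):
            if e.proto != proto or not e.src.matches(src) or not e.dst.matches(dst):
                continue
            if e.dport is not None and e.dport != dport:
                continue
            if e.count:
                self.counters[e.seq] = self.counters.get(e.seq, 0) + 1
            return e.action, e.seq
        return "no-match", None  # platform behaviour for unmatched packets is not modelled


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    tok = tokens[i]
    if tok == "any":
        return AddrMatch(0, -1), i + 1
    if tok == "host":
        return AddrMatch(int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    if "/" in tok:  # prefix form used by the IPv6 ACL, e.g. 2000::/32
        net = ipaddress.ip_network(tok, strict=False)
        return AddrMatch(int(net.network_address), int(net.hostmask)), i + 1
    # IPv4 address followed by a wildcard mask, e.g. 10.10.10.10 0.0.0.255
    return AddrMatch(int(ipaddress.ip_address(tok)), int(ipaddress.ip_address(tokens[i + 1]))), i + 2


def parse_acls(text: str) -> Dict[str, Racl]:
    acls: Dict[str, Racl] = {}
    current: Optional[Racl] = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[1:3] == ["access-list", "extended"]:
            current = acls[tokens[3]] = Racl(tokens[3], 4 if tokens[0] == "ip" else 6)
        elif tokens[0] == "seq" and current is not None:
            proto = PROTO_NAMES.get(tokens[3]) or int(tokens[3])
            src, i = _parse_addr(tokens, 4)
            dst, i = _parse_addr(tokens, i)
            dport = None
            if i < len(tokens) and tokens[i] == "eq":
                dport, i = int(tokens[i + 1]), i + 2
            current.entries.append(Entry(int(tokens[1]), tokens[2], proto, src, dst, dport, tokens[i:] == ["count"]))
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return acls


def demo():
    """Run constructed control packets through each ACL; returns (results, counters)."""
    acls = parse_acls(ACL_TEXT)
    ssh, ssh6, vrrp = acls["ip-ssh"], acls["ipv6-ssh"], acls["ip-vrrp"]
    results = {
        "ip-ssh": [
            ssh.lookup("10.10.10.77", "192.0.2.1", 6, 22),   # wildcard ignores last octet: permit 10
            ssh.lookup("11.11.11.200", "192.0.2.1", 6, 22),  # permit 20
            ssh.lookup("203.0.113.5", "192.0.2.1", 6, 22),   # unlisted source: deny 100
            ssh.lookup("203.0.113.5", "192.0.2.1", 6, 443),  # not SSH: no entry of this ACL matches
        ],
        "ipv6-ssh": [
            ssh6.lookup("2000::1:5", "2001:db8::1", 6, 22),    # inside 2000::/32: permit 10
            ssh6.lookup("2004::abcd", "2001:db8::1", 6, 22),   # inside 2004::/32: permit 20
            ssh6.lookup("2001:db8::9", "2001:db8::1", 6, 22),  # deny 100
        ],
        "ip-vrrp": [
            vrrp.lookup("10.1.1.10", "224.0.0.18", 112),  # the single permitted host: permit 10
            vrrp.lookup("7.7.7.42", "224.0.0.18", 112),   # inside 7.7.7.0/24: permit 20
            vrrp.lookup("10.1.1.11", "224.0.0.18", 112),  # 'host' does not cover neighbours: deny 100
        ],
    }
    return results, {name: dict(acl.counters) for name, acl in acls.items()}


if __name__ == "__main__":
    for name, hits in demo()[0].items():
        print(name, hits)
```

Because each entry carries count, the per-sequence counters are what you would compare against the hit counters shown by the switch after binding the ACL with ip receive access-group: a rising counter on the deny entry is the signal that unauthorised sources are probing the control plane.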
Note

CoPP for multicast flows does not support IPv6 control packets.