Note: The class maps provided here are for Cisco NX-OS Release 6.2(2). Some of the values might differ in earlier releases.

The copp-system-class-exception class has the following configuration:
class-map type control-plane match-any copp-system-p-class-exception
match exception ip option
match exception ip icmp unreachable
match exception ipv6 option
match exception ipv6 icmp unreachable
The copp-system-class-critical class has the following configuration:
ip access-list copp-system-p-acl-igmp
permit igmp any 224.0.0.0/3
ip access-list copp-system-p-acl-lisp
permit udp any any eq 4342
ip access-list copp-system-p-acl-msdp
permit tcp any gt 1024 any eq 639
permit tcp any eq 639 any gt 1024
ip access-list copp-system-p-acl-bgp
permit tcp any gt 1024 any eq bgp
permit tcp any eq bgp any gt 1024
ip access-list copp-system-p-acl-eigrp
permit eigrp any any
ip access-list copp-system-p-acl-lisp6
permit udp any any eq 4342
ip access-list copp-system-p-acl-rip
permit udp any 224.0.0.0/24 eq rip
ip access-list copp-system-p-acl-ospf
permit ospf any any
ip access-list copp-system-p-acl-pim
permit pim any 224.0.0.0/24
permit udp any any eq 496
permit ip any 224.0.0.13/32
ipv6 access-list copp-system-p-acl-bgp6
permit tcp any gt 1024 any eq bgp
permit tcp any eq bgp any gt 1024
ipv6 access-list copp-system-p-acl-ospf6
permit 89 any any
ipv6 access-list copp-system-p-acl-pim6
permit 103 any FF02::D/128
permit udp any any eq pim-auto-rp
ipv6 access-list copp-system-p-acl-rip6
permit udp any ff02::9/64 eq 521
ip access-list copp-system-p-acl-vpc
permit udp any any eq 3200
ip access-list copp-system-p-acl-mpls-ldp
permit udp any eq 646 any eq 646
permit tcp any any eq 646
permit tcp any eq 646 any
ip access-list copp-system-p-acl-mpls-oam
permit udp any eq 3503 any
ip access-list copp-system-p-acl-mpls-rsvp
permit 46 any any
ip access-list copp-system-p-acl-otv-as
permit udp any any eq 8472
mac access-list copp-system-p-acl-mac-l2pt
permit any 0100.0ccd.cdd0 0000.0000.0000
mac access-list copp-system-p-acl-mac-otv-isis
permit any 0100.0cdf.dfdf 0000.0000.0000
mac access-list copp-system-p-acl-mac-fabricpath-isis
permit any 0180.c200.0041 0000.0000.0000
mac access-list copp-system-p-acl-mac-l3-isis
permit any 0180.c200.0015 0000.0000.0000
permit any 0180.c200.0014 0000.0000.0000
class-map type control-plane match-any copp-system-p-class-critical
match access-group name copp-system-p-acl-bgp
match access-group name copp-system-p-acl-rip
match access-group name copp-system-p-acl-vpc
match access-group name copp-system-p-acl-bgp6
match access-group name copp-system-p-acl-lisp
match access-group name copp-system-p-acl-ospf
match access-group name copp-system-p-acl-rip6
match access-group name copp-system-p-acl-eigrp
match access-group name copp-system-p-acl-lisp6
match access-group name copp-system-p-acl-ospf6
match access-group name copp-system-p-acl-eigrp6
match access-group name copp-system-p-acl-otv-as
match access-group name copp-system-p-acl-mac-l2pt
match access-group name copp-system-p-acl-mpls-ldp
match access-group name copp-system-p-acl-mpls-oam
match access-group name copp-system-p-acl-mpls-rsvp
match access-group name copp-system-p-acl-mac-l3-isis
match access-group name copp-system-p-acl-mac-otv-isis
match access-group name copp-system-p-acl-mac-fabricpath-isis
match protocol mpls router-alert
match protocol mpls exp 6
Note: The LISP, LISP6, and MAC Layer 3 IS-IS ACLs were added in Cisco NX-OS Release 6.1.

The copp-system-class-important class has the following configuration:
ip access-list copp-system-p-acl-hsrp
permit udp any 224.0.0.2/32 eq 1985
permit udp any 224.0.0.102/32 eq 1985
Note: Beginning with Cisco NX-OS Release 6.2(2), HSRP control packets use the default destination addresses, as shown above. In Cisco NX-OS releases earlier than 6.2(2), the Hot Standby Router Protocol (HSRP) ACL has a lenient entry that ignores the last octet, as shown in the following configuration:
ip access-list copp-system-p-acl-hsrp
permit udp any 224.0.0.0/24 eq 1985

ipv6 access-list copp-system-p-acl-hsrp6
permit udp any ff02::66/128 eq 2029
ip access-list copp-system-p-acl-vrrp
permit ip any 224.0.0.18/32
ip access-list copp-system-p-acl-glbp
permit udp any eq 3222 224.0.0.0/24 eq 3222
ip access-list copp-system-p-acl-pim-reg
permit pim any any
ipv6 access-list copp-system-p-acl-icmp6-msgs
permit icmp any any router-advertisement
permit icmp any any router-solicitation
permit icmp any any nd-na
permit icmp any any nd-ns
permit icmp any any mld-query
permit icmp any any mld-report
permit icmp any any mld-reduction
permit icmp any any 143
ip access-list copp-system-p-acl-cts
permit tcp any any eq 64999
permit tcp any eq 64999 any
ip access-list copp-system-p-acl-pim-mdt-join
permit udp any 224.0.0.13/32
ipv6 access-list copp-system-p-acl-vrrp6
permit ipv6 any ff02::12/128
ip access-list copp-system-p-acl-wccp
permit udp any eq 2048 any eq 2048
mac access-list copp-system-p-acl-mac-lldp
permit any 0180.c200.000c 0000.0000.0000 0x88cc
mac access-list copp-system-p-acl-mac-flow-control
permit any 0180.c200.0001 0000.0000.0000 0x8808
class-map type control-plane match-any copp-system-p-class-important
match access-group name copp-system-p-acl-cts
match access-group name copp-system-p-acl-glbp
match access-group name copp-system-p-acl-hsrp
match access-group name copp-system-p-acl-vrrp
match access-group name copp-system-p-acl-wccp
match access-group name copp-system-p-acl-hsrp6
match access-group name copp-system-p-acl-vrrp6
match access-group name copp-system-p-acl-mac-lldp
match access-group name copp-system-p-acl-mac-flow-control
Note: The "permit icmp any any 143" rule was added to the acl-icmp6-msgs ACL to support MLDv2 reports in Cisco NX-OS Release 6.1.

Note: The VRRP6 ACL was added in Cisco NX-OS Release 6.2(2).

Note: Beginning with Cisco NX-OS Release 6.2(2), the behavior of multicast traffic changed from being policed at different rates in different classes to being grouped into three classes (multicast host, multicast router, and normal) according to the type of multicast traffic and policed at consistent rates, as follows:

ip access-list copp-system-p-acl-igmp
permit igmp any 224.0.0.0/3
ipv6 access-list copp-system-p-acl-mld
permit icmp any any mld-query
permit icmp any any mld-report
permit icmp any any mld-reduction
permit icmp any any 143
ip access-list copp-system-p-acl-msdp
permit tcp any gt 1024 any eq 639
permit tcp any eq 639 any gt 1024
ipv6 access-list copp-system-p-acl-ndp
permit icmp any any router-solicitation
permit icmp any any router-advertisement
permit icmp any any 137
permit icmp any any nd-ns
permit icmp any any nd-na
ip access-list copp-system-p-acl-pim
permit pim any 224.0.0.0/24
permit udp any any eq 496
permit ip any 224.0.0.13/32
ip access-list copp-system-p-acl-pim-mdt-join
permit udp any 224.0.0.13/32
ip access-list copp-system-p-acl-pim-reg
permit pim any any
ipv6 access-list copp-system-p-acl-pim6
permit pim any ff02::d/128
permit udp any any eq 496
ipv6 access-list copp-system-p-acl-pim6-reg
permit pim any any
mac access-list copp-system-p-acl-mac-dot1x
permit any 0180.c200.0003 0000.0000.0000 0x888e
class-map type control-plane match-any copp-system-p-class-multicast-host
match access-group name copp-system-p-acl-mld
match access-group name copp-system-p-acl-igmp
class-map type control-plane match-any copp-system-p-class-multicast-router
match access-group name copp-system-p-acl-pim
match access-group name copp-system-p-acl-msdp
match access-group name copp-system-p-acl-pim6
match access-group name copp-system-p-acl-pim-reg
match access-group name copp-system-p-acl-pim6-reg
match access-group name copp-system-p-acl-pim-mdt-join
class-map type control-plane match-any copp-system-p-class-ndp
match access-group name copp-system-p-acl-ndp
The copp-system-class-management class has the following configuration:
ip access-list copp-system-p-acl-tacacs
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list copp-system-p-acl-radius
permit udp any any eq 1812
permit udp any any eq 1813
permit udp any any eq 1645
permit udp any any eq 1646
permit udp any eq 1812 any
permit udp any eq 1813 any
permit udp any eq 1645 any
permit udp any eq 1646 any
ip access-list copp-system-p-acl-ntp
permit udp any any eq ntp
ip access-list copp-system-p-acl-ftp
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any eq ftp-data any
permit tcp any eq ftp any
ip access-list copp-system-p-acl-tftp
permit udp any any eq tftp
permit udp any any eq 1758
permit udp any eq tftp any
permit udp any eq 1758 any
ip access-list copp-system-p-acl-sftp
permit tcp any any eq 115
permit tcp any eq 115 any
ip access-list copp-system-p-acl-ssh
permit tcp any any eq 22
permit tcp any eq 22 any
ip access-list copp-system-p-acl-snmp
permit udp any any eq snmp
permit udp any any eq snmptrap
ip access-list copp-system-p-acl-telnet
permit tcp any any eq telnet
permit tcp any any eq 107
permit tcp any eq telnet any
permit tcp any eq 107 any
ipv6 access-list copp-system-p-acl-tacacs6
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ipv6 access-list copp-system-p-acl-radius6
permit udp any any eq 1812
permit udp any any eq 1813
permit udp any any eq 1645
permit udp any any eq 1646
permit udp any eq 1812 any
permit udp any eq 1813 any
permit udp any eq 1645 any
permit udp any eq 1646 any
ipv6 access-list copp-system-p-acl-ntp6
permit udp any any eq ntp
permit udp any eq ntp any
ipv6 access-list copp-system-p-acl-tftp6
permit udp any any eq tftp
permit udp any any eq 1758
permit udp any eq tftp any
permit udp any eq 1758 any
ipv6 access-list copp-system-p-acl-ssh6
permit tcp any any eq 22
permit tcp any eq 22 any
ipv6 access-list copp-system-p-acl-telnet6
permit tcp any any eq telnet
permit tcp any any eq 107
permit tcp any eq telnet any
permit tcp any eq 107 any
class-map type control-plane match-any copp-system-p-class-management
match access-group name copp-system-p-acl-tacacs
match access-group name copp-system-p-acl-radius
match access-group name copp-system-p-acl-ntp
match access-group name copp-system-p-acl-ftp
match access-group name copp-system-p-acl-tftp
match access-group name copp-system-p-acl-sftp
match access-group name copp-system-p-acl-ssh
match access-group name copp-system-p-acl-snmp
match access-group name copp-system-p-acl-telnet
match access-group name copp-system-p-acl-tacacs6
match access-group name copp-system-p-acl-radius6
match access-group name copp-system-p-acl-ntp6
match access-group name copp-system-p-acl-tftp6
match access-group name copp-system-p-acl-ssh6
match access-group name copp-system-p-acl-telnet6
The copp-system-class-normal class has the following configuration:
ip access-list copp-system-p-acl-dhcp
permit udp any neq bootps any eq bootps
permit udp any eq bootpc any
ip access-list copp-system-p-acl-dhcp-relay-response
permit udp any eq bootps any
permit udp any any eq bootpc
mac access-list copp-system-p-acl-mac-dot1x
permit any 0180.c200.0003 0000.0000.0000 0x888e
class-map type control-plane match-any copp-system-p-class-normal
match access-group name copp-system-p-acl-mac-dot1x
match exception multicast directly-connected-sources
match protocol arp
class-map type control-plane match-any copp-system-p-class-normal-dhcp
match redirect dhcp-snoop
match access-group name copp-system-p-acl-dhcp
class-map type control-plane match-any copp-system-p-class-normal-dhcp-relay-response
match access-group name copp-system-p-acl-dhcp-relay-response
The copp-system-class-redirect class has the following configuration:
class-map type control-plane match-any copp-system-p-class-redirect
match redirect arp-inspect
The copp-system-class-monitoring class has the following configuration:
ip access-list copp-system-p-acl-icmp
permit icmp any any echo
permit icmp any any echo-reply
ip access-list copp-system-p-acl-traceroute
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any range 33434 33534
ipv6 access-list copp-system-p-acl-icmp6
permit icmp any any echo-request
permit icmp any any echo-reply
class-map type control-plane match-any copp-system-p-class-monitoring
match access-group name copp-system-p-acl-icmp
match access-group name copp-system-p-acl-traceroute
match access-group name copp-system-p-acl-icmp6
The copp-system-class-l2-unpoliced class has the following configuration:
mac access-list copp-system-p-acl-mac-cdp-udld-vtp
permit any 0100.0ccc.cccc 0000.0000.0000
mac access-list copp-system-p-acl-mac-stp
permit any 0100.0ccc.cccd 0000.0000.0000
permit any 0180.c200.0000 0000.0000.0000
mac access-list copp-system-p-acl-mac-lacp
permit any 0180.c200.0002 0000.0000.0000 0x8809
mac access-list copp-system-p-acl-mac-cfsoe
permit any 0180.C200.000E 0000.0000.0000 0x8843
mac access-list copp-system-p-acl-mac-gold
permit any any 0x3737
mac access-list copp-system-p-acl-mac-l2-tunnel
permit any any 0x8840
class-map type control-plane copp-system-p-class-l2-unpoliced
match access-group name copp-system-p-acl-mac-stp
match access-group name copp-system-p-acl-mac-lacp
match access-group name copp-system-p-acl-mac-cfsoe
match access-group name copp-system-p-acl-mac-sdp-srp
match access-group name copp-system-p-acl-mac-l2-tunnel
match access-group name copp-system-p-acl-mac-cdp-udld-vtp
match access-group name copp-system-p-acl-mac-gold
Note: The MAC Layer 2 tunnel ACL was added in Cisco NX-OS Release 6.1.

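The class maps on this page match ACLs by name, and a name can appear in a class map without a matching ACL definition in the listing (copp-system-p-acl-mac-sdp-srp in the l2-unpoliced class map above is one). The following is an added example, not Cisco code: a hypothetical helper, `audit_copp`, that cross-checks ACL definitions against class-map references in pasted CoPP configuration text, so that mismatches can be verified on the device.

```python
import re

# Constructed input: the l2-unpoliced listing from this page, pasted as-is.
SAMPLE = """\
mac access-list copp-system-p-acl-mac-cdp-udld-vtp
permit any 0100.0ccc.cccc 0000.0000.0000
mac access-list copp-system-p-acl-mac-stp
permit any 0100.0ccc.cccd 0000.0000.0000
permit any 0180.c200.0000 0000.0000.0000
mac access-list copp-system-p-acl-mac-lacp
permit any 0180.c200.0002 0000.0000.0000 0x8809
mac access-list copp-system-p-acl-mac-cfsoe
permit any 0180.C200.000E 0000.0000.0000 0x8843
mac access-list copp-system-p-acl-mac-gold
permit any any 0x3737
mac access-list copp-system-p-acl-mac-l2-tunnel
permit any any 0x8840
class-map type control-plane copp-system-p-class-l2-unpoliced
match access-group name copp-system-p-acl-mac-stp
match access-group name copp-system-p-acl-mac-lacp
match access-group name copp-system-p-acl-mac-cfsoe
match access-group name copp-system-p-acl-mac-sdp-srp
match access-group name copp-system-p-acl-mac-l2-tunnel
match access-group name copp-system-p-acl-mac-cdp-udld-vtp
match access-group name copp-system-p-acl-mac-gold
"""

ACL_RE = re.compile(r"^(?:ip|ipv6|mac) access-list (\S+)$")
CLASS_RE = re.compile(r"^class-map type control-plane (?:match-a(?:ny|ll) )?(\S+)$")
MATCH_RE = re.compile(r"^match access-group name (\S+)$")

def audit_copp(config):
    """Return (undefined, unused): ACLs a class map matches but the text never
    defines (name -> class maps), and ACLs defined but matched by no class map."""
    defined, refs, current_class = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            defined.add(m.group(1))
            current_class = None          # an ACL header ends the class-map block
        elif m := CLASS_RE.match(line):
            current_class = m.group(1)
        elif (m := MATCH_RE.match(line)) and current_class:
            refs.setdefault(m.group(1), []).append(current_class)
    undefined = {acl: cms for acl, cms in refs.items() if acl not in defined}
    return undefined, sorted(defined - set(refs))

if __name__ == "__main__":
    print(audit_copp(SAMPLE))
```

An ACL reported as unused in one section may be matched by a class map elsewhere, so run the check over the complete configuration rather than a single section.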
The copp-system-class-l2-default class has the following configuration:
mac access-list copp-system-p-acl-mac-undesirable
permit any any
class-map type control-plane copp-system-p-class-l2-default
match access-group name copp-system-p-acl-mac-undesirable
match protocol mpls
The copp-system-class-fcoe class has the following configuration:
mac access-list copp-system-p-acl-mac-fcoe
permit any any 0x8906
permit any any 0x8914
class-map type control-plane match-any copp-system-p-class-fcoe
match access-group name copp-system-p-acl-mac-fcoe
Note: The copp-system-class-fcoe class was added in Cisco NX-OS Release 6.1.

The copp-system-class-undesirable class has the following configuration:
ip access-list copp-system-p-acl-undesirable
permit udp any any eq 1434
class-map type control-plane match-any copp-system-p-class-undesirable
match access-group name copp-system-p-acl-undesirable
match exception fcoe-fib-miss
Note: The fcoe-fib-miss match exception was added in Cisco NX-OS Release 6.1.

mac access-list copp-system-acl-mac-cdp-udld-vtp
permit any 0100.0ccc.cccc 0000.0000.0000
mac access-list copp-system-acl-mac-cfsoe
permit any 0180.c200.000e 0000.0000.0000 0x8843
mac access-list copp-system-acl-mac-dot1x
permit any 0180.c200.0003 0000.0000.0000 0x888e
mac access-list copp-system-acl-mac-flow-control
permit any 0180.c200.0001 0000.0000.0000 0x8808
mac access-list copp-system-acl-mac-gold
permit any any 0x3737
mac access-list copp-system-acl-mac-l2mp-isis
permit any 0180.c200.0015 0000.0000.0000
permit any 0180.c200.0014 0000.0000.0000
mac access-list copp-system-acl-mac-l2pt
permit any 0100.0ccd.cdd0 0000.0000.0000
mac access-list copp-system-acl-mac-lacp
permit any 0180.c200.0002 0000.0000.0000 0x8809
mac access-list copp-system-acl-mac-lldp
permit any 0180.c200.000e 0000.0000.0000 0x88c
mac access-list copp-system-acl-mac-stp
permit any 0100.0ccc.cccd 0000.0000.0000
permit any 0180.c200.0000 0000.0000.0000
mac access-list copp-system-acl-mac-undesirable
permit any any