This might be a little too platform/vendor specific for this group so I apologize in advance if that is the case.

Does anyone have a working example of CoPP on NXOS which limits things like BGP, SSH, and the NXAPI HTTPS interface to a specific remote /32 and blocks everything else that is not specifically allowed in the ACLs attached to the classes?

I’ve had a ticket open w/ TAC for a month and I’m actually getting nowhere.

Thank you so much,


Setting the "conform" & "violate" actions to "drop" for a class with
appropriate ACL matching seems to work:

    policy-map type control-plane copp-policy-whatever
      ! other classes ...
      class copp-class-undesirable-junk
        set cos 0
        police cir 32 kbps bc 310 ms conform drop violate drop
      ! other classes ...

The rates are irrelevant in that case, but still required.
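A fuller configuration built on the approach in the reply above, added here as an example; it is not from the original thread and not a Cisco-published profile. It assumes an NX-OS platform that supports custom CoPP policies, one management host 192.0.2.10 (a documentation address, constructed for the example) that should be the only source allowed to reach BGP, SSH and the NX-API HTTPS listener, and ACL/class names that are made up. Two points drive the layout: CoPP classes are evaluated top to bottom and a packet lands in the first class whose ACL permits it, and a `deny` entry in a CoPP ACL only means "does not match this class" rather than "drop", so the blocking has to come from a later catch-all class whose actions are both `drop`, exactly as the reply describes.

```text
! Start from the built-in strict profile so the protocol classes NX-OS
! depends on (ARP, IGP adjacencies, and so on) are kept; the copy gets the
! prefix "custom" (the prefix itself is an arbitrary choice).
copp copy profile strict prefix custom

! Allow-list ACLs: only 192.0.2.10 (constructed example address) may reach
! BGP, SSH and NX-API HTTPS. BGP is matched in both directions because a
! session this switch initiated receives inbound packets with source port 179.
ip access-list custom-copp-acl-bgp-allowed
  10 permit tcp 192.0.2.10/32 any eq 179
  20 permit tcp 192.0.2.10/32 eq 179 any
ip access-list custom-copp-acl-mgmt-allowed
  10 permit tcp 192.0.2.10/32 any eq 22
  20 permit tcp 192.0.2.10/32 any eq 443

! Catch-all ACL: the same services from any other source. No deny lines
! are needed anywhere; a packet simply falls through to this class.
ip access-list custom-copp-acl-mgmt-junk
  10 permit tcp any any eq 179
  20 permit tcp any eq 179 any
  30 permit tcp any any eq 22
  40 permit tcp any any eq 443

class-map type control-plane match-any custom-copp-class-bgp-allowed
  match access-group name custom-copp-acl-bgp-allowed
class-map type control-plane match-any custom-copp-class-mgmt-allowed
  match access-group name custom-copp-acl-mgmt-allowed
class-map type control-plane match-any custom-copp-class-mgmt-junk
  match access-group name custom-copp-acl-mgmt-junk

policy-map type control-plane custom-copp-policy-strict
  ! The copied profile already has classes that match BGP and management
  ! traffic from anywhere (critical / management), so the new classes must
  ! sit ahead of them. "custom-copp-class-critical" is assumed to be the
  ! first class produced by the copy; confirm the real name with
  ! "show policy-map type control-plane" before applying.
  class custom-copp-class-bgp-allowed insert-before custom-copp-class-critical
    set cos 7
    police cir 36000 kbps bc 250 ms conform transmit violate drop
  class custom-copp-class-mgmt-allowed insert-before custom-copp-class-critical
    set cos 6
    police cir 36000 kbps bc 250 ms conform transmit violate drop
  ! Everything else aimed at those ports: both actions drop, so the rate
  ! values are placeholders that the parser nevertheless insists on.
  class custom-copp-class-mgmt-junk insert-before custom-copp-class-critical
    set cos 0
    police cir 32 kbps bc 310 ms conform drop violate drop
  ! ... remaining classes as copied from the strict profile ...

control-plane
  service-policy input custom-copp-policy-strict
```

To check that the policy is doing what was intended, `show copp status` confirms which policy is attached, and `show policy-map interface control-plane` gives per-class conformed/violated counters: after applying it, a connection attempt from the management host should increment the allowed class, while an attempt from any other address should show up only as drops in the junk class. The allowed-class rates are ordinary policing values and can be tuned; only the junk class has rates that do not matter.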