adamjacobmuller · May 9, 2014 04:47
diff --git a/copp-common b/copp-common
 ip access-list extended cp-any-any
 permit ip any any

 ip access-list extended cp-dns
 permit udp host 66.230.128.14 eq domain any
 permit udp host 66.230.128.18 eq domain any

 ip access-list extended cp-fragments
 permit ip any any fragments

 ip access-list extended cp-icmp
 permit icmp any any

 ip access-list extended cp-ntp
 permit udp host 66.230.128.67 eq ntp any eq ntp

 ip access-list extended cp-rsvp-isis
 permit 46 any any
 permit 124 any any

 no ip access-list extended cp-snmp
 ip access-list extended cp-snmp
 permit udp host 64.188.51.202 host 92.61.254.0 eq snmp
 permit udp host 64.188.51.204 host 92.61.254.0 eq snmp
 permit udp host 68.169.81.99 host 92.61.254.0 eq snmp
 permit udp host 68.169.81.102 host 92.61.254.0 eq snmp
 permit udp host 68.169.103.6 host 92.61.254.0 eq snmp
 permit udp host 76.9.24.249 host 92.61.254.0 eq snmp
 permit udp host 92.61.240.222 host 92.61.254.0 eq snmp
 permit udp host 92.61.240.218 host 92.61.254.0 eq snmp
 deny   ip any any

 no ip access-list extended cp-ssh
 ip access-list extended cp-ssh
 permit tcp host 64.111.209.130 host 92.61.254.0 eq 22
 permit tcp host 64.111.209.175 host 92.61.254.0 eq 22
 permit tcp host 66.230.128.34 host 92.61.254.0 eq 22
 permit tcp host 68.169.72.172 host 92.61.254.0 eq 22
 permit tcp host 68.169.72.186 host 92.61.254.0 eq 22
 permit tcp host 76.9.22.1 host 92.61.254.0 eq 22
 permit tcp host 76.9.22.3 host 92.61.254.0 eq 22
 permit tcp host 76.9.22.4 host 92.61.254.0 eq 22
 permit tcp host 76.9.22.28 host 92.61.254.0 eq 22
 permit tcp host 76.9.22.35 host 92.61.254.0 eq 22
 permit tcp host 76.9.24.249 host 92.61.254.0 eq 22
 permit tcp host 92.61.242.84 host 92.61.254.0 eq 22
 permit tcp host 23.239.9.180 host 92.61.254.0 eq 22
 permit tcp host 23.239.9.180 host 63.141.223.34 eq 22
 deny   ip any any

 ip access-list extended cp-unixtraceroute
 permit udp any any range 33434 33523

 ip access-list extended cp-vrrp
 permit 112 any any
 deny   ip any any

 ipv6 access-list cp-ipv6
 permit ipv6 any any

 class-map match-all fragments
  match access-group name cp-fragments

 class-map match-all unixtraceroute
  match access-group name cp-unixtraceroute

 class-map match-all trusted-ssh
  match access-group name cp-ssh

 class-map match-all vrrp
  match access-group name cp-vrrp

 class-map match-all rsvp-isis
  match access-group name cp-rsvp-isis

 class-map match-all bgp
  match access-group name cp-bgp

 class-map match-all trusted-dns
  match access-group name cp-dns

 class-map match-all trusted-ntp
  match access-group name cp-ntp

 class-map match-all trusted-snmp
  match access-group name cp-snmp

 class-map match-all ipv6
  match access-group name cp-ipv6

 class-map match-all ipanyany
  match access-group name cp-any-any

 class-map match-all gre-tunnel
  match access-group name cp-gre-tunnel


 no policy-map control-plane-in
 policy-map control-plane-in
  class fragments
    police 32000 1000 1000 conform-action drop exceed-action drop violate-action drop
  class unixtraceroute
    police 64000 2000 2000 conform-action transmit exceed-action drop violate-action drop
  class trusted-ssh
    police 1000000 10000 10000 conform-action transmit exceed-action drop violate-action drop
  class vrrp
    police 80000 2500 2500 conform-action transmit exceed-action drop violate-action drop
  class rsvp-isis
    police 80000 2500 2500 conform-action transmit exceed-action drop violate-action drop
  class bgp
    police 8000000 250000 250000 conform-action transmit exceed-action drop violate-action drop
  class trusted-dns
    police 80000 2500 2500 conform-action transmit exceed-action drop violate-action drop
  class trusted-ntp
    police 80000 2500 2500 conform-action transmit exceed-action drop violate-action drop
  class trusted-snmp
    police 800000 25000 25000 conform-action transmit exceed-action drop violate-action drop
  class gre-tunnel
    police 8000000 250000 250000 conform-action transmit exceed-action transmit violate-action transmit
  class icmp
    police 800000 25000 25000 conform-action transmit exceed-action drop violate-action drop
  class ipv6
    police 80000 2500 2500 conform-action transmit exceed-action drop violate-action drop
  class ipanyany
    police 32000 1000 1000 conform-action drop exceed-action drop violate-action drop
	ip access-list extended cp-any-any
	permit ip any any

	ip access-list extended cp-dns
	permit udp host 66.230.128.14 eq domain any
	permit udp host 66.230.128.18 eq domain any

	ip access-list extended cp-fragments
	permit ip any any fragments

	ip access-list extended cp-icmp
	permit icmp any any

	ip access-list extended cp-ntp
	permit udp host 66.230.128.67 eq ntp any eq ntp

	ip access-list extended cp-rsvp-isis
	permit 46 any any
	permit 124 any any

	no ip access-list extended cp-snmp
	ip access-list extended cp-snmp
	permit udp host 64.188.51.202 host 92.61.254.0 eq snmp
	permit udp host 64.188.51.204 host 92.61.254.0 eq snmp
	permit udp host 68.169.81.99 host 92.61.254.0 eq snmp
	permit udp host 68.169.81.102 host 92.61.254.0 eq snmp
	permit udp host 68.169.103.6 host 92.61.254.0 eq snmp
	permit udp host 76.9.24.249 host 92.61.254.0 eq snmp
	permit udp host 92.61.240.222 host 92.61.254.0 eq snmp
	permit udp host 92.61.240.218 host 92.61.254.0 eq snmp
	deny ip any any

	no ip access-list extended cp-ssh
	ip access-list extended cp-ssh
	permit tcp host 64.111.209.130 host 92.61.254.0 eq 22
	permit tcp host 64.111.209.175 host 92.61.254.0 eq 22
	permit tcp host 66.230.128.34 host 92.61.254.0 eq 22
	permit tcp host 68.169.72.172 host 92.61.254.0 eq 22
	permit tcp host 68.169.72.186 host 92.61.254.0 eq 22
	permit tcp host 76.9.22.1 host 92.61.254.0 eq 22
	permit tcp host 76.9.22.3 host 92.61.254.0 eq 22
	permit tcp host 76.9.22.4 host 92.61.254.0 eq 22
	permit tcp host 76.9.22.28 host 92.61.254.0 eq 22
	permit tcp host 76.9.22.35 host 92.61.254.0 eq 22
	permit tcp host 76.9.24.249 host 92.61.254.0 eq 22
	permit tcp host 92.61.242.84 host 92.61.254.0 eq 22
	permit tcp host 23.239.9.180 host 92.61.254.0 eq 22
	permit tcp host 23.239.9.180 host 63.141.223.34 eq 22
	deny ip any any

	ip access-list extended cp-unixtraceroute
	permit udp any any range 33434 33523

	ip access-list extended cp-vrrp
	permit 112 any any
	deny ip any any

	ipv6 access-list cp-ipv6
	permit ipv6 any any

	class-map match-all fragments
	match access-group name cp-fragments

	class-map match-all unixtraceroute
	match access-group name cp-unixtraceroute

	class-map match-all trusted-ssh
	match access-group name cp-ssh

	class-map match-all vrrp
	match access-group name cp-vrrp

	class-map match-all rsvp-isis
	match access-group name cp-rsvp-isis

	class-map match-all bgp
	match access-group name cp-bgp

	class-map match-all trusted-dns
	match access-group name cp-dns

	class-map match-all trusted-ntp
	match access-group name cp-ntp

	class-map match-all trusted-snmp
	match access-group name cp-snmp

	class-map match-all ipv6
	match access-group name cp-ipv6

	class-map match-all ipanyany
	match access-group name cp-any-any

	class-map match-all gre-tunnel
	match access-group name cp-gre-tunnel


	no policy-map control-plane-in
	policy-map control-plane-in
	class fragments
	police 32000 1000 1000 conform-action drop exceed-action drop violate-action drop
	class unixtraceroute
	police 64000 2000 2000 conform-action transmit exceed-action drop violate-action drop
	class trusted-ssh
	police 1000000 10000 10000 conform-action transmit exceed-action drop violate-action drop
	class vrrp
	police 80000 2500 2500 conform-action transmit exceed-action drop violate-action drop
	class rsvp-isis
	police 80000 2500 2500 conform-action transmit exceed-action drop violate-action drop
	class bgp
	police 8000000 250000 250000 conform-action transmit exceed-action drop violate-action drop
	class trusted-dns
	police 80000 2500 2500 conform-action transmit exceed-action drop violate-action drop
	class trusted-ntp
	police 80000 2500 2500 conform-action transmit exceed-action drop violate-action drop
	class trusted-snmp
	police 800000 25000 25000 conform-action transmit exceed-action drop violate-action drop
	class gre-tunnel
	police 8000000 250000 250000 conform-action transmit exceed-action transmit violate-action transmit
	class icmp
	police 800000 25000 25000 conform-action transmit exceed-action drop violate-action drop
	class ipv6
	police 80000 2500 2500 conform-action transmit exceed-action drop violate-action drop
	class ipanyany
	police 32000 1000 1000 conform-action drop exceed-action drop violate-action drop