[c-nsp] control plane policing feature

Francisco Rivas frivas at lanparty.cl
Tue Dec 20 13:23:47 EST 2005


Hi all,

I'm testing the control plane policing on a Cisco 7206
(http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html)
and I've found certain things that don't fit, and I hope that someone
here can give me a hand. In the URL, there is an example that shows
how to configure a couple of trusted networks to reach the router through
ICMP, while all the remaining ICMP traffic should be dropped. The example
goes like this:

! Allow 3.3.3.0 trusted network traffic.
Router(config)# access-list 141 deny icmp host 3.3.3.0 0.0.0.255 any port-unreachable
! Allow 4.4.4.0 trusted network traffic.
Router(config)# access-list 141 deny icmp host 4.4.4.0 0.0.0.255 any port-unreachable
! Rate limit all other ICMP traffic.
Router(config)# access-list 141 permit icmp any any port-unreachable
Router(config)# class-map icmp-class
Router(config-cmap)# match access-group 141
Router(config-cmap)# exit
Router(config)# policy-map control-plane-out-policy
! Drop all traffic that matches the class "icmp-class."
Router(config-pmap)# class icmp-class
Router(config-pmap-c)# drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# control-plane
! Define aggregate control plane service for the active route processor.
Router(config-cp)# service-policy output control-plane-policy
Router(config-cp)# exit


First of all, I've tried some IOS versions, and the only one that I've found
with the "drop" feature inside the class (in this case, "class icmp-class")
is 12.4(3b) (service provider). I've tried 12.0(31)S2, 12.2(25)S7 and
12.3(14)T5, and they didn't have the "drop" command. I'm running
12.2(18)S4 on a 7206vxr with NPE-G1, and I want to stay on the 12.2
train for now (by the way, 12.2(18)S4 is giving me some memory issues
right now; soon I'll write another mail about that). Is the "drop" command exclusive
to the 12.4 train?
Another thing: in the example, they want to ALLOW the ICMP traffic from both networks,
so why are they DENIED in the config? (access-list 141 deny icmp ...)
I've tried this exact example (changing the IP addresses only), and
obviously it didn't work. I've reversed the access-list (permit for
the networks, then DENY any), and it worked as I expected. Is this a bug
in the example, or did something change in the 12.4 train?

And lastly, does anyone have real-world experience with this control plane policing feature?
Does it work as expected? Any word about this will be much appreciated :)

Thanks a lot for your help!!!


Regards,


-- 
Francisco Rivas Catalan
Senior Network Engineer
IFX Networks
(56) 2 3744574
francisco.rivas at ifxnw.cl
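Added example (not from the post or from Cisco's documentation): a small Python model of how MQC "match access-group" maps ACL permit/deny onto class membership, and how the class action then applies only to class members, run over a constructed CoPP snippet written in standard IOS syntax. The CONFIG text is constructed; ICMP type qualifiers such as port-unreachable are not modelled, and the last helper simply flags a service-policy that names a policy-map the config never defines.

```python
import ipaddress

# Constructed CoPP snippet in standard IOS syntax (not the author's exact paste):
# ACL 141 lists two trusted networks with "deny" and the class action is "drop".
CONFIG = """\
access-list 141 deny icmp 3.3.3.0 0.0.0.255 any port-unreachable
access-list 141 deny icmp 4.4.4.0 0.0.0.255 any port-unreachable
access-list 141 permit icmp any any port-unreachable
class-map icmp-class
 match access-group 141
policy-map control-plane-out-policy
 class icmp-class
  drop
control-plane
 service-policy output control-plane-policy
""".splitlines()

def parse_acl(lines, acl_id):
    """Return (action, proto, source network) tuples for one numbered ACL."""
    entries = []
    for tok in (l.split() for l in lines):
        if len(tok) < 5 or tok[:2] != ["access-list", acl_id]:
            continue
        if tok[4] == "any":
            src = ipaddress.IPv4Network("0.0.0.0/0")
        else:  # 'host A' or 'A wildcard'; an IOS wildcard is a hostmask
            src = ipaddress.IPv4Network(tok[5] + "/32" if tok[4] == "host" else f"{tok[4]}/{tok[5]}")
        entries.append((tok[2], tok[3], src))
    return entries

def class_matches(entries, proto, src_ip):
    """A packet is in the class only if the ACL permits it; deny (explicit or implicit) = not in class."""
    ip = ipaddress.IPv4Address(src_ip)
    for action, acl_proto, src in entries:
        if acl_proto in (proto, "ip") and ip in src:
            return action == "permit"
    return False

def copp_verdict(entries, class_action, proto, src_ip):
    """The class action applies to class members only; the rest falls to class-default (no action here)."""
    if class_matches(entries, proto, src_ip):
        return "drop" if class_action == "drop" else "forward"
    return "forward"

def undefined_service_policies(lines):
    """Names used by 'service-policy' that no 'policy-map' line in the config defines."""
    defined = {l.split()[1] for l in lines if l.startswith("policy-map ")}
    used = {l.split()[2] for l in lines if l.strip().startswith("service-policy ")}
    return sorted(used - defined)
```

With the "drop" action, the deny entries keep the trusted networks out of the class and therefore out of the drop, while the permit any entry puts every other ICMP source into it.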