[c-nsp] control plane policing feature

Rodney Dunn rodunn at cisco.com
Wed Dec 21 08:52:47 EST 2005


I can't read your email because it didn't line wrap.

But from what I can gather, you want to allow ICMP
from certain networks and drop the rest.

So your ACL should deny ICMP coming from the particular
networks and then permit all other ICMP traffic.

Then you reference the class-map *inbound* and set
the policy to drop.

That makes it such that all traffic that is *permitted* will
be dropped which is sorta reverse logic in that you denied
the traffic you wanted to allow through in the ACL.

Rodney
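A complete configuration built the way Rodney describes, added here as a worked example; it is not the feature guide's example and not something either poster supplied. The trusted networks (192.0.2.0/24 and 198.51.100.0/24), the ACL number and the class/policy names are assumed values. It applies the policy as input, which is the direction that polices packets arriving at the route processor (Rodney's "inbound"); the guide's "output" direction would instead police traffic the router originates. The police form shown as an alternative for releases that lack the drop action is an assumption about what your IOS train accepts, not something the thread confirms.

```cisco
! Added example, not from the Cisco feature guide or from the thread.
! Assumed trusted networks: 192.0.2.0/24 and 198.51.100.0/24.
!
! Step 1: the ACL is a selector for the drop class, not a permission list.
! Entries marked "deny" fall out of the class-map and are therefore NOT dropped;
! the closing "permit icmp any any" is what the class catches and the policy drops.
access-list 141 remark CoPP: ICMP towards the route processor
access-list 141 deny   icmp 192.0.2.0    0.0.0.255 any
access-list 141 deny   icmp 198.51.100.0 0.0.0.255 any
access-list 141 permit icmp any any
!
! Step 2: the class matches whatever the ACL permits (untrusted ICMP only).
class-map match-all copp-icmp-untrusted
 match access-group 141
!
! Step 3: drop that class. Trusted ICMP never enters this class, so it falls
! through to class-default, which has no action here and is left alone.
policy-map copp-in
 class copp-icmp-untrusted
  drop
!
! Alternative for trains that do not offer "drop" under a control-plane policy
! (assumption: your release accepts this police form):
!  class copp-icmp-untrusted
!   police 8000 conform-action drop exceed-action drop
!
! Step 4: apply it INPUT, i.e. to packets arriving at the control plane.
control-plane
 service-policy input copp-in
!
! Verify: a ping from a trusted network is answered; for any other source the
! class counters below increase and the ping gets no reply.
! show policy-map control-plane input
! show access-list 141
```

Two things to check before deploying this on a production box: the ACL deliberately has no `log` keyword and no `port-unreachable` qualifier, so it catches every ICMP type from untrusted sources, including fragmentation-needed and time-exceeded messages the router may rely on; narrow the final `permit` to `echo` if the intent is only to stop pings. And because the policy sits on the control plane only, it has no effect on ICMP transiting the router, which is what you want for a CoPP policy.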

On Tue, Dec 20, 2005 at 03:23:47PM -0300, Francisco Rivas wrote:
> Hi all,
> 
> I'm testing the control plane policing on a Cisco 7206
> (http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html)
> and I've found certain things that don't fit, and I hope that someone
> here can give me a hand here. In the URL, there is an example that shows
> how to configure a couple of trusted networks to reach the router through
> ICMP, and all the remaining ICMP traffic should be dropped. The example
> goes like this:
> 
> ! Allow 3.3.3.0 trusted network traffic.
> Router(config)# access-list 141 deny icmp 3.3.3.0 0.0.0.255 any port-unreachable
> ! Allow 4.4.4.0 trusted network traffic.
> Router(config)# access-list 141 deny icmp 4.4.4.0 0.0.0.255 any port-unreachable
> ! Rate limit all other ICMP traffic.
> Router(config)# access-list 141 permit icmp any any port-unreachable
> Router(config)# class-map icmp-class
> Router(config-cmap)# match access-group 141
> Router(config-cmap)# exit
> Router(config)# policy-map control-plane-out-policy
> ! Drop all traffic that matches the class "icmp-class."
> Router(config-pmap)# class icmp-class
> Router(config-pmap-c)# drop
> Router(config-pmap-c)# exit
> Router(config-pmap)# exit
> Router(config)# control-plane
> ! Define aggregate control plane service for the active route processor.
> Router(config-cp)# service-policy output control-plane-out-policy
> Router(config-cp)# exit
> 
> 
> First of all, I've tried some IOS versions, and the only one that I've found
> with the "drop" feature inside the class (in this case, "class icmp-class")
> is 12.4(3b) (service provider). I've tried 12.0(31)S2, 12.2(25)S7 and
> 12.3(14)T5, and they didn't have the "drop" command. I'm running
> 12.2(18)S4 on a 7206VXR with NPE-G1, and I want to stay on the 12.2
> train for now (by the way, 12.2(18)S4 is giving me some memory issues
> right now; soon I'll write another mail about that). Is the "drop" command exclusive
> to the 12.4 train?
> Another thing: in the example, they want to ALLOW the ICMP traffic from both networks,
> so why are they DENIED in the config? (access-list 141 deny icmp ...)
> I've tried this exact example (changing the IP addresses only), and
> obviously it didn't work. I've reversed the access-list (permit for
> the networks, then DENY any), and it worked as I expected. Is this a bug
> in the example, or did something change in the 12.4 train?
> 
> And, lastly, does anyone have real-world experience with this control plane policing feature?
> Does it work as expected? Any word about this will be very appreciated :)
> 
> Thanks a lot for your help!
> 
> 
> Regards,
> 
> 
> -- 
> Francisco Rivas Catalan
> Senior Network Engineer
> IFX Networks
> (56) 2 3744574
> francisco.rivas at ifxnw.cl
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/