[c-nsp] control-plane policing
Frank DiGravina
digravin at umn.edu
Thu Jul 24 11:07:21 EDT 2008
So,
Since our soon-to-be-production router interfaces will be publicly exposed, we are considering using CoPP to mitigate that exposure. I have cobbled together a policy map, a set of class maps and corresponding access-lists. I am running on 7609s using 122-33.SRB3. The issue I am having relates to BGP (re)establishment. BGP does not establish as it should, returns to an idle state and then finally transfers the correct route count. The peering interfaces in question are 10 gig ones. I have included the class-map for my critical traffic. See below:
policy-map control-plane-in
  class cp-critical-in
    police 5000000 1000000 1000000 conform-action transmit
      exceed-action drop violate-action drop

ip access-list extended cp-critical-in
  remark OSPF
  permit ospf host 146.57.252.130 any
  permit ospf host 146.57.252.141 any
  permit ospf host 146.57.252.150 any
  permit ospf host 146.57.252.165 any
  remark PIM
  permit pim host 146.57.252.130 any
  permit pim host 146.57.252.141 any
  permit pim host 146.57.252.150 any
  permit pim host 146.57.252.165 any
  remark IGMP
  permit igmp any 224.0.0.0 15.255.255.255
  remark BGP
  permit tcp 146.57.252.0 0.0.0.255 146.57.252.0 0.0.0.255 eq bgp
  permit tcp 146.57.252.0 0.0.0.255 146.57.252.0 0.0.0.255 eq 646   <--- ldp
  deny ip any any
Initially, I did not have a police statement for the above class map. And things did not work at all. This is apparently needed. Please see:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/dos.pdf
Has anyone implemented CoPP successfully? Is the above configuration flawed? All recommendations are welcome.
Thanks in advance for the responses!
--F.
--
Frank DiGravina
University of Minnesota
Networking & Telecommunications
Network Operations
Phone: 612-626-9074
Cell: 612-386-0449
E-Mail: digravin at umn.edu
Helpline: 612-301-HELP
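An added example, not from Frank's post or from Cisco: a small Python model of IOS first-match ACL classification, run over a constructed subset of the posted entries. It shows the caveat a CoPP reviewer would check first: `eq bgp` after the destination address only matches segments sent *to* port 179, so segments of a BGP session that the local router initiated (source port 179, ephemeral destination port) fall through to the `deny`, and a second entry with `eq bgp` after the source address (the IOS form for matching the source port) is needed to classify both directions. The peer addresses and port numbers below are constructed from the post; only the `any`/`host`/wildcard/`eq` keywords used there are understood.

```python
import ipaddress

# Constructed subset of the ACL from the post, in IOS extended-ACL syntax.
ACL_AS_POSTED = [
    "permit ospf host 146.57.252.130 any",
    "permit tcp 146.57.252.0 0.0.0.255 146.57.252.0 0.0.0.255 eq bgp",
    "permit tcp 146.57.252.0 0.0.0.255 146.57.252.0 0.0.0.255 eq 646",
    "deny ip any any",
]
# Same ACL plus an entry with "eq bgp" after the source address (source-port match).
ACL_BOTH_WAYS = ACL_AS_POSTED[:2] + [
    "permit tcp 146.57.252.0 0.0.0.255 eq bgp 146.57.252.0 0.0.0.255",
] + ACL_AS_POSTED[2:]
PORTS = {"bgp": 179}

def _addr(tokens):
    """Consume one address spec (any | host A | A wildcard); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))  # IOS wildcard = inverted netmask
    mask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq <port>'; return (port or None, rest)."""
    if tokens[:1] == ["eq"]:
        return PORTS.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Split one access-list entry into (action, proto, src, sport, dst, dport)."""
    action, proto, *rest = line.split()
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return action, proto, src, sport, dst, dport

def classify(acl, proto, sip, dip, sport=None, dport=None):
    """Return the action of the first matching entry (IOS first-match semantics)."""
    for action, aproto, src, asport, dst, adport in map(parse_ace, acl):
        if aproto not in (proto, "ip"):  # 'ip' entries match every protocol
            continue
        if ipaddress.ip_address(sip) not in src or ipaddress.ip_address(dip) not in dst:
            continue
        if asport not in (None, sport) or adport not in (None, dport):
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL
```

With the posted ACL, a segment from 146.57.252.141:179 to 146.57.252.130:52000 classifies as `deny` and so never reaches the cp-critical-in class; with the added source-port entry it classifies as `permit`.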