[c-nsp] control-plane policing

Ian MacKinnon ian.mackinnon at lumison.net
Thu Jul 24 11:18:27 EDT 2008


Hi Frank,

Check out
http://aharp.ittns.northwestern.edu/papers/copp.html
It says:
  remark BGP
  permit tcp host [BGP neighbor addr] eq bgp host [local BGP addr]
  permit tcp host [BGP neighbor addr] host [local BGP addr] eq bgp

i.e. source port = bgp as well as destination port.


Frank DiGravina wrote:
> So,
>
> Since our soon-to-be-production router interfaces will be publicly exposed,
> we are considering using CoPP to mitigate that exposure. I have cobbled
> together a policy map, a set of class maps and corresponding access-lists.
> I am running on 7609s using 122-33.SRB3. The issue I am having relates
> to BGP (re)establishment. BGP does not establish as it should, returns to an
> idle state and then finally transfers the correct route count. The peering
> interfaces in question are 10 gig ones. I have included the class-map for my
> critical traffic. See below:
>
> policy-map control-plane-in
>  class cp-critical-in
>   police 5000000 1000000 1000000 conform-action transmit exceed-action drop violate-action drop
>
> ip access-list extended cp-critical-in
>  remark OSPF
>  permit ospf host 146.57.252.130 any
>  permit ospf host 146.57.252.141 any
>  permit ospf host 146.57.252.150 any
>  permit ospf host 146.57.252.165 any
>  remark PIM
>  permit pim host 146.57.252.130 any
>  permit pim host 146.57.252.141 any
>  permit pim host 146.57.252.150 any
>  permit pim host 146.57.252.165 any
>  remark IGMP
>  permit igmp any 224.0.0.0 15.255.255.255
>  remark BGP
>  permit tcp 146.57.252.0 0.0.0.255 146.57.252.0 0.0.0.255 eq bgp
>  remark LDP
>  permit tcp 146.57.252.0 0.0.0.255 146.57.252.0 0.0.0.255 eq 646
>  deny ip any any
>
> Initially, I did not have a police statement for the above class map, and
> things did not work at all. This is apparently needed. Please see:
>
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/dos.pdf
>
>
> Has anyone implemented CoPP successfully? Is the above configuration
> flawed?
>
> All recommendations are welcome.
>
> Thanks in advance for the responses!
>
>
> --F.
>



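As an added example that is not part of Ian's reply or Frank's post: a small Python evaluator for IOS-style extended ACL entries, used to show why the posted cp-critical-in lines classify only one direction of a TCP BGP session and how the two-line pattern quoted from the copp.html paper covers both. It goes beyond the thread by applying the same fix to LDP (TCP 646), which has the same active/passive port asymmetry. The local and neighbor addresses and the ephemeral ports are constructed for the example; the semantics modelled are first-match with an implicit deny, and in a CoPP class-map a deny simply means the packet is not placed in cp-critical-in.

```python
"""
Added example, not from the cisco-nsp thread: an IOS-style extended ACL
matcher that shows which half of a BGP/LDP session the posted cp-critical-in
entries miss.  Addresses and ports in the packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

BGP_PORT = 179
LDP_PORT = 646


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(IPv4Address(addr))
    n = int(IPv4Address(network))
    w = int(IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry.  sport/dport model 'eq N'; None means any port."""
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First match wins; an unmatched packet hits the implicit deny.
    In a CoPP class-map, 'deny' means the packet is not in this class."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


NET, WC = "146.57.252.0", "0.0.0.255"
ANY, ANY_WC = "0.0.0.0", "255.255.255.255"

# The BGP and LDP lines as posted: the port is checked on the destination only.
ORIGINAL = [
    Ace("permit", "tcp", NET, WC, NET, WC, dport=BGP_PORT),
    Ace("permit", "tcp", NET, WC, NET, WC, dport=LDP_PORT),
    Ace("deny", "ip", ANY, ANY_WC, ANY, ANY_WC),
]

# Pattern from the copp.html paper: one entry per direction of the session,
# extended here to LDP as well.
CORRECTED = [
    Ace("permit", "tcp", NET, WC, NET, WC, sport=BGP_PORT),
    Ace("permit", "tcp", NET, WC, NET, WC, dport=BGP_PORT),
    Ace("permit", "tcp", NET, WC, NET, WC, sport=LDP_PORT),
    Ace("permit", "tcp", NET, WC, NET, WC, dport=LDP_PORT),
    Ace("deny", "ip", ANY, ANY_WC, ANY, ANY_WC),
]

LOCAL, PEER = "146.57.252.130", "146.57.252.141"  # hypothetical router and neighbor

# Constructed packets as they arrive at the local control plane.
# Peer opened the session: its port is ephemeral, ours is 179.
PEER_INITIATED = Packet("tcp", PEER, 52001, LOCAL, BGP_PORT)
# We opened the session: the peer answers from 179 to our ephemeral port.
LOCAL_INITIATED = Packet("tcp", PEER, BGP_PORT, LOCAL, 52002)
# Same asymmetry for an LDP session we initiated.
LDP_LOCAL_INITIATED = Packet("tcp", PEER, LDP_PORT, LOCAL, 52003)

if __name__ == "__main__":
    for name, pkt in [("peer-initiated BGP", PEER_INITIATED),
                      ("local-initiated BGP", LOCAL_INITIATED),
                      ("local-initiated LDP", LDP_LOCAL_INITIATED)]:
        print(f"{name:22s} original={evaluate(ORIGINAL, pkt):6s} "
              f"corrected={evaluate(CORRECTED, pkt)}")
```

Whichever side opened the TCP session, the packets of the other side carry port 179 (or 646) as the source port and an ephemeral destination port, so an ACL that tests only the destination port leaves half of every locally initiated session outside the critical class and at the mercy of whatever class-default does to it, which is one way to get the flapping-to-Idle behaviour described in the post.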


