Topic: control plane protection not working
mib
Member
Member # 27086
posted July 23, 2012 06:25 AM
I'm trying to use Control Plane Protection between R1 & R2 to drop the telnet traffic, but the telnet traffic is not getting blocked at all. Can any expert please point out what I'm doing wrong here?
topology: R1->R3<-R2
R3 config:
class-map match-any telnet-drop
 match access-group name telnet-drop
!
policy-map telnet-drop
 class telnet-drop
  drop
!
control-plane host
 service-policy input telnet-drop
!
ip access-list extended telnet-drop
 deny tcp host 150.1.1.1 host 150.1.2.1 eq telnet
 permit tcp host 150.1.2.1 host 150.1.1.1 eq telnet
 permit tcp any any
Posts: 39 | From: India (Pune) | Registered: Oct 2008
cmfigue
Specialist
Member # 30387
posted July 23, 2012 06:51 AM
maybe you need to use the control-plane transit
Posts: 95 | From: Puerto Rico | Registered: Dec 2010
mib
Member
Member # 27086
posted July 23, 2012 07:03 AM
quote: Originally posted by cmfigue: maybe you need to use the control-plane transit
Tried that but no luck
Posts: 39 | From: India (Pune) | Registered: Oct 2008
cmfigue
Specialist
Member # 30387
posted July 23, 2012 10:02 AM
Verify the lo0 IP. 150.1.1.1 R1 150.1.2.2 R2
Posts: 95 | From: Puerto Rico | Registered: Dec 2010
mib
Member
Member # 27086
posted July 23, 2012 10:13 AM
quote: Originally posted by cmfigue: Verify the lo0 IP. 150.1.1.1 R1 150.1.2.2 R2
They are correct
Posts: 39 | From: India (Pune) | Registered: Oct 2008
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted July 23, 2012 10:38 PM
CPPr deals with traffic to the router, not across it. Though you can use the CPPr transit sub-interface, that is meant for process-switched traffic.
With regards Kings
Posts: 887 | From: India | Registered: Jun 2010
mib
Member
Member # 27086
posted July 24, 2012 02:17 AM
quote: Originally posted by Kingsley Charles (CCSP, CCNP, CCIP): CPPr deals with traffic to router not across. Though you can use CPPr transit sub-interface, that is meant for process switched traffic.
With regards Kings
I already tried that, but it still won't work for some reason. When it didn't work I tried with all three sub-interfaces.
If I enable "debug control-plane all" I get the "Control Plane: marking pak exception [non-cef]" message.
------------------------------------
R3#sh run
Building configuration...

Current configuration : 1167 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
class-map match-any telnet-drop
 match access-group name telnet-drop
!
policy-map telnet-drop
 class telnet-drop
  drop
!
interface FastEthernet0/0
 ip address 150.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 150.1.2.2 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list extended telnet-drop
 deny tcp host 150.1.1.1 host 150.1.2.1 eq telnet
 permit tcp host 150.1.2.1 host 150.1.1.1 eq telnet
 permit tcp any any
!
control-plane transit
 service-policy input telnet-drop
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end

R3#sh policy-map control-plane all

Control Plane Transit

Service-policy input: telnet-drop

  Class-map: telnet-drop (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: access-group name telnet-drop
      0 packets, 0 bytes
      5 minute rate 0 bps
    drop

  Class-map: class-default (match-any)
    1 packets, 60 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: any
------------------------------------
Cheers
Posts: 39 | From: India (Pune) | Registered: Oct 2008
mib
Member
Member # 27086
posted July 26, 2012 12:41 PM
quote: Originally posted by Kingsley Charles (CCSP, CCNP, CCIP): CPPr deals with traffic to router not across. Though you can use CPPr transit sub-interface, that is meant for process switched traffic.
With regards Kings
I figured out the mistake after reading the control plane policing best practices: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
I was putting control plane protection on the wrong router. When I put it on the destination router, it worked. Thanks everyone for your help.
Posts: 39 | From: India (Pune) | Registered: Oct 2008
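As an added illustration (not from this thread or from any Cisco document), here is the same CPPr policy placed where the resolution says it belongs: on the destination router R2, under the host sub-interface, which only sees packets addressed to R2 itself. It assumes R2's loopback is 150.1.2.1 and R1's is 150.1.1.1, as in the original ACL. One caveat a practitioner should check: in an MQC class-map, an ACL "permit" entry means "match this traffic", so the ACL lists only the flow to be dropped rather than denying it.

```ios
! Added example config for R2 (the telnet destination), not for transit router R3.
! Assumes R2 Lo0 = 150.1.2.1 and R1 Lo0 = 150.1.1.1 (addresses taken from the thread's ACL).
!
! permit = "this traffic matches the class"; everything else falls to class-default.
ip access-list extended telnet-drop
 permit tcp host 150.1.1.1 host 150.1.2.1 eq telnet
!
class-map match-any telnet-drop
 match access-group name telnet-drop
!
policy-map telnet-drop
 class telnet-drop
  drop
 class class-default
!
! Host sub-interface: packets destined to R2's own addresses (telnet to Lo0 included).
control-plane host
 service-policy input telnet-drop
!
! Verify: show policy-map control-plane host
! The telnet-drop class counters should increase when R1 telnets to 150.1.2.1.
```

The same ACL applied on R3 would show 0 matches, as in the thread, because the R1-to-R2 telnet packets are CEF-switched through R3 and never reach its host sub-interface.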
futbolking83
Guru
Member # 31103
posted July 26, 2012 08:32 PM
CoPP for management-type traffic should always be applied to the management sub-interface when available (12.4T). Any mgmt protocol not specified is dropped for flows intending to terminate on the box.
Posts: 109 | From: NoVa | Registered: Jul 2011