https://community.cisco.com/t5/network-security/control-plane-protection-cppr-and-traffic-rates/m-p/2615490#M920390 <P><SPAN style="color: #000000;">Jose, One way to begin tunning your environment would be to create class-maps which rely on ACLs to properly categorize the traffic. In the class-map, you may want to specific the conform action to be "transmit" and the exceed action to be transmit as well.&nbsp; This should ensure that the traffic that you are categorizing in CoPP will still transmit even if it exceeds the bandwidth you specified, but will still increment your exceed counter if the bandwidth you specified is not enough.&nbsp; Later all you will have to do is adjust your bandwidth to higher amount until you do not see the exceed counter increment.&nbsp; When using the "show policy-map control-plane-policy" command be aware that the output may be limiited to a small window of time.&nbsp; </SPAN></P> <PRE class="prettyprint"><SPAN style="color: #000000;">conf t</SPAN></PRE> <PRE class="prettyprint"><SPAN style="color: #000000;">ip access-list ex test_ssh</SPAN><BR /><SPAN style="color: #000000;">permit ip any any eq ssh</SPAN><BR /><SPAN style="color: #000000;">permit ip any eq ssh any<BR />exit</SPAN></PRE> <PRE class="prettyprint"><SPAN style="color: #000000;">class-map test_ssh</SPAN><BR /><SPAN style="color: #000000;">match access-group test_ssh</SPAN><BR /><BR /><SPAN style="color: #000000;">policy-map control-plane-policy<BR />&nbsp;&nbsp;&nbsp; !notice the exceed action of "transmit" below</SPAN><BR /><SPAN style="color: #000000;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;class test_ssh</SPAN><BR /><SPAN style="color: #000000;"><SPAN class="synph"><SPAN class="kwd">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; police rate 100&nbsp; 10&nbsp;</SPAN></SPAN><SPAN class="synph"><SPAN class="kwd">conform-action transmit exceed-action transmit<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; exit<BR /></SPAN></SPAN></SPAN><BR /><SPAN style="color: #000000;">&nbsp;<SPAN class="synph"><SPAN class="kwd">control plane</SPAN></SPAN></SPAN><BR /><SPAN style="color: #000000;">&nbsp; &nbsp;<SPAN class="synph"><SPAN class="kwd">service-policy</SPAN> <SPAN class="kwd">input</SPAN>&nbsp;control-plane-policy<BR />end</SPAN></SPAN><BR /><SPAN style="color: #000000;">&nbsp;<SPAN class="synph"><SPAN class="kwd">show policy-map control-plane-policy</SPAN></SPAN></SPAN></PRE> <P>Hopefully my syntax is correct, I do not have a router in front of me right now.&nbsp; <BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 27 Jan 2016 16:39:31 GMT SAM R. 2016-01-27T16:39:31Z https://community.cisco.com/t5/network-security/control-plane-protection-cppr-and-traffic-rates/m-p/2615489#M920389 <P>Hi Everybody,</P><P>&nbsp;</P><P>currently I'm working on implement policies according to the CPPr but a couple of questions comes to my mind:</P><P>&nbsp;</P><P>1. Is there any standard to start policing the Management traffic (SSH, SNMP, Telnet, etc)??</P><P>2. How can I identify the current rates for the management protocols in order to Policy them??</P><P>&nbsp;</P><P>I understand how the MQC works and for sure understand the the CPPr optiones and benefits but I cannot find a way to start using it in my network or tuning it for my needs.</P><P>&nbsp;</P><P>Kind Regards,</P><P>&nbsp;</P><P>Jose-Manuel Cortes&nbsp;</P> Fri, 21 Feb 2020 13:24:35 GMT https://community.cisco.com/t5/network-security/control-plane-protection-cppr-and-traffic-rates/m-p/2615489#M920389 jose cortes 2020-02-21T13:24:35Z https://community.cisco.com/t5/network-security/control-plane-protection-cppr-and-traffic-rates/m-p/2615490#M920390 <P><SPAN style="color: #000000;">Jose, One way to begin tunning your environment would be to create class-maps which rely on ACLs to properly categorize the traffic. In the class-map, you may want to specific the conform action to be "transmit" and the exceed action to be transmit as well.&nbsp; This should ensure that the traffic that you are categorizing in CoPP will still transmit even if it exceeds the bandwidth you specified, but will still increment your exceed counter if the bandwidth you specified is not enough.&nbsp; Later all you will have to do is adjust your bandwidth to higher amount until you do not see the exceed counter increment.&nbsp; When using the "show policy-map control-plane-policy" command be aware that the output may be limiited to a small window of time.&nbsp; </SPAN></P> <PRE class="prettyprint"><SPAN style="color: #000000;">conf t</SPAN></PRE> <PRE class="prettyprint"><SPAN style="color: #000000;">ip access-list ex test_ssh</SPAN><BR /><SPAN style="color: #000000;">permit ip any any eq ssh</SPAN><BR /><SPAN style="color: #000000;">permit ip any eq ssh any<BR />exit</SPAN></PRE> <PRE class="prettyprint"><SPAN style="color: #000000;">class-map test_ssh</SPAN><BR /><SPAN style="color: #000000;">match access-group test_ssh</SPAN><BR /><BR /><SPAN style="color: #000000;">policy-map control-plane-policy<BR />&nbsp;&nbsp;&nbsp; !notice the exceed action of "transmit" below</SPAN><BR /><SPAN style="color: #000000;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;class test_ssh</SPAN><BR /><SPAN style="color: #000000;"><SPAN class="synph"><SPAN class="kwd">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; police rate 100&nbsp; 10&nbsp;</SPAN></SPAN><SPAN class="synph"><SPAN class="kwd">conform-action transmit exceed-action transmit<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; exit<BR /></SPAN></SPAN></SPAN><BR /><SPAN style="color: #000000;">&nbsp;<SPAN class="synph"><SPAN class="kwd">control plane</SPAN></SPAN></SPAN><BR /><SPAN style="color: #000000;">&nbsp; &nbsp;<SPAN class="synph"><SPAN class="kwd">service-policy</SPAN> <SPAN class="kwd">input</SPAN>&nbsp;control-plane-policy<BR />end</SPAN></SPAN><BR /><SPAN style="color: #000000;">&nbsp;<SPAN class="synph"><SPAN class="kwd">show policy-map control-plane-policy</SPAN></SPAN></SPAN></PRE> <P>Hopefully my syntax is correct, I do not have a router in front of me right now.&nbsp; <BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 27 Jan 2016 16:39:31 GMT https://community.cisco.com/t5/network-security/control-plane-protection-cppr-and-traffic-rates/m-p/2615490#M920390 SAM R. 2016-01-27T16:39:31Z