zhangjijun
Beginner

Question about the Cisco port 18999 device vulnerability on a 4451

On the Cisco website I saw that, for IOS-XE devices where show udp shows port 18999 listening, the packets can be dropped with a policy-map configuration:
access-list 199 permit udp any any eq 18999
class-map undesirable-udp
match access-group 199
exit
policy-map drop-udp
class undesirable-udp
drop
exit
exit
control-plane
service-policy input drop-udp
However, on the 4451, after entering policy-map drop-udp and class undesirable-udp, when I try to enter drop, that command does not exist. How should I configure this?
1 accepted solution

Accepted solution
junnyang
Cisco Employee

On platforms that do not support the drop keyword within the Policy Map, customers may consider utilizing a policy similar to the following as an alternative:
! -- ACL for CoPP Undesirable UDP class-map
! -- Ignore fragments to prevent them from being misclassified by the policy
access-list 199 deny ip any any fragments
! -- Classify traffic destined to UDP Port 18999 so that we can drop it prior to being processed
access-list 199 permit udp any any eq 18999
! -- CoPP Undesirable UDP class-map
class-map match-all undesireable-udp
match access-group 199
! -- Undesirable UDP Policy Map - Drop on Police Rate
policy-map drop-udp
class undesireable-udp
police rate 8000
conform-action drop
exceed-action drop
violate-action drop
! -- Apply Undesirable UDP Policy Map
control-plane
service-policy input drop-udp
If the Adaptive QoS for DMVPN feature is later configured, the device must be upgraded to an unaffected release of Cisco IOS Software or Cisco IOS XE Software and the CoPP policy must be removed.
Detailed information:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf73881

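An added example, not part of the original posts and not Cisco code: a Python check that a saved configuration contains a complete CoPP drop policy for UDP 18999, in either form shown in this thread (the drop keyword or the all-drop policer), and that it is attached under control-plane. The function names and the sample text are constructed for illustration, and the parser assumes only the command forms that appear on this page.

```python
def _drops(actions):
    """True for a bare 'drop' or a policer whose conform/exceed/violate actions all drop."""
    police = dict(a.split()[:2] for a in actions if " " in a)
    return "drop" in actions or (
        {"conform-action", "exceed-action"} <= set(police) and set(police.values()) == {"drop"})

def audit_copp(config, port="18999"):
    """Return the first gap found in the CoPP drop policy for this UDP port, or []."""
    acls, class_acl, actions = set(), {}, {}
    ctx = cm = pm = cls = applied = None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):  # blank line or IOS comment
            continue
        if w[0] == "access-list" and w[2:4] == ["permit", "udp"] and w[-2:] == ["eq", port]:
            acls.add(w[1])
        elif w[0] == "class-map":
            ctx, cm = "cm", w[-1]
        elif w[0] == "policy-map":
            ctx, pm, cls = "pm", w[-1], None
        elif w[0] == "control-plane":
            ctx = "cp"
        elif ctx == "cm" and w[:2] == ["match", "access-group"]:
            class_acl[cm] = w[-1]
        elif ctx == "pm" and w[0] == "class" and len(w) > 1:
            cls = (pm, w[1])
            actions[cls] = []
        elif ctx == "pm" and cls and (w == ["drop"] or w[0].endswith("-action")):
            actions[cls].append(" ".join(w))
        elif ctx == "cp" and w[:2] == ["service-policy", "input"] and len(w) > 2:
            applied = w[2]
    classes = {c for c, acl in class_acl.items() if acl in acls}
    dropping = {p for (p, c), acts in actions.items() if c in classes and _drops(acts)}
    checks = [(classes, f"no class-map matches an ACL permitting udp eq {port}"),
              (dropping, "no policy-map class drops the matched traffic"),
              (applied in dropping, "dropping policy-map not applied under control-plane")]
    return [msg for ok, msg in checks if not ok][:1]

# Constructed sample: the police-based policy from the answer above, comments removed.
SAMPLE = "\n".join([
    "access-list 199 deny ip any any fragments", "access-list 199 permit udp any any eq 18999",
    "class-map match-all undesireable-udp", "match access-group 199",
    "policy-map drop-udp", "class undesireable-udp", "police rate 8000",
    "conform-action drop", "exceed-action drop", "violate-action drop",
    "control-plane", "service-policy input drop-udp"])

if __name__ == "__main__":
    print(audit_copp(SAMPLE) or "UDP 18999 drop policy is complete")
    print(audit_copp(SAMPLE.replace("exceed-action drop", "exceed-action transmit")))
```

An empty list means all three pieces are present; only the first gap is reported because the later checks depend on the earlier ones.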

5 replies

13nash
Collaborator

Look it up in the command reference.
XuLei18879
Beginner

policy-map drop-udp: here drop-udp is the name of the policy-map, and you can pick any name you like... so you won't see it when you press ?.
zhangjijun
Beginner

lastbaba posted on 2018-4-13 18:10
policy-map drop-udp: here drop-udp is the name of the policy-map, and you can pick any name you like... so you won't, when you press ? ...

I really do understand that drop-udp is just an arbitrarily chosen name. I used this name, and when configuring inside it, there is no drop command.
Rockyw
Advisor

It looks like this issue has been resolved.