Jose, One way to begin

jose cortes · ‎02-22-2015

Hi Everybody,

currently I'm working on implement policies according to the CPPr but a couple of questions comes to my mind:

1. Is there any standard to start policing the Management traffic (SSH, SNMP, Telnet, etc)??

2. How can I identify the current rates for the management protocols in order to Policy them??

I understand how the MQC works and for sure understand the the CPPr optiones and benefits but I cannot find a way to start using it in my network or tuning it for my needs.

Kind Regards,

Jose-Manuel Cortes

SAM R. · ‎01-27-2016

Jose, One way to begin tunning your environment would be to create class-maps which rely on ACLs to properly categorize the traffic. In the class-map, you may want to specific the conform action to be "transmit" and the exceed action to be transmit as well. This should ensure that the traffic that you are categorizing in CoPP will still transmit even if it exceeds the bandwidth you specified, but will still increment your exceed counter if the bandwidth you specified is not enough. Later all you will have to do is adjust your bandwidth to higher amount until you do not see the exceed counter increment. When using the "show policy-map control-plane-policy" command be aware that the output may be limiited to a small window of time.

conf t

ip access-list ex test_ssh
permit ip any any eq ssh
permit ip any eq ssh any
exit

class-map test_ssh
match access-group test_ssh

policy-map control-plane-policy
    !notice the exceed action of "transmit" below
     class test_ssh
         police rate 100  10 conform-action transmit exceed-action transmit
         exit

 control plane
   service-policy input control-plane-policy
end
 show policy-map control-plane-policy

Hopefully my syntax is correct, I do not have a router in front of me right now.

Control Plane Protection (CPPr) and Traffic Rates