11-24-2013 07:51 AM - edited 03-10-2019 12:09 AM
Hi All,
I tried playing with CPPr and came up with the following to drop all packets to closed ports except RIP:
class-map type port-filter match-all closed
 match closed-ports
class-map type port-filter match-any validPorts
 match port udp 520
policy-map type port-filter PortPMAP
 class validPorts
  log
 class closed
  drop
control-plane host
 service-policy type port-filter input PortPMAP
That works fine. Now, if I remove the log action from validPorts, I stop receiving RIP updates (checked with debug ip RIP) and my routes are eventually removed from the routing table.
Per this link:
policy-map copp-policy
 class coppclass-bgp
  < no operation specified since this class has unrestricted access to route processor >
So I would expect that even with no log action my traffic should be permitted.
Is this a bug, or did I miss something?
I am running on
R3(config)#do sh ver | i IO
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
11-25-2013 09:37 AM
I think you're running into this problem because RIP uses broadcasts. Try enabling RIPv2 and specifying a neighbor. That will enable RIP to use multicast. This would need to be done on each router.
Hope it helps.
11-25-2013 10:20 AM
Hi Collin,
I already have RIPv2. When I have the log action, I see packets to 224.0.0.9; it's just that, for some reason, if I do not put a log action the packets look dropped.
As a workaround I can do
class-map type port-filter match-all closed
 match closed-ports
 match not udp 520
But that is strange... Maybe I'll try a different IOS version if I have some time.
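A consolidated version of the workaround from this thread, as an added example rather than the poster's own configuration: the RIP class stays first in the policy (policy-map classes are evaluated top-down), the closed-ports class explicitly excludes UDP 520, and two show commands verify that 520 is a listening port and that the drop class is not counting RIP packets. The router rip block, the 10.0.0.0 network, and the `port` keyword in the `match not` line are assumptions, not taken from the thread.

```cisco
! RIPv2 so that UDP 520 is a listening port on the router (assumed network)
router rip
 version 2
 network 10.0.0.0
!
! Class that identifies RIP explicitly; no action under it in the policy
class-map type port-filter match-any validPorts
 match port udp 520
!
! Closed-ports class with the workaround: RIP is excluded from the drop class
! even if CPPr classifies UDP 520 as closed ("port" keyword is assumed syntax)
class-map type port-filter match-all closed
 match closed-ports
 match not port udp 520
!
! validPorts is listed first so RIP is matched before the drop class is consulted
policy-map type port-filter PortPMAP
 class validPorts
 class closed
  drop
!
control-plane host
 service-policy type port-filter input PortPMAP
!
! Verification:
!   show control-plane host open-ports
!     -> UDP 520 should be listed as a listening (open) port once RIP is up
!   show policy-map type port-filter control-plane host
!     -> per-class counters; validPorts should increment, closed should not
!        count the 224.0.0.9 RIP updates
```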
11-25-2013 10:22 AM
I can try it in the lab tonight too.