control plane issue

jamiepurola (Level 1)

We started using control-plane policing in our network. One problem after we configured it is that at one of our remote sites, OSPF drops. The remote site is not directly connected to our network but only by an IPSEC GRE tunnel. So when I remove control-plane, OSPF re-establishes. We also have to remove control-plane when we upload new IOS code to the device; it usually times out in 15 mins.

024578: Jan 12 09:36:38.481 GMT: %OSPF-5-ADJCHG: Process 100, Nbr x.x.x.x on Tunnel1 from EXSTART to DOWN, Neighbor Down: Too many retransmissions
024579: Jan 12 09:37:38.483 GMT: %OSPF-5-ADJCHG: Process 100, Nbr x.x.x.x on Tunnel1 from DOWN to DOWN, Neighbor Down: Ignore timer expired
024581: Jan 12 09:40:03.580 GMT: %OSPF-5-ADJCHG: Process 100, Nbr x.x.x.x on Tunnel1 from EXCHANGE to DOWN, Neighbor Down: Too many retransmissions
024582: Jan 12 09:41:03.583 GMT: %OSPF-5-ADJCHG: Process 100, Nbr x.x.x.x on Tunnel1 from DOWN to DOWN, Neighbor Down: Ignore timer expired

================================

class-map match-any CoPP_Critical
 match access-group name CoPP_Critical
 match protocol arp
class-map match-all CoPP_Drop
 match access-group name CoPP_Drop
class-map match-all CLASSIFY-ROUTING
class-map match-all CoPP_MGMT_FTP
 match access-group name CoPP_MGMT_FTP

=====================================

policy-map CoPP_Policy
class CoPP_MGMT_FTP
class CoPP_Critical <<<< ospf
    police 256000 8000 conform-action transmit  exceed-action drop
class CoPP_Management
    police 512000 4000 conform-action transmit  exceed-action drop
class CoPP_Multicast
    police 128000 2000 conform-action transmit  exceed-action drop
class CoPP_Other
    police 32000 1000 conform-action transmit  exceed-action drop
class CoPP_Drop
   drop
class CoPP_Default
    police 64000 2000 conform-action transmit  exceed-action drop

==========================

policy-map QoS
class QoS-ROUTING
  bandwidth percent 5
class QoS-VOICE
class QoS-VTC
class QoS-VIDEO
class QoS-CRITICAL
class QoS-SIGNAL
class QoS-TRANSACT
class QoS-MANAGEMENT
  bandwidth percent 5
class CLASSIFY-MANAGEMENT
  set ip dscp cs2
  bandwidth percent 5
class QoS-BULK
class QoS-SCAVENGER
  bandwidth percent 1
class class-default
  bandwidth percent 25
  random-detect dscp-based

==========================

interface Tunnel1
description *** IPSec/GRE Tunnel  ***
bandwidth 1544
ip address x.x.x.x
no ip redirects
no ip proxy-arp
ip pim sparse-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 xxxx
ip ospf 100 area xx
keepalive 10 3
tunnel source (serial 0/0/0)
tunnel destination (loopback ip on the core side)

interface Serial0/0/0
description *** REMOTE-PERIMETER ***
bandwidth 1544
ip address x.x.x.x x.x.x.x.x
ip access-group REMOTE-INGRESS in
ip access-group REMOTE-EGRESS out
no ip redirects
no ip proxy-arp
ip multicast boundary MCAST-BOUNDARY
no cdp enable
max-reserved-bandwidth 100
service-policy output QoS

========================

ip access-list extended CoPP_Critical
remark OSPF
permit ospf host x.x.x.x any

ip access-list extended CoPP_MGMT_FTP
permit ip host x.x.x.x any
permit tcp host x.x.x.x any
deny   ip any any

Accepted Solution

hbruyere (Cisco Employee)

Hello,

Since CoPP is used, among other things, to protect the routing protocols' traffic, it is a bad idea to put OSPF into a class that may drop it.

Please refer to the following document discussing CoPP best practices.

http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

Specifically, from this document here is a sample of a typical CoPP service policy:

policy-map RTR_CoPP
class Undesirable
police 8000 1500 1500 conform-action drop exceed-action drop
class Routing
police 1000000 50000 50000 conform-action transmit exceed-action transmit
class Management
police 100000 20000 20000 conform-action transmit exceed-action drop
class Normal
police 50000 5000 5000 conform-action transmit exceed-action drop
class Catch-All-IP
police 50000 5000 5000 conform-action transmit exceed-action drop
class class-default
police 8000 1500 1500 conform-action transmit exceed-action transmit

As you can see, the 'Routing' class has no drop action. The same goes for the default class, as it will contain important L2 keepalives, ISIS packets, ...

Regards,

Herve

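A check for the mistake the answer points out, as an added example that is not part of the thread or of the Cisco paper it cites: a small Python lint that parses IOS class-map, policy-map and named-ACL text, works out which protocols each policy class admits (here OSPF, via the ACL referenced by CoPP_Critical), and flags any such class that also carries a drop action, whether an unconditional `drop` or a `conform-action`/`exceed-action`/`violate-action drop`. The two embedded configurations are constructed from the posted config and the quoted sample; the routing-protocol keyword list and the function names are this example's own assumptions.

```python
"""Lint Cisco IOS CoPP policy text for routing-protocol classes that can drop.

Added example; not code from the thread or from Cisco. The parser is keyword
driven and ignores indentation on purpose, so configs pasted into a forum
(which usually lose it) still parse.
"""

# Assumed list of protocol keywords that identify routing/control traffic when
# they appear in an ACL protocol field or a "match protocol" line.
ROUTING_PROTOCOLS = {"ospf", "eigrp", "bgp", "isis", "rip", "pim", "ldp"}

# Constructed sample, trimmed from the original post (addresses stay redacted).
POSTED_CONFIG = """
class-map match-any CoPP_Critical
match access-group name CoPP_Critical
match protocol arp
class-map match-all CoPP_Drop
match access-group name CoPP_Drop
class-map match-all CoPP_MGMT_FTP
match access-group name CoPP_MGMT_FTP
policy-map CoPP_Policy
class CoPP_MGMT_FTP
class CoPP_Critical
    police 256000 8000 conform-action transmit  exceed-action drop
class CoPP_Drop
   drop
class CoPP_Default
    police 64000 2000 conform-action transmit  exceed-action drop
ip access-list extended CoPP_Critical
remark OSPF
permit ospf host x.x.x.x any
ip access-list extended CoPP_MGMT_FTP
permit ip host x.x.x.x any
permit tcp host x.x.x.x any
deny   ip any any
"""

# Constructed sample: the policy-map quoted in the accepted answer.
RECOMMENDED_CONFIG = """
policy-map RTR_CoPP
class Undesirable
police 8000 1500 1500 conform-action drop exceed-action drop
class Routing
police 1000000 50000 50000 conform-action transmit exceed-action transmit
class Management
police 100000 20000 20000 conform-action transmit exceed-action drop
class class-default
police 8000 1500 1500 conform-action transmit exceed-action transmit
"""


def parse_config(text):
    """Return (acls, class_maps, policy_maps).

    acls:        ACL name -> protocol keywords it permits
    class_maps:  class-map name -> protocol keywords it matches (direct or via ACL)
    policy_maps: policy name -> {class name: set of actions that drop}
    """
    acls, class_maps, policy_maps, acl_refs = {}, {}, {}, {}
    kind = section = cls = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "class-map":                 # section headers
            kind, section = "class-map", tok[-1]
            class_maps.setdefault(section, set())
            acl_refs.setdefault(section, set())
        elif tok[0] == "policy-map":
            kind, section, cls = "policy-map", tok[1], None
            policy_maps.setdefault(section, {})
        elif tok[:2] == ["ip", "access-list"]:
            kind, section = "acl", tok[-1]
            acls.setdefault(section, set())
        elif tok[0] in ("interface", "router", "route-map"):
            kind = None                           # unrelated section
        elif kind == "class-map":                 # sub-commands of the current section
            if tok[:3] == ["match", "access-group", "name"]:
                acl_refs[section].add(tok[3])     # resolved after all ACLs are read
            elif tok[:2] == ["match", "protocol"]:
                class_maps[section].add(tok[2])
        elif kind == "policy-map":
            if tok[0] == "class":
                cls = tok[1]
                policy_maps[section][cls] = set()
            elif cls is not None and tok[0] == "drop":
                policy_maps[section][cls].add("unconditional")
            elif cls is not None and tok[0] == "police":
                for i in range(len(tok) - 1):     # "<x>-action drop" pairs
                    if tok[i].endswith("-action") and tok[i + 1] == "drop":
                        policy_maps[section][cls].add(tok[i][: -len("-action")])
        elif kind == "acl" and tok[0] == "permit":
            acls[section].add(tok[1])             # protocol field: ospf, tcp, ip, ...
    for cm, names in acl_refs.items():
        for name in names:
            class_maps[cm] |= acls.get(name, set())
    return acls, class_maps, policy_maps


def routing_classes_that_can_drop(text):
    """[(policy, class, routing protocols admitted, drop actions)] for risky classes."""
    _, class_maps, policy_maps = parse_config(text)
    findings = []
    for pm, classes in policy_maps.items():
        for cls, drops in classes.items():
            protos = class_maps.get(cls, set()) & ROUTING_PROTOCOLS
            if protos and drops:
                findings.append((pm, cls, sorted(protos), sorted(drops)))
    return findings


def drop_actions(text, policy, cls):
    """Drop actions configured on one class of one policy-map (empty = never drops)."""
    return parse_config(text)[2].get(policy, {}).get(cls, set())


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("recommended", RECOMMENDED_CONFIG)):
        print(label, routing_classes_that_can_drop(cfg))
```

Feed it the output of `show running-config` on the router; the posted policy is reported because CoPP_Critical admits OSPF and has `exceed-action drop`, while the recommended policy produces no finding because its Routing class only ever transmits. The lint deliberately does not try to judge the police rates: a routing class that can drop at all is the problem the answer describes, whatever the rate.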