CoPP policy

jamiepurola
Level 1

I have been messing with our CoPP policy at work and can't seem to tune it right. I am trying to FTP a new IOS to our router, but it keeps timing out; when I remove the service-policy input CoPP_Policy from the control-plane, it works fine and doesn't time out. Any suggestions?

router1#copy ftp flash:
Address or name of remote host [x.x.x.x]?
Source filename []?
Destination filename []?
Accessing ftp://x.x.x.x/....bin...
Loading (image location).bin ! <<<<<< times out after 10 minutes
%Error reading ftp://x.x.x.x/.....bin (Connection timed out)

==============================

policy-map CoPP_Policy
 class CoPP_MGMT_FTP
  police 256000 8000 conform-action transmit exceed-action transmit
 class CoPP_Critical
  police 256000 8000 conform-action transmit exceed-action transmit
 class CoPP_Management
  police 512000 4000 conform-action transmit exceed-action drop
 class CoPP_Multicast
  police 128000 2000 conform-action transmit exceed-action drop
 class CoPP_Other
  police 32000 1000 conform-action transmit exceed-action drop
 class CoPP_Drop
  drop
 class CoPP_Default
  police 64000 2000 conform-action transmit exceed-action drop

router1#sh policy-map control-plane
Control Plane

  Service-policy input: CoPP_Policy

    Class-map: CoPP_MGMT_FTP (match-all)
      504 packets, 225062 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: access-group name CoPP_MGMT_FTP
      police:
          cir 256000 bps, bc 8000 bytes
        conformed 504 packets, 225062 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        conformed 2000 bps, exceed 0 bps

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Jamie,

FTP is peculiar in that there is a control session using the well-known port TCP 21 on the server side, and then there is a data session that is actually another socket.

My guess is that your current configuration does not allow the data connection to flow.

Be also aware that there are different ways to set up the data connection (FTP active or passive mode).

see

http://slacksite.com/other/ftp.html

Hope to help

Giuseppe

Here is the ACL we have for the FTP session that is applied to the class-map. Not sure how I could modify this, though, to improve the upload. Also, I don't see any drops on the firewall, only accepts between the router IP and the FTP server.

class-map match-all CoPP_MGMT_FTP
 match access-group name CoPP_MGMT_FTP
!
ip access-list extended CoPP_MGMT_FTP
 permit ip host x.x.x.x (FTP Server) any
 permit tcp host x.x.x.x (FTP Server) any
 deny   ip any any
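
To check the control/data point from the reply against the ACL posted above, here is a small Python model of first-match CoPP classification for the server-to-router packets of an FTP transfer in active and passive mode. It is an added example, not part of the original thread: the addresses, the ports 40000/40001/50000 and the control-only ACL are constructed, and because the other classes' ACLs are not shown on the page, unmatched traffic is assumed to fall through to CoPP_Default.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
SERVER, ROUTER = "192.0.2.10", "198.51.100.1"  # constructed documentation addresses

# ACE = (action, protocol, source host or None=any, source port or None=any);
# the destination is "any" in every entry, as in the posted ACL.
PAGE_ACL = [("permit", "ip", SERVER, None),
            ("permit", "tcp", SERVER, None),
            ("deny", "ip", None, None)]
# Hypothetical narrower ACL that covers only the FTP control port.
CONTROL_ONLY_ACL = [("permit", "tcp", SERVER, 21),
                    ("deny", "ip", None, None)]

def ace_matches(ace, pkt):
    _, proto, src, sport = ace
    return (proto in ("ip", pkt.proto)
            and src in (None, pkt.src)
            and sport in (None, pkt.sport))

def acl_permits(acl, pkt):
    """First matching ACE decides; no match at all is an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False

def classify(pkt, classes, default="CoPP_Default"):
    """Return the first class whose ACL permits pkt; a deny means 'try the next class'."""
    for name, acl in classes:
        if acl_permits(acl, pkt):
            return name
    return default

def ftp_inbound(mode):
    """Server-to-router packets of one transfer: control from 21, data from 20 or ephemeral."""
    data_sport = 20 if mode == "active" else 50000
    return {"control": Packet("tcp", SERVER, 21, ROUTER, 40000),
            "data": Packet("tcp", SERVER, data_sport, ROUTER, 40001)}

def report(acl):
    """Map (mode, connection) to the class each packet lands in."""
    classes = [("CoPP_MGMT_FTP", acl)]
    return {(mode, kind): classify(pkt, classes)
            for mode in ("active", "passive")
            for kind, pkt in ftp_inbound(mode).items()}

if __name__ == "__main__":
    for label, acl in (("page ACL", PAGE_ACL), ("control-only ACL", CONTROL_ONLY_ACL)):
        for key, cls in report(acl).items():
            print(label, key, "->", cls)
```

In this model the posted ACL puts both control and data packets from the server into CoPP_MGMT_FTP in either mode, while the control-only variant sends the data connection to CoPP_Default, which the posted policy polices at 64000 bps with exceed-action drop.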