07-30-2018 05:05 AM
Hi there,
I have an issue with the control-plane policy on AS1001.
I configured the following statements:
class-map match-all MGMT
 match access-group name MGMT
class-map match-all ICMP
 match access-group name ICMP
class-map match-all ANY_TRAFF
 match access-group name ANY_TRAFF
class-map match-all ROUTING
 match access-group name ROUTING
class-map match-all CVE-2018-0151
 match access-group name CVE-2018-0151
!
policy-map ControlPlane
 class CVE-2018-0151
  police cir 8000 conform-action drop
 class ROUTING
  police 1000000 50000 50000 conform-action transmit exceed-action drop
 class MGMT
  police 1000000 50000 50000 conform-action transmit exceed-action drop
 class ICMP
  police cir 50000 bc 5000 be 5000 conform-action transmit exceed-action drop
 class ANY_TRAFF
  police 50000 5000 5000 conform-action transmit exceed-action drop
 class class-default
  police 8000 1500 1500 conform-action transmit exceed-action transmit
!
ip access-list extended ANY_TRAFF
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ip any any
ip access-list extended CVE-2018-0151
 permit udp any any eq 18999
 permit udp any eq 18999 any
ip access-list extended ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any port-unreachable
 permit icmp any any unreachable
 permit pim any any
 permit udp any any eq pim-auto-rp
 permit igmp any any
 permit gre any any
ip access-list extended MGMT
 permit tcp xxx.xx.144.0 0.0.0.255 77.xx.xx.0 0.0.31.255 eq telnet
 permit tcp xxx.xx.144.0 0.0.0.255 eq telnet 77.xx.xx.0 0.0.31.255 established
 permit tcp 77.xx.xx.0 0.0.0.255 77.xx.xx.0 0.0.31.255 eq telnet
 permit tcp 77.xx.xx.0 0.0.0.255 eq telnet 77.xx.xx.0 0.0.31.255 established
 permit tcp 172.16.0.0 0.15.255.255 77.xx.xx.0 0.0.31.255 eq 22
 permit tcp 172.16.0.0 0.15.255.255 eq 22 77.xx.xx.0 0.0.31.255 established
 permit tcp xxx.xx.144.0 0.0.0.255 77.xx.xx.0 0.0.31.255 eq 22
 permit tcp xxx.xx.144.0 0.0.0.255 eq 22 77.xx.xx.0 0.0.31.255 established
 permit tcp 77.xx.xx.0 0.0.0.255 77.xx.xx.0 0.0.31.255 eq 22
 permit tcp 77.xx.xx.0 0.0.0.255 eq 22 77.xx.xx.0 0.0.31.255 established
 permit udp xxx.xx.144.0 0.0.0.255 77.xx.xx.0 0.0.31.255 eq snmp
 permit tcp host xxx.xx.177.65 77.xx.xx.0 0.0.31.255 eq ftp
 permit tcp host xxx.xx.177.65 77.xx.xx.0 0.0.31.255 eq ftp-data
 permit udp host xxx.xx.177.44 77.xx.xx.0 0.0.31.255 eq syslog
 permit udp host 85.xx.xx.xx eq domain 77.xx.xx.0 0.0.31.255
 permit udp host xxx.xx.xx.77 eq domain 77.xx.xx.0 0.0.31.255
 permit udp host xxx.xx.144.1 77.xx.xx.0 0.0.31.255 eq ntp
 permit udp host 128.184.1.1 77.xx.xx.0 0.0.31.255 eq ntp
ip access-list extended ROUTING
 permit tcp any gt 1024 77.xx.xx.0 0.0.31.255 eq bgp
 permit tcp any eq bgp 77.xx.xx.0 0.0.31.255 gt 1024 established
 permit tcp any gt 1024 77.xx.xx.0 0.0.31.255 eq 639
 permit tcp any eq 639 77.xx.xx.0 0.0.31.255 gt 1024 established
 permit tcp any 77.xx.xx.0 0.0.31.255 eq 646
 permit udp any 77.xx.xx.0 0.0.31.255 eq 646
 permit ospf any 77.xx.xx.0 0.0.31.255
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
 permit eigrp any 77.xx.xx.0 0.0.31.255
 permit eigrp any host 224.0.0.10
The policies work; however, sometimes the LDP relationship goes down.
In the output of "show policy-map control-plane", I see that the rule for class-map ANY_TRAFF has drops,
although LDP traffic should be matched by class-map ROUTING:
permit tcp any 77.xx.xx.0 0.0.31.255 eq 646
permit udp any 77.xx.xx.0 0.0.31.255 eq 646
It seems that traffic is not handled by these rules.
What am I doing wrong?
08-02-2018 08:22 AM - edited 08-02-2018 08:29 AM
Sorry, I'm constantly changing the rules.
Current ACL config for the routing class:
sh ip access-lists ROUTING
Extended IP access list ROUTING
    10 permit tcp any gt 1024 77.xx.xx.0 0.0.31.255 eq bgp
    20 permit tcp any eq bgp 77.xx.xx.0 0.0.31.255 gt 1024 established
    30 permit tcp any gt 1024 77.xx.xx.0 0.0.31.255 eq 639
    40 permit tcp any eq 639 77.xx.xx.0 0.0.31.255 gt 1024 established
    50 permit ip any host 224.0.0.2
    60 permit tcp any 77.xx.xx.0 0.0.31.255 eq 646
    70 permit ospf any 77.xx.xx.0 0.0.31.255
    80 permit ospf any host 224.0.0.5
    90 permit ospf any host 224.0.0.6
    100 permit eigrp any 77.xx.xx.0 0.0.31.255
    110 permit eigrp any host 224.0.0.10
But I still haven't understood why LDP traffic isn't handled in the routing class.
08-02-2018 08:59 AM - edited 08-02-2018 09:08 AM
It seems that rule "60 permit tcp any 77.xx.xx.0 0.0.31.255 eq 646" isn't working properly,
because only the TCP keepalive fails.
08-02-2018 09:48 AM
I was right: only the "targeted LDP" neighborship between PEs fails.
08-03-2018 04:56 AM
As it turned out, LDP first uses UDP 646 between the PE IPs for the targeted LDP session. For tLDP to work properly, it is necessary to add the following statements to the ACL:
permit udp any host 224.0.0.2 eq 646
permit udp any eq 646 any eq 646
permit tcp any host IP PE eq 646
permit udp any eq 646 host IP PE eq 646
I was confused because earlier I thought that tLDP uses only TCP for the relationship.
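The classification problem described in this thread, as an added example that is not part of any post above: a small first-match simulator for the CoPP policy-map. It walks the classes in the order of the original policy-map and shows that a targeted LDP hello (unicast UDP 646 -> UDP 646 between PE addresses) falls through the ROUTING ACL from the 08-02 post into ANY_TRAFF, while the link-level hello to 224.0.0.2 and the TCP session packets already land in ROUTING; with the four UDP/TCP entries from the final post added, the targeted hello is classified as ROUTING as well. The redacted values are replaced by assumptions: the PE range 77.xx.xx.0 0.0.31.255 is modelled as 77.0.0.0 0.0.31.255, the two PE loopbacks as 77.0.0.1 and 77.0.0.2, and "host IP PE" as 77.0.0.2. The TCP "established" keyword is not modelled, and the MGMT and ICMP classes are left out because none of their entries can match port 646. The sample packets are constructed, not captured.

```python
# Added example (not from the original thread): first-match CoPP classifier.
# Assumed placeholders for redacted values: PE range 77.0.0.0 0.0.31.255,
# PE loopbacks 77.0.0.1 / 77.0.0.2, "host IP PE" = 77.0.0.2.
# The TCP "established" keyword is not modelled; MGMT/ICMP classes omitted.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
PE_RANGE = ("77.0.0.0", "0.0.31.255")   # assumed stand-in for 77.xx.xx.0 0.0.31.255
PE2 = ("77.0.0.2", "0.0.0.0")           # assumed stand-in for "host IP PE"
ALL_ROUTERS = ("224.0.0.2", "0.0.0.0")  # destination of link-level LDP hellos


def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard is a don't-care bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def port_match(port, cond):
    """cond is None (any port) or ('eq' | 'gt' | 'lt', number)."""
    if cond is None:
        return True
    if port is None:
        return False
    op, value = cond
    if op == "eq":
        return port == value
    if op == "gt":
        return port > value
    return port < value


def ace(proto, src, sport, dst, dport):
    """One permit entry; proto 'ip' matches every IP protocol."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(entry, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    return port_match(pkt.get("sport"), entry["sport"]) and port_match(pkt.get("dport"), entry["dport"])


def acl_permits(acl, pkt):
    """First matching permit wins; no match is the ACL's implicit deny."""
    return any(ace_matches(e, pkt) for e in acl)


def classify(policy, pkt):
    """Return the first policy-map class whose ACL permits pkt, else class-default."""
    for name, acl in policy:
        if acl_permits(acl, pkt):
            return name
    return "class-default"


EQ = lambda p: ("eq", p)
GT = lambda p: ("gt", p)

CVE_2018_0151 = [ace("udp", ANY, None, ANY, EQ(18999)), ace("udp", ANY, EQ(18999), ANY, None)]
ANY_TRAFF = [ace("ip", ANY, None, ANY, None)]

# ROUTING as shown by "sh ip access-lists ROUTING" in the 08-02 post (bgp = 179)
ROUTING_0802 = [
    ace("tcp", ANY, GT(1024), PE_RANGE, EQ(179)),
    ace("tcp", ANY, EQ(179), PE_RANGE, GT(1024)),
    ace("tcp", ANY, GT(1024), PE_RANGE, EQ(639)),
    ace("tcp", ANY, EQ(639), PE_RANGE, GT(1024)),
    ace("ip", ANY, None, ALL_ROUTERS, None),
    ace("tcp", ANY, None, PE_RANGE, EQ(646)),
    ace("ospf", ANY, None, PE_RANGE, None),
    ace("ospf", ANY, None, ("224.0.0.5", "0.0.0.0"), None),
    ace("ospf", ANY, None, ("224.0.0.6", "0.0.0.0"), None),
    ace("eigrp", ANY, None, PE_RANGE, None),
    ace("eigrp", ANY, None, ("224.0.0.10", "0.0.0.0"), None),
]

# ROUTING plus the four entries from the final post
ROUTING_FIXED = ROUTING_0802 + [
    ace("udp", ANY, None, ALL_ROUTERS, EQ(646)),
    ace("udp", ANY, EQ(646), ANY, EQ(646)),
    ace("tcp", ANY, None, PE2, EQ(646)),
    ace("udp", ANY, EQ(646), PE2, EQ(646)),
]

POLICY_0802 = [("CVE-2018-0151", CVE_2018_0151), ("ROUTING", ROUTING_0802), ("ANY_TRAFF", ANY_TRAFF)]
POLICY_FIXED = [("CVE-2018-0151", CVE_2018_0151), ("ROUTING", ROUTING_FIXED), ("ANY_TRAFF", ANY_TRAFF)]

# Constructed sample packets as the CoPP policy on PE2 (77.0.0.2) would see them
TARGETED_HELLO = {"proto": "udp", "src": "77.0.0.1", "sport": 646, "dst": "77.0.0.2", "dport": 646}
LINK_HELLO = {"proto": "udp", "src": "77.0.0.1", "sport": 646, "dst": "224.0.0.2", "dport": 646}
SESSION_SYN = {"proto": "tcp", "src": "77.0.0.1", "sport": 49152, "dst": "77.0.0.2", "dport": 646}


def report():
    """Map packet name -> (class under the 08-02 ACL, class under the fixed ACL)."""
    pkts = {"targeted_hello": TARGETED_HELLO, "link_hello": LINK_HELLO, "session_syn": SESSION_SYN}
    return {name: (classify(POLICY_0802, p), classify(POLICY_FIXED, p)) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, (before, after) in report().items():
        print(f"{name:15s} 08-02 ACL -> {before:10s} fixed ACL -> {after}")
```

Running it prints one line per sample packet; only the targeted hello changes class, from ANY_TRAFF to ROUTING, which matches the symptom in the thread (drops counted under ANY_TRAFF, only the targeted LDP neighborship failing). To test a real policy, replace the ACE lists with the entries from "show ip access-lists" and the packet dicts with the 5-tuples from a capture.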