10-03-2017 03:56 AM - edited 03-05-2019 09:13 AM
Hello,
I have stack of 2 switches 3750x.
I want to protect the stack's CPU from pinging.
I have the following settings:
class-map match-any ICMP_PORT_TE_1_1_2
match input-interface TenGigabitEthernet1/1/2
The TenGigabitEthernet1/1/2 is uplink.
class-map match-all ICMP_v4
match access-group name ACL_ICMPv4
policy-map ICMP_POLICY_CHILD_COPP
class ICMP_PORT_TE_1_1_2
police 100000 18000 exceed-action drop
policy-map POLICY_PARENT_COPP
class ICMP_v4
set precedence 0
service-policy ICMP_POLICY_CHILD_COPP
interface TenGigabitEthernet1/1/2
description -T-- #0000000 TRUNK TO SW1-MO-PUTIL-AGG Te1/1/1, MO,zaval (13.01.2017) ----
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 916,940,967,968,970,977,1124,1125
switchport mode trunk
switchport block unicast
srr-queue bandwidth share 10 70 15 5
srr-queue bandwidth shape 0 0 0 0
mls qos vlan-based
spanning-tree bpdufilter enable
interface Vlan1125
description ---Interface To SW1-MSK-074-CORE (Global Route Table)---
ip address 212.46.13.178 255.255.255.252
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 011C15145D3401032E4E71190C111E1E59
ip ospf network point-to-point
ip ospf dead-interval 3
ip ospf hello-interval 1
ip ospf mtu-ignore
service-policy input POLICY_PARENT_COPP
ip access-list extended ACL_ICMPv4
deny icmp 212.46.0.0 0.0.0.255 any
deny icmp 212.46.9.0 0.0.0.255 any
deny icmp 212.46.13.0 0.0.0.255 any
deny icmp 46.38.100.0 0.0.0.255 any
permit icmp any any
But the protection isn't working.
I'm pinging 212.46.13.178 from 46.38.120.1.
The same settings are working on an old 3750G.
10-06-2017 03:05 AM
I solved the problem.
My config is correct.
The problem was with IOS ver. 15.2(1)E2.
I upgraded the IOS to version 15.2(4)E5 and the protection is working.
10-03-2017 05:31 AM
MLS is enabled...
SW1-MO-PUTIL2-AGG#sh mls qos
QoS is enabled
10-03-2017 08:05 AM - edited 10-03-2017 08:10 AM
Your ACL is incorrect.
If you want to block ICMP from 46.38.120.1 you need to either add
deny icmp 46.38.120.0 0.0.0.255 any
OR
deny icmp 46.38.0.0 0.0.255.255 any
This one will block ICMP from 46.38.X.X subnets.
ip access-list extended ACL_ICMPv4
deny icmp 212.46.0.0 0.0.0.255 any
deny icmp 212.46.9.0 0.0.0.255 any
deny icmp 212.46.13.0 0.0.0.255 any
deny icmp 46.38.100.0 0.0.0.255 any <<--- This will block only IP addresses 46.38.100.X
permit icmp any any
But, protection don't working.
I'm pinging 212.46.13.178 from 46.38.120.1
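An added example, not code from the thread: it evaluates the posted ACL_ICMPv4 with Cisco wildcard-mask semantics against the source addresses mentioned above and reports whether each would be classified into class ICMP_v4 (only permit ACEs place traffic in a class-map; a matching deny keeps the packet out of the class, so it is not policed). The addresses 46.38.100.7 and 10.0.0.1 are constructed samples.

```python
import ipaddress

# ACL_ICMPv4 as posted in the thread (Cisco wildcard masks, not prefix lengths).
ACL_ICMPV4 = [
    ("deny",   "212.46.0.0",  "0.0.0.255"),
    ("deny",   "212.46.9.0",  "0.0.0.255"),
    ("deny",   "212.46.13.0", "0.0.0.255"),
    ("deny",   "46.38.100.0", "0.0.0.255"),
    ("permit", "0.0.0.0",     "255.255.255.255"),  # "permit icmp any any"
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def first_match(src: str, acl=ACL_ICMPV4):
    """Return (index, action) of the first ACE that matches src, or None (implicit deny)."""
    for idx, (action, network, wildcard) in enumerate(acl):
        if wildcard_match(src, network, wildcard):
            return idx, action
    return None


def classified(src: str, acl=ACL_ICMPV4) -> bool:
    """True if src lands in a 'match access-group' class-map using this ACL,
    i.e. the first matching ACE is a permit; deny or no match leaves it unpoliced."""
    hit = first_match(src, acl)
    return hit is not None and hit[1] == "permit"


def wildcard_to_cidr(network: str, wildcard: str) -> str:
    """Convert a contiguous wildcard mask (e.g. 0.0.0.255) to prefix notation."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # a contiguous low-bit run is one less than a power of two
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return str(ipaddress.IPv4Network((network, 32 - w.bit_length()), strict=False))


if __name__ == "__main__":
    for src in ("46.38.120.1", "212.46.9.1", "46.38.100.7", "10.0.0.1"):
        hit = first_match(src)
        ace = "implicit deny" if hit is None else f"ACE {hit[0]} ({hit[1]})"
        print(f"{src:>14} -> {ace:<16} policed by ICMP_v4: {classified(src)}")
```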
10-04-2017 02:01 AM
Hello, David
For the subnets 212.46.0.0/24, 212.46.9.0/24, 212.46.13.0/24 and 46.38.100.0/24 the protection must not work. For all other subnets, it must work.
But from 46.38.120.1 there is no protection.
10-04-2017 02:08 AM
From 212.46.9.1 there is no protection either.
There is no protection for any addresses.