Strange ASR-1001 Access-lists behavior

RemsoO
Level 1

Hello,

I am trying to implement control plane policies on my test equipment; my CTO is asking me to limit the ICMP max rate for all untrusted addresses. (I have to create an exception for known hosts.)

Having very little experience in CoPP, I believed that I could just deny some hosts in the ACL so those won't match the rate-limit class-map, like this:

ip access-list extended ICMP
 deny icmp host 192.168.1.3 any
 permit icmp any any

My big problem is that ICMP echoes are incrementing the counters of the rate-limit class when sent from the denied host's address. I thought that denying a host in the ACL was going to prevent those echoes from matching this class. (It does with a bunch of other models that I tested, where the echoes match the default class instead.)

The point is that I wanted to add a second ACL to treat those trusted hosts in a different class, but given that the first one is not working, I came here instead to avoid making mistakes.

Could you tell me if more efficient solutions exist for this use case? Have you ever seen this kind of ACL behavior on the 1000 series?

class-map match-any ICMP
 match access-group name ICMP

policy-map COPP
 class ICMP
  police cir 8000
  conform-action transmit
  exceed-action drop
  violate-action drop


ASR1001# show policy-map control-plane
Control Plane

Service-policy input: COPP

Class-map: ICMP (match-any)
720 packets, 50240 bytes    ===> Pings from .1.3 are incrementing this counter
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name ICMP
police:
cir 500000 bps, bc 15625 bytes, be 15625 bytes
conformed 720 packets, 50240 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

Class-map: FRAGMENTS (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps
Match: access-group name FRAGMENTS

Class-map: class-default (match-any)
34410 packets, 2052766 bytes
5 minute offered rate 9000 bps, drop rate 0000 bps

10 Replies

To be honest I don't have much experience in this case, but:

Any ACL used for QoS or CoPP must contain only permit entries, not deny.

Traffic that matches a permit will be controlled by CoPP; traffic that does not match a permit will pass without any limitation.

MHM

Any possibility that it could be platform specific? Or maybe older software? I can't find any documentation on how ACEs should be used with CoPP (except for the old ones), plus my boss keeps saying that it has already been done. Although I begin to doubt it, seeing a few topics saying the same as you. So why does the same setup work on a small old 890 series CPE?

(attached screenshot: Capture d'écran 2024-05-29 152640.png)

Good reference, I will double check.

Thanks for waiting 

MHM

Found this in the IOS-XE Release 3S (the right one) manual:

(attached screenshot: Capture d'écran 2024-05-29 155653.png)

Here we can notice quite a few denies, but they are only about egress ICMP unreachables. Above it there is what I want to achieve, but with Telnet; sadly it looks perfectly similar to what I did...

No, it is not the same.

There is match-any in your code and that may explain why it matches both deny and permit.

Remove match-any from your code.

MHM

Still the same behavior; I ran the test with an even older 7600 and it works. Guess it is Cisco platform joys.

I also found this to illustrate what I was saying earlier about Telnet:

(attached screenshot: Capture d'écran 2024-05-29 170615.png)

Can I see the last code you used?

MHM

class-map ICMP
 match access-group name ICMP

policy-map COPP
 class ICMP
  police cir 8000
  conform-action transmit
  exceed-action drop
  violate-action drop

Still the same behavior. However, we can actually use denies with CoPP on some other equipment, but I am still looking for an explanation of how I am supposed to provide a bypass from this control plane policy for my trusted hosts.

Are you running the service-policy command? Without it there is no meaning to the policy-map.

MHM

Yep, control-plane -> service-policy input COPP; otherwise I would not be able to see packets matching those class-maps.
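As an added example that is not part of the thread (neither RemsoO's configuration nor MHM's), the following shows the permit-only layout MHM describes, applied to the bypass RemsoO asks for: the trusted host gets its own class placed ahead of the policed class, so the exemption comes from class order in the policy-map rather than from a deny ACE. The host address 192.168.1.3, the policy name COPP and the 8000 bps CIR come from the original post; the ACL and class names TRUSTED-ICMP and UNTRUSTED-ICMP are names chosen here.

```cisco
! Added example, not from the thread. Assumed names: TRUSTED-ICMP, UNTRUSTED-ICMP.
! Both ACLs hold only permit entries; the exemption comes from class order.
ip access-list extended TRUSTED-ICMP
 permit icmp host 192.168.1.3 any
!
ip access-list extended UNTRUSTED-ICMP
 permit icmp any any
!
class-map match-all TRUSTED-ICMP
 match access-group name TRUSTED-ICMP
!
class-map match-all UNTRUSTED-ICMP
 match access-group name UNTRUSTED-ICMP
!
policy-map COPP
 ! First matching class wins: echoes from 192.168.1.3 are classified here,
 ! forwarded without a policer, and never reach UNTRUSTED-ICMP.
 class TRUSTED-ICMP
 ! Every other ICMP packet punted to the route processor is policed.
 class UNTRUSTED-ICMP
  police cir 8000
   conform-action transmit
   exceed-action drop
   violate-action drop
!
control-plane
 service-policy input COPP
```

A class with no police statement forwards what it matches but still counts it, so `show policy-map control-plane` (as in the original post) should show pings from 192.168.1.3 incrementing the TRUSTED-ICMP counters while leaving UNTRUSTED-ICMP untouched. Classes are evaluated in the order they appear in the policy-map and a class added to an existing policy-map is appended at the end, so if COPP already exists with the old ICMP class in it, remove that policy-map (or build a new one) so that TRUSTED-ICMP is listed first.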