
ASR901 control-plane policy

Hi all!

I am trying to implement control-plane policy on ASR 901.

It's done and applied to the control-plane, but it doesn't work.

Here is the configuration:

ip access-list extended ACL-Catch-All-IP
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ip any any
ip access-list extended ACL-DROP
 permit icmp any any fragments
 permit udp any any fragments
 permit tcp any any fragments
 permit ip any any fragments
 permit udp any any eq 1434
ip access-list extended ACL-MGMT
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit tcp any eq telnet any established
 permit tcp any eq 22 any established
 permit udp any any eq snmp
 permit udp any any eq tftp
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit udp any any eq syslog
 permit udp any any eq ntp
 permit udp any any eq domain
 permit 112 any any
ip access-list extended ACL-NORMAL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any port-unreachable
 permit icmp any any unreachable
 permit igmp any any
 permit pim any any
 permit udp any any eq pim-auto-rp
 permit gre any any
ip access-list extended ACL-ROUTING
 permit ospf any any
 permit eigrp any any

 


class-map match-all CM-Catch-All-IP
  match access-group name ACL-Catch-All-IP
class-map match-all CM-DROP
  match access-group name ACL-DROP
class-map match-all CM-NORMAL
  match access-group name ACL-NORMAL
class-map match-all CM-MGMT
  match access-group name ACL-MGMT
class-map match-all CM-ROUTING
  match access-group name ACL-ROUTING
!
policy-map PM_CoPP
 class CM-DROP
    police 8000 1500 1500 conform-action drop exceed-action drop
 class CM-ROUTING
    police 1000000 50000 50000 conform-action transmit exceed-action transmit
 class CM-MGMT
    police 100000 20000 20000 conform-action transmit exceed-action drop
 class CM-NORMAL
    police 50000 5000 5000 conform-action transmit exceed-action drop
 class CM-Catch-All-IP
    police 50000 5000 5000 conform-action transmit exceed-action drop
 class class-default
    police 8000 1500 1500 conform-action transmit exceed-action transmit

 

control-plane
 service-policy input PM_CoPP

 

 

Router#sh policy-map control-plane 
 Control Plane 

  Service-policy input: PM_CoPP

    Class-map: CM-DROP (match-all)  
      100 packets, 133400 bytes
      5 minute offered rate 4000 bps, drop rate 0000 bps
      Match: access-group name ACL-DROP
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          drop 
        exceeded 0 packets, 0 bytes; actions:
          drop 
        violated 0 packets, 0 bytes; actions:
          drop 
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: CM-ROUTING (match-all)  
      860 packets, 65560 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL-ROUTING
      police:
          cir 1000000 bps, bc 50000 bytes, be 50000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit 
        exceeded 0 packets, 0 bytes; actions:
          transmit 
        violated 0 packets, 0 bytes; actions:
          transmit 
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: CM-MGMT (match-all)  
      298 packets, 26408 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL-MGMT
      police:
          cir 100000 bps, bc 20000 bytes, be 20000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit 
        exceeded 0 packets, 0 bytes; actions:
          drop 
        violated 0 packets, 0 bytes; actions:
          drop 
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: CM-NORMAL (match-all)  
      103 packets, 171697 bytes
      5 minute offered rate 5000 bps, drop rate 0000 bps
      Match: access-group name ACL-NORMAL
      police:
          cir 50000 bps, bc 1562 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit 
        exceeded 0 packets, 0 bytes; actions:
          drop 
        conformed 0000 bps, exceeded 0000 bps

    Class-map: CM-Catch-All-IP (match-all)  
      1457 packets, 108060 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL-Catch-All-IP
      police:
          cir 50000 bps, bc 5000 bytes, be 5000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit 
        exceeded 0 packets, 0 bytes; actions:
          drop 
        violated 0 packets, 0 bytes; actions:
          drop 
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: class-default (match-any)  
      84 packets, 14394 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any 
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit 
        exceeded 0 packets, 0 bytes; actions:
          transmit 
        violated 0 packets, 0 bytes; actions:
          transmit 
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

 

It matches packets, but conformed counts are 0.

I tried to send fragmented ICMP packets, which are matched in class CM-DROP, and the router answered these ICMPs.

I.e. the policy matches packets but doesn't process them.

Is it a software bug? Version 15.4(3r)S3.
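One way to check every class for the symptom described in the post (packets classified while the conformed/exceeded/violated counters stay at zero), as an added example that is not part of the original post. The function names are hypothetical, and the CM-EXAMPLE class with its counters is constructed for contrast.

```python
import re

# Excerpt of the `show policy-map control-plane` output from the post (CM-DROP),
# plus one constructed class (CM-EXAMPLE) whose policer counters do increment.
SAMPLE = """\
    Class-map: CM-DROP (match-all)
      100 packets, 133400 bytes
      5 minute offered rate 4000 bps, drop rate 0000 bps
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          drop
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
    Class-map: CM-EXAMPLE (match-all)
      40 packets, 3200 bytes
      police:
          cir 50000 bps, bc 5000 bytes, be 5000 bytes
        conformed 38 packets, 3040 bytes; actions:
          transmit
        exceeded 2 packets, 160 bytes; actions:
          drop
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
MATCHED_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes\s*$")
POLICER_RE = re.compile(r"^\s*(conformed|exceeded|violated) (\d+) packets,")

def parse_classes(text):
    """Return {class_name: {"matched": n, "policed": n}} from the CLI output."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = classes.setdefault(m.group(1), {"matched": 0, "policed": 0})
        elif current is not None and (m := MATCHED_RE.match(line)):
            current["matched"] = int(m.group(1))   # class-level match counter
        elif current is not None and (m := POLICER_RE.match(line)):
            current["policed"] += int(m.group(2))  # sum of policer packet counters
    return classes

def unpoliced_classes(text):
    """Classes that classified packets while every policer counter stayed at 0."""
    return [name for name, c in parse_classes(text).items()
            if c["matched"] > 0 and c["policed"] == 0]

if __name__ == "__main__":
    print(unpoliced_classes(SAMPLE))
```

Run against the full output in the post, every class would be reported, since each one shows matched packets with all policer counters at zero.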

 

 

 
