Block control-plane traffic (l2 traceroute)?

Ivanleonel
Level 1

Hi,

I want to deny L2 traceroute traffic as stated in this article (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-l2-traceroute).

However, none of my 3560G/3750G switches has the drop command. Is there a possibility to block this kind of traffic?

I have tried on these IOS versions:

15.0(2)SE
15.0(2)SE4
12.2(40)SE
12.2(46)SE

3560g(config)#access-list 150 permit udp any any eq 2228
3560g(config)#class-map match-all drop-l2trace-class
3560g(config-cmap)# match access-group 150
3560g(config-cmap)#exit
3560g(config)#policy-map control-plane-policy
3560g(config-pmap)# class drop-l2trace-class
3560g(config-pmap-c)#?
Policy-map class configuration commands:
  exit            Exit from QoS class action configuration mode
  no              Negate or set default values of a command
  police          Police
  service-policy  Configure QoS Service Policy
  set             Set QoS values
  trust           Set trust value for the class
  <cr>

3560g(config-pmap-c)#drop
                         ^
% Invalid input detected at '^' marker.

4 Replies

What about the 3750G? It has the commands except the drop one.

For example, I can type something like this:


3750g(config)#access-list 150 permit udp any any eq 2228
3750g(config)#class-map match-all drop-l2trace-class
3750g(config-cmap)# match access-group 150
3750g(config-cmap)#exit
3750g(config)#policy-map control-plane-policy
3750g(config-pmap)# class drop-l2trace-class
3750g(config-pmap-c)#police 50000 30000 exceed-action drop
3750g(config-pmap-c)#

Even if you create the policy matching your class, you won't be able to apply it to the control plane; the 3750G doesn't support CoPP either:

3750-2EF-1(config)#mls qos ?
aggregate-policer Named aggregate policer
map qos map keyword
queue-set Choose a queue set for this queue
rewrite Rewrite Packet/Frame
srr-queue Configure SRR receive queues
<cr>

3750-2EF-1(config)#control-plane ?
% Unrecognized command
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3750G-48TS 12.2(55)SE12 C3750-IPBASEK9-M

The 3750X doesn't have the CoPP feature either, but L2 traceroute can be disabled at the CLI level:

F241.15.18-3700-8(config)#no l2 ?
  traceroute  Enable layer 2 traceroute support

F241.15.18-3700-8#show ver
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E8, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Fri 15-Mar-19 09:00 by prod_rel_team
....
cisco WS-C3750X-48 (PowerPC405) processor (revision A0) with 262144K bytes of memory.
Processor board ID FDO1736Z128


That is sad. I have a bunch of these. I understand it is old, but it does the job well. 

Looks like the only workaround is to block this kind of traffic with an interface ACL.

Thank you anyway.
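For the two mitigations the thread arrives at (an inbound port ACL on switches without CoPP, and `no l2 traceroute` where the image exposes it), here is an added configuration example. It is not from the thread or from Cisco; the ACL name, the interface range and the port numbering (3750G-style Gi1/0/x; a non-stacking 3560G uses Gi0/x) are assumptions to adapt to your switches.

```cisco
! Added example, not from the thread. Block Layer 2 traceroute probes
! (UDP 2228, per cisco-sa-20190925-l2-traceroute) on a Catalyst 3560G/3750G
! that has no CoPP and no "no l2 traceroute" command.
!
ip access-list extended BLOCK-L2TRACE
 remark Drop L2 traceroute queries (UDP 2228) before they reach the switch CPU
 deny   udp any any eq 2228
 permit ip any any
!
! Port ACLs on these platforms are inbound only; apply the ACL on every
! Layer 2 port that faces untrusted hosts (assumed range: all 48 access ports).
interface range GigabitEthernet1/0/1 - 48
 ip access-group BLOCK-L2TRACE in
!
! On platforms whose image exposes the knob (the thread shows a 3750-X on
! 15.2(4)E8), disable the feature itself instead of filtering it:
no l2 traceroute
!
! Verification
show ip access-lists BLOCK-L2TRACE
show running-config interface GigabitEthernet1/0/1
```

Two caveats. The ACL also stops the switch from answering `traceroute mac` queries from your own management hosts, so if you rely on that tool, add a `permit udp <mgmt-subnet> <mask> any eq 2228` line above the deny. And on these Catalyst platforms hardware-forwarded matches are generally not reflected in the `show ip access-lists` hit counters, so test the block from a host on a filtered port rather than trusting the counters.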