cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1379
Views
20
Helpful
4
Replies

control plane policing and protection

Hello everyone,

 

Once again i am a bit confused and ask for your help.

 

With regards to control plane policing, i was wondering if is it a way to block, as an example, telnet traffic, using a control plane policy map, and let only one host access the device. i do not want to set an access list on the interface. 

i need to mention that i cant edit the class-default...(or at least i dont know)

As an example:

access-list 101 permit tcp host 10.1.99.1 any eq telnet
access-list 101 deny tcp any any eq telnet

!

class-map match-all telnet-class
match access-group 101
!
policy-map cp-in
class telnet-class
police 1000000 conform-action transmit exceed-action drop

 

Now the second question is:

in this documentation found here: https://tinyurl.com/38bsk24r why the access 140 is using deny statement and not permit?

! Allow 10.1.1.1 trusted host traffic.
Router(config)# access-list 140 deny tcp host 10.1.1.1 any eq telnet 
! Allow 10.1.1.2 trusted host traffic. 
Router(config)# access-list 140 deny tcp host 10.1.1.2 any eq telnet 
! Rate-limit all other Telnet traffic.
Router(config)# access-list 140 permit tcp any any eq telnet
! Define class-map "telnet-class."
Router(config)# class-map telnet-class 
Router(config-cmap)# match access-group 140
Router(config-cmap)# exit
Router(config)# policy-map control-plane-in
Router(config-pmap)# class telnet-class
Router(config-pmap-c)# police 80000 conform transmit exceed drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
! Define control plane service for the active route processor.
Router(config)# control-plane
Router(config-cp)# service-policy input control-plane-in
Router(config-cp)# end

thank you in advance! 

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @DragosMariusAvram66611 ,

Control Plane Policing uses modular QoS  objects to define how control plane traffic  is sent to main CPU of the device.

CPP is intended to protect the node central CPU from Denial of service attacks.

In your config example we see:

The extended ACL 140 is used to define what traffic should be policed the two hosts with deny statement are considered trustable sources and they are not limited and you can use them for example to get the output of show tech-support.

All the other possible telnet sources are rate limited policed to 80 kbps

Hope to help

Giuseppe

 

View solution in original post

4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

Are you looking to classify or deny, most of the use control plane to clasify the traffic with priority as per i know.

If you looking to deny use VTY Line with ACL is good method for practice.

 

Example: Configuring Control Plane Policing on Input Telnet Traffic  - this example self explanatory already.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @DragosMariusAvram66611 ,

Control Plane Policing uses modular QoS  objects to define how control plane traffic  is sent to main CPU of the device.

CPP is intended to protect the node central CPU from Denial of service attacks.

In your config example we see:

The extended ACL 140 is used to define what traffic should be policed the two hosts with deny statement are considered trustable sources and they are not limited and you can use them for example to get the output of show tech-support.

All the other possible telnet sources are rate limited policed to 80 kbps

Hope to help

Giuseppe

 

i do not want to set an access list on the interface. <<-
If you talk about the L3SW, even if you config ACL under the SVI the traffic pass 
through SVI will filter

the traffic toward SVI will not affect by ACL, here we need CoPP or as @balaji.bandi suggest config access-group under VTY for telnet.

also there are other use of CoPP is protect CPU from high traffic DDoS

 

below link for use CoPP for control ICMP rate in NSK SW.

https://community.cisco.com/t5/networking-documents/icmp-ping-drops-when-pinging-from-nexus-7000/ta-p/3125996

Review Cisco Networking for a $25 gift card