06-26-2022 01:17 AM
Hello everyone,
Once again I am a bit confused and ask for your help.
With regard to control plane policing, I was wondering if there is a way to block, as an example, Telnet traffic using a control plane policy map, and let only one host access the device. I do not want to set an access list on the interface.
I need to mention that I can't edit the class-default... (or at least I don't know how to).
As an example:
access-list 101 permit tcp host 10.1.99.1 any eq telnet
access-list 101 deny tcp any any eq telnet
!
class-map match-all telnet-class
 match access-group 101
!
policy-map cp-in
 class telnet-class
  police 1000000 conform-action transmit exceed-action drop
Now the second question is:
In this documentation found here: https://tinyurl.com/38bsk24r, why is access list 140 using deny statements and not permit?
! Allow 10.1.1.1 trusted host traffic.
Router(config)# access-list 140 deny tcp host 10.1.1.1 any eq telnet
! Allow 10.1.1.2 trusted host traffic.
Router(config)# access-list 140 deny tcp host 10.1.1.2 any eq telnet
! Rate-limit all other Telnet traffic.
Router(config)# access-list 140 permit tcp any any eq telnet
! Define class-map "telnet-class."
Router(config)# class-map telnet-class
Router(config-cmap)# match access-group 140
Router(config-cmap)# exit
Router(config)# policy-map control-plane-in
Router(config-pmap)# class telnet-class
Router(config-pmap-c)# police 80000 conform transmit exceed drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
! Define control plane service for the active route processor.
Router(config)# control-plane
Router(config-cp)# service-policy input control-plane-in
Router(config-cp)# end
thank you in advance!
06-26-2022 06:30 AM - edited 06-26-2022 06:31 AM
Hello @DragosMariusAvram66611,
Control Plane Policing uses modular QoS objects to define how control plane traffic is sent to the main CPU of the device.
CPP is intended to protect the node's central CPU from denial of service attacks.
In your config example we see:
The extended ACL 140 is used to define what traffic should be policed. The two hosts with deny statements are considered trusted sources; they are not limited, and you can use them, for example, to get the output of show tech-support.
All the other possible Telnet sources are rate-limited (policed) to 80 kbps.
Hope to help
Giuseppe
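The deny/permit point in this answer, as an added example that is not from the original thread: a small Python simulation of how a class-map's `match access-group` treats an ACL result. Only a permit result selects the class; a deny (an explicit deny entry or the implicit deny at the end of every IOS ACL) means "not this class", so the packet is handled by class-default, which in the policy quoted above has no policer. The two ACLs are copied from the thread; the sample packets and the router address 10.1.1.254 are constructed for the demonstration.

```python
"""Added example: how an IOS numbered ACL used under 'match access-group'
selects traffic for a CoPP class.  Not the thread's own code; the ACL text is
a constructed copy of the two ACLs discussed above."""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry; None in src/dst means 'any'."""
    action: str
    proto: str
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]


def _addr(toks: list[str], i: int):
    """Parse 'any' or 'host A.B.C.D' at toks[i]; return (addr_or_None, next index)."""
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError(f"unsupported address form: {toks[i]}")


def parse_acl(config: str, number: int) -> list[Ace]:
    """Collect the entries of 'access-list <number> ...' lines, in order."""
    aces = []
    for raw in config.splitlines():
        toks = raw.strip().split()
        if toks[:2] != ["access-list", str(number)]:
            continue  # blank lines, '!' comments and other ACLs are skipped
        action, proto = toks[2], toks[3]
        src, i = _addr(toks, 4)
        dst, i = _addr(toks, i)
        dport = None
        if i < len(toks) and toks[i] == "eq":
            name = toks[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def acl_lookup(aces: list[Ace], pkt: Packet) -> str:
    """First-match evaluation, ending with the implicit deny every IOS ACL has."""
    for ace in aces:
        if ace.proto != pkt.proto:
            continue
        if ace.src is not None and ace.src != pkt.src:
            continue
        if ace.dst is not None and ace.dst != pkt.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def copp_class(aces: list[Ace], pkt: Packet) -> str:
    """Under 'match access-group' only a permit result puts the packet in the class.
    A deny result (explicit or implicit) means 'not this class', so the packet
    goes to class-default, which in the thread's policy carries no policer."""
    return "telnet-class" if acl_lookup(aces, pkt) == "permit" else "class-default"


def classify_all(config: str, number: int, packets: list[Packet]) -> dict:
    aces = parse_acl(config, number)
    return {(p.src, p.dport): copp_class(aces, p) for p in packets}


# Constructed copies of the two ACLs from the thread.
OP_ACL = """
access-list 101 permit tcp host 10.1.99.1 any eq telnet
access-list 101 deny tcp any any eq telnet
"""
DOC_ACL = """
! Allow 10.1.1.1 and 10.1.1.2 trusted host traffic.
access-list 140 deny tcp host 10.1.1.1 any eq telnet
access-list 140 deny tcp host 10.1.1.2 any eq telnet
! Rate-limit all other Telnet traffic.
access-list 140 permit tcp any any eq telnet
"""

# Constructed sample control-plane packets; ROUTER is an assumed device address.
ROUTER = "10.1.1.254"
SAMPLE = [
    Packet("tcp", "10.1.1.1", ROUTER, 23),
    Packet("tcp", "10.1.1.2", ROUTER, 23),
    Packet("tcp", "10.1.99.1", ROUTER, 23),
    Packet("tcp", "192.0.2.50", ROUTER, 23),
    Packet("tcp", "192.0.2.50", ROUTER, 22),
]

if __name__ == "__main__":
    for label, cfg, num in (("ACL 140 (documentation)", DOC_ACL, 140),
                            ("ACL 101 (question)", OP_ACL, 101)):
        print(label)
        for (src, dport), cls in classify_all(cfg, num, SAMPLE).items():
            print(f"  {src}:{dport} -> {cls}")
```

With ACL 140 the two trusted hosts land in class-default and every other Telnet source lands in telnet-class, where the 80 kbps policer applies; SSH matches nothing and also falls to class-default. With ACL 101 from the question the classification is inverted: the single permitted host is the one that ends up in telnet-class and gets policed, while all other Telnet sources hit the deny entry and pass through class-default unpoliced. That is why the documentation puts the trusted hosts in deny entries.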
06-26-2022 04:01 AM
Are you looking to classify or to deny? Most use control plane policing to classify the traffic with priority, as far as I know.
If you are looking to deny, using the VTY line with an ACL is a good method in practice.
06-26-2022 06:48 AM
"I do not want to set an access list on the interface." <<-
If you are talking about an L3 switch: even if you configure an ACL under the SVI, the traffic passing through the SVI will be filtered,
but the traffic toward the SVI will not be affected by the ACL. Here we need CoPP or, as @balaji.bandi suggests, configuring an access-group under the VTY for Telnet.
Also, another use of CoPP is to protect the CPU from high-traffic DDoS.
Below is a link for using CoPP to control the ICMP rate on NSK switches.
06-26-2022 10:43 PM
Hello,
I found a similar solution to my problem here: https://community.cisco.com/t5/network-management/restricting-telnet-ssh-access-to-loopback-address/td-p/1306161
Thank you all!!