06-18-2014 06:23 PM - edited 03-07-2019 07:46 PM
In every document I have found, it is saying that I can do the following:
Device(config)# access-list 141 deny icmp 10.0.0.1 0.0.0.255 any port-unreachable
! Rate-limit all other ICMP traffic.
Device(config)# access-list 141 permit icmp any any port-unreachable
Device(config)# class-map icmp-class
Device(config-cmap)# match access-group 141
Device(config-cmap)# exit
Device(config)# policy-map control-plane-out
! Drop all traffic that matches the class "icmp-class."
Device(config-pmap)# class icmp-class
Device(config-pmap-c)# drop
Device(config-pmap-c)# exit
Device(config-pmap)# exit
Device(config)# control-plane
! Define aggregate control plane service for the active route processor.
Device(config-cp)# service-policy output control-plane-out
Device(config-cp)# end
However, when I try to create a policy-map to drop traffic for a specific class, the "drop" command just isn't there. I think it's only available in the "access-control" type of policy-map. The "access-control" type of policy-map requires an "access-control" type of class-map. When I create an "access-control" type class-map, it won't let me match on access-lists.
It appears the two features are mutually exclusive.
Can anyone shed some light on this? I'm just trying to block IP packets of TTL 0 and 1 from reaching my control plane.
06-19-2014 12:14 AM
Hi
I have done it this way.
police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
/Mikael
06-18-2014 09:31 PM
Hi LA,
The first thing I would like to call your attention to is that your CoPP should be input.
Which device are we talking about?
I can do it just fine on my 1841 router:
ip access-list extended BLOCK_TTL_ACL
permit ip any any ttl eq 1
class-map match-all BLOCK_TTL_1_CM
match access-group name BLOCK_TTL_ACL
policy-map BLOCK_TTL_1_PM
class BLOCK_TTL_1_CM
drop
control-plane
service-policy input BLOCK_TTL_1_PM
R3#show policy-map control-plane
Control Plane
Service-policy input: BLOCK_TTL_1_PM
Class-map: BLOCK_TTL_1_CM (match-all)
146 packets, 10441 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name BLOCK_TTL_ACL
drop
Class-map: class-default (match-any)
29 packets, 3288 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
06-18-2014 09:41 PM
Thanks for your reply. I can't get past the part where
I tried this on 15.4(1)S1 on Cisco IOS XE Software, Version 03.11.01.S. I also tried this on an ASR1001. And I tried this on Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16).
The part where I issue the 'drop' command on the class in the policy-map is where I'm having trouble. The 'drop' command doesn't seem to be available on any routers I have access to.
Device(config)# policy-map control-plane-in
Device(config-pmap)# class icmp-class
Device(config-pmap-c)# drop <---- (command isn't there)
06-19-2014 10:05 AM
This is perfect. I totally forgot you can drop on conform.
Thank you!
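Putting Mikael's all-drop policer together with a TTL-matching ACL like the one used on the 1841 above, here is an added example (not from any post in this thread) of a complete CoPP policy that drops TTL 0 and TTL 1 packets on an IOS image whose policy-map has no bare "drop" action. The names are hypothetical and 192.0.2.1 is a placeholder for a directly connected eBGP peer, which is exempted because eBGP sends with TTL 1 by default and would otherwise be dropped along with the probes.

```cisco
! Match only packets that would expire at this router: TTL 0 or 1.
! In a class-map ACL "deny" means "do not match this class", so the
! eBGP session with the directly connected peer is exempted first.
! COPP_* names are hypothetical; 192.0.2.1 is a placeholder peer.
ip access-list extended COPP_LOW_TTL_ACL
 deny   tcp host 192.0.2.1 any eq bgp
 deny   tcp host 192.0.2.1 eq bgp any
 permit ip any any ttl lt 2
!
class-map match-all COPP_LOW_TTL_CM
 match access-group name COPP_LOW_TTL_ACL
!
! Every action drops, so the cir/bc/be values never change the
! outcome; the policer is only a vehicle for the drop on images
! that do not offer "drop" directly under the class.
policy-map COPP_IN_PM
 class COPP_LOW_TTL_CM
  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
 class class-default
!
! CoPP protects the route processor from traffic it receives, so the
! policy is applied in the input direction.
control-plane
 service-policy input COPP_IN_PM
!
! Verify: the packet counters under COPP_LOW_TTL_CM should rise when a
! low-TTL probe (for example a traceroute hop) reaches this router.
! show policy-map control-plane
```

Because packets with TTL 1 are dropped before the router can generate an ICMP time-exceeded reply, this router will show up as a timed-out hop (*) in traceroutes through it; add further deny lines to the ACL for any other TTL-1 protocol (such as a neighbour discovery or routing adjacency) that the box must keep answering.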
03-29-2018 09:17 PM
Mikael,
In your example:
police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
is there a reason for these values (32000, 1500, & 1500) or are they just chosen randomly, as all actions are going to drop traffic no matter what?
Thanks,
JKC
08-10-2016 04:40 PM
I had this issue on Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) and found this post.
I just wanted to note that the only devices I have that have the 'drop' command you are looking for are my 2911s running Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M5, RELEASE SOFTWARE (fc1).
Great answer that it can be done in another way, but that drop command does actually exist depending on your IOS and device. I did some research and wasn't able to nail down when the command was introduced.