06-18-2014 06:23 PM - edited 03-07-2019 07:46 PM
In every document I have found, it is saying that I can do the following:
Device(config)# access-list 141 deny icmp 10.0.0.1 0.0.0.255 any port-unreachable
! Rate-limit all other ICMP traffic.
Device(config)# access-list 141 permit icmp any any port-unreachable
Device(config)# class-map icmp-class
Device(config-cmap)# match access-group 141
Device(config-cmap)# exit
Device(config)# policy-map control-plane-out
! Drop all traffic that matches the class "icmp-class."
Device(config-pmap)# class icmp-class
Device(config-pmap-c)# drop
Device(config-pmap-c)# exit
Device(config-pmap)# exit
Device(config)# control-plane
! Define aggregate control plane service for the active route processor.
Device(config-cp)# service-policy output control-plane-out
Device(config-cp)# end
However, when I try to create a policy-map to drop traffic for a specific class, the "drop" command just isn't there. I think it's only available in the "access-control" type of policy-map. The "access-control" type of policy-map requires an "access-control" type of class-map. When I create an "access-control" type class-map, it won't let me match on access-lists.
It appears the two features are mutually exclusive.
Can anyone shed some light on this? I'm just trying to block IP packets of TTL 0 and 1 from reaching my control plane.
06-19-2014 12:14 AM
Hi
I have done it this way.
police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
/Mikael
06-18-2014 09:31 PM
Hi LA,
The first thing I would like to bring to your attention is that your CoPP should be input.
Which device are we talking about?
I can do it just fine on my 1841 router
ip access-list extended BLOCK_TTL_ACL
permit ip any any ttl eq 1
class-map match-all BLOCK_TTL_1_CM
match access-group name BLOCK_TTL_ACL
policy-map BLOCK_TTL_1_PM
class BLOCK_TTL_1_CM
drop
control-plane
service-policy input BLOCK_TTL_1_PM
R3#show policy-map control-plane
Control Plane
Service-policy input: BLOCK_TTL_1_PM
Class-map: BLOCK_TTL_1_CM (match-all)
146 packets, 10441 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name BLOCK_TTL_ACL
drop
Class-map: class-default (match-any)
29 packets, 3288 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
06-18-2014 09:41 PM
Thanks for your reply. I can't get past the part where
I tried this on 15.4(1)S1 on Cisco IOS XE Software, Version 03.11.01.S. I also tried this on an ASR1001. And I tried this on Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16).
The part where I issue the 'drop' command on the class in the policy-map is where I'm having trouble. The 'drop' command doesn't seem to be available on any routers I have access to.
Device(config)# policy-map control-plane-in
Device(config-pmap)# class icmp-class
Device(config-pmap-c)# drop <---- (command isn't there)
06-19-2014 10:05 AM
This is perfect. I totally forgot you can drop on conform.
Thank you!
03-29-2018 09:17 PM
Mikael,
In your example:
police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
is there a reason for these values (32000, 1500, & 1500) or are they just chosen randomly, as all actions are going to drop traffic no matter what?
Thanks,
JKC
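As an added example (not taken from any post in this thread), here is the complete CoPP configuration that combines the original poster's goal, dropping IP packets with TTL 0 or 1 before they reach the route processor, with the police-based drop from Mikael's answer. The ACL, class-map and policy-map names are assumed. Because the conform, exceed and violate actions are all drop, the cir/bc/be values never change which packets are dropped; they only need to be values the platform accepts. The policy is applied in the input direction, as noted earlier in the thread, and the show command at the end is the same one used above to confirm the class is matching.

```cisco
! Added example, not from the original posts. Names are assumed.
! Match IP packets with TTL 0 or 1 (ACL TTL matching, as in the 1841 example).
ip access-list extended COPP_LOW_TTL_ACL
 permit ip any any ttl eq 0
 permit ip any any ttl eq 1
!
class-map match-all COPP_LOW_TTL_CM
 match access-group name COPP_LOW_TTL_ACL
!
policy-map COPP_IN_PM
 class COPP_LOW_TTL_CM
  ! Every action drops, so cir/bc/be only have to be syntactically valid
  ! for the platform; they do not affect what gets dropped.
  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
 class class-default
  ! Other control-plane traffic is left untouched in this example.
!
control-plane
 service-policy input COPP_IN_PM
!
! Verification: the packet counter under COPP_LOW_TTL_CM should increase
! and match the drop counter once the policy is applied.
! show policy-map control-plane
```

On platforms where the plain "drop" action is available under the class (see the later post in this thread about which IOS images have it), "drop" can replace the police line; the police form is the portable fallback when it is not.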
08-10-2016 04:40 PM
I had this issue on Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) and found this post.
I just wanted to note that the only devices I have that have the 'drop' command you are looking for are my 2911s running Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M5, RELEASE SOFTWARE (fc1).
Great answer that it can be done in another way, but that drop command does actually exist depending on your IOS and device. I did some research and wasn't able to nail down when the command was introduced.