Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8480
Views
10
Helpful
6
Replies

Using policy-map to drop traffic for control plane policing

Go to solution
LA-Engineer
Level 1
Level 1

‎06-18-2014 06:23 PM - edited ‎03-07-2019 07:46 PM

In every document I have found, it is saying that I can do the following:

Device(config)# access-list 141 deny icmp 10.0.0.1 0.0.0.255 any port-unreachable
 
! Rate-limit all other ICMP traffic. 
Device(config)# access-list 141 permit icmp any any port-unreachable
Device(config)# class-map icmp-class
 
Device(config-cmap)# match access-group 141
Device(config-cmap)# exit
Device(config)# policy-map control-plane-out
! Drop all traffic that matches the class "icmp-class."
Device(config-pmap)# class icmp-class
Device(config-pmap-c)# drop
Device(config-pmap-c)# exit
Device(config-pmap)# exit
Device(config)# control-plane
! Define aggregate control plane service for the active route processor.
Device(config-cp)# service-policy output control-plane-out
Device(config-cp)# end

 

However, when I try to create a policy-map to drop traffic for a specific class, the "drop" command just isn't there.  I think its only available in "access-control" type of policy-map.  The "access-control" type of policy-map requires "access-control" type of class-map.  When I create a "access-control" type class-map, it won't let me match on access-lists.

 

It appears the two features are mutually exclusive.

 

Can anyone shed some light on this?  I'm just trying to block IP packets of TTL 0 and 1 from reaching my control plane.

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mlund
Level 7
Level 7

‎06-19-2014 12:14 AM

Hi

I have done it this way.

  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
 

/Mikael

View solution in original post

6 Replies 6

Go to solution
Renan Abreu
Cisco Employee
Cisco Employee

‎06-18-2014 09:31 PM

Hi LA,

 

     First thing I would like to catch you attention is that you CoPP should be input.

     Which device are we talking about?

     I can do it just fine on my 1841 router

 

ip access-list extended BLOCK_TTL_ACL
 permit ip any any ttl eq 1

class-map match-all BLOCK_TTL_1_CM
 match access-group name BLOCK_TTL_ACL

policy-map BLOCK_TTL_1_PM
 class BLOCK_TTL_1_CM
   drop

control-plane
 service-policy input BLOCK_TTL_1_PM

 

R3#show policy-map control-plane 
 Control Plane 

  Service-policy input: BLOCK_TTL_1_PM

    Class-map: BLOCK_TTL_1_CM (match-all)
      146 packets, 10441 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name BLOCK_TTL_ACL
      drop

    Class-map: class-default (match-any)
      29 packets, 3288 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 

 

0 Helpful

Go to solution
LA-Engineer
Level 1
Level 1
In response to Renan Abreu

‎06-18-2014 09:41 PM

Thanks for your reply.  I can't get past the part where 

I tried this on 15.4(1)S1 on Cisco IOS XE Software, Version 03.11.01.S.  I also tried this on ASR1001.  And I tried this on Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16),.

The part where I issue the 'drop' command on the class in the policy-map is where I'm having trouble.  The 'drop' command doesn't seem to be available on any routers I have access to.

 

Device(config)# policy-map control-plane-in
Device(config-pmap)# class icmp-class
Device(config-pmap-c)# drop <---- (command isn't there)
0 Helpful

Go to solution
mlund
Level 7
Level 7

‎06-19-2014 12:14 AM

Hi

I have done it this way.

  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
 

/Mikael

Go to solution
LA-Engineer
Level 1
Level 1
In response to mlund

‎06-19-2014 10:05 AM

This is perfect.  I totally forgot you can drop on conform.

 

Thank you!

0 Helpful

Go to solution
jkcollins14_dell
Level 1
Level 1
In response to mlund

‎03-29-2018 09:17 PM

Mikael,

 

In your example:   

 police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop

 

is there a reason for these values (32000, 1500, & 1500) or are they just chosen randomly, as all actions are going to drop traffic no matter what?

 

Thanks,

JKC

 

 

0 Helpful

Go to solution
ronald.stimbert
Level 1
Level 1

‎08-10-2016 04:40 PM

I had this issue on Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) and found this post. 

I just wanted to note that the only devices I have that have the 'drop' command you are looking for are my 2911s running Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M5, RELEASE SOFTWARE (fc1). 

Great answer that it can be done in another way, but that drop command does actually exist depending on your IOS and device. I did some research and wasn't able to nail down when the command was introduced. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card