Hello, I have configured the Control Plane CoPP Port-Filtering (CPPr) feature on a Cisco ISR 890 Series Router running IOS 15.8(3)M9 to stop the router from responding with closed status on all closed or non-existent TCP/UDP ports. Here is the configur...
Hello, I am trying to find a way to make my routers not respond at all (no ICMP unreachable or closed responses) on closed or non-existent TCP and UDP ports. By default, Cisco routers respond with a closed status on all closed or non-existent ports whe...
Hello, I have encountered an issue with two routers showing UDP port 53 (DNS) open on their outside interfaces and I cannot determine why.
Devices and Software Versions:
Cisco ISR4431/K9 – IOS XE 16.09.07
Cisco ASR1001-X – IOS XE 16.09.08
Symptoms: When I ...
Hi, I have a Cisco ASR 1001-X with adventerprise running Cisco IOS XE Software Version 16.06.06. Following are the router configs. The netflow output for interfaces BDI3194 and BDI1208 shows no entries, and I have confirmed traffic and packets a...
Hi, I have two Cisco ISR 897VA routers with advanced IP services IOS, one on each site. Both routers have one WAN/Outside interface with only one IP address assigned. Both routers are connected through an IKEv2 Site to Site VPN tunnel, and one of these rou...
I was able to resolve this issue by modifying the class-map to explicitly exclude the DHCP ports. The updated configuration is:
class-map type port-filter match-all closed
 match closed-ports
 match not port udp 67 68
After applying this change, the route...
After further investigation, I can confirm that there was no issue with the routers themselves. Neither the ISR4431 nor the ASR1001-X had UDP port 53 or any DNS service open. The behavior I was seeing was caused by my ISP, Comcast, intercepting traffi...
Only this one line is appearing in the config, and that too is being used in a DHCP pool:
show running-config | include dns
 dns-server 8.8.8.8 1.1.1.1 8.8.4.4 1.0.0.1
To exclude or pass the DHCP ports: if I add another port-filter class map for the DHCP ports, the port-filter policy map does not give any police option under that class.
class-map type port-filter match-any open
 match port udp 67 68
policy-map type port-filter...
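The two port-filter excerpts above (the `match not port udp 67 68` fix, and the observation that a port-filter class offers no police action) come from truncated posts. As an added example, not configuration from the original posts, the following shows a complete CPPr port-filter policy of the kind they describe: one class that matches every closed TCP/UDP port except the DHCP server/client ports, a policy map that drops it, and the policy applied to the host control-plane subinterface. The policy-map and class names (CPPR-CLOSED, closed) are assumptions chosen for the example; the port-filter policy type only supports the `drop` action, which is why a separate "open" class would not offer `police`.

```cisco
! Added example: CPPr port-filter that silently drops traffic to closed ports
! while still letting DHCP (UDP 67/68) reach the control plane.
! Class and policy names are assumptions for this example.

! match-all: the packet must be to a closed port AND not be UDP 67/68.
! Without the "match not" line, DHCP requests to the router's own
! relay/server function were being dropped as "closed ports".
class-map type port-filter match-all closed
 match closed-ports
 match not port udp 67 68

! Port-filter policies support only the drop action (no police option).
policy-map type port-filter CPPR-CLOSED
 class closed
  drop

! Port-filter policies attach to the host subinterface of the control plane.
control-plane host
 service-policy type port-filter input CPPR-CLOSED

! Verification: confirm the drop counters increase when probing a closed port
! from outside, and that DHCP leases are still handed out.
! show policy-map type port-filter control-plane host
! show control-plane host open-ports
```

When extending this, keep the exclusions inside the `match-all` class with `match not` rather than adding a second class: the port-filter policy type has no permit or police action, so a matching class can only drop.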
Changing the group on both proposals to a unique group, like 19 and 20, resolved the issue of conflict and mismatch.
crypto ikev2 proposal FlexVPN
 encryption aes-cbc-128 aes-cbc-256 aes-cbc-192
 integrity sha256
 group 19
crypto ikev2 proposal ikev2prop...