Re: control plane policing

From: ALL From_NJ (all.from.nj@gmail.com)
Date: Fri Feb 27 2009 - 14:58:49 ARST

• Next message: Sadiq Yakasai: "Re: control plane policing"
• Previous message: nhatphuc: "Re: Rotary Command"
• Maybe in reply to: GAURAV MADAN: "control plane policing"
• Next in thread: Sadiq Yakasai: "Re: control plane policing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

The key words here was "to the interface of R1" ... in other words, to the
router itself.

Might be helpful if your lab said something more like:

"Admin bob is worried about icmp DOS attacks from hosts off of his f0/0
port. Limit all traffic coming from this interface to the router at a max
of 8k if to be processed by the router ... "

Traffic that the router must process and respond to, uses the CPU.

This traffic coming to the router can DOS the router; as the example given
with icmp. If the CPU AKA, 'control-plane', is too busy answering requests,
it may begin to delay and or drop packets, requests, etc...

Here is a link (watch for the word wrap):
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/ctrl_plane_policn
g_ps6350_TSD_Products_Configuration_Guide_Chapter.html

BTW - this link was hard for me to find ;-( ... I need to keep working on
my lookup skills ..., something tells me I might have to be good at this.
;-)

From the link above:

Benefits of Control Plane Policing

Configuring the Control Plane Policing feature on your Cisco router or
switch provides the following benefits:

Protection against DoS attacks at infrastructure routers and switches
QoS control for packets that are destined to the control plane of Cisco
routers or switches
Ease of configuration for control plane policies
Better platform reliability and availability

HTH,

Andrew Lee Lissitz

On Fri, Feb 27, 2009 at 10:24 AM, GAURAV MADAN
<gauravmadan1177@gmail.com>wrote:

> Hi All
>
> I was hit badly while i was checking out solution of one of work labs .
> The task says that Ping from IP x.x.x.x to R1 interface f0/0 shd be limited
> to 8 kb/sec and excess to be dropped .
>
> I configured as follows :
>
> ip access-li ext TEST
> perm icmp host x.x.x.x any echo
> !
> class-map TEST
> match access-group name TEST
> !
> policy-map TEST
> class TEST
> police 8000 conform-action Tx exceed-action drop
> !
> int f0/0
> service-poli in TEST
> !
>
> Solution said
> ****************
>
> control plane
> service-policy in TEST
>
> Was i wrong in this ? Can someone explain abt control plane policing and
> when does it come in play ?
> Regards
> Gaurav Madan.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

--
Andrew Lee Lissitz
all.from.nj@gmail.com
Blogs and organic groups at http://www.ccie.net

• Next message: Sadiq Yakasai: "Re: control plane policing"
• Previous message: nhatphuc: "Re: Rotary Command"
• Maybe in reply to: GAURAV MADAN: "control plane policing"
• Next in thread: Sadiq Yakasai: "Re: control plane policing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:13 ARST