From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Fri Feb 27 2009 - 15:13:20 ARST
Gaurav,
What you actually configured is data-plane policing, matching transit icmp
traffic (from the host x.x.x.x to any) only.
Step back and have a good look again, I am sure it would eventually become
more obvious :-)
HTH,
Sadiq
On Fri, Feb 27, 2009 at 4:58 PM, ALL From_NJ <all.from.nj@gmail.com> wrote:
> The key words here were "to the interface of R1" ... in other words, to the
> router itself.
>
> Might be helpful if your lab said something more like:
>
> "Admin bob is worried about icmp DOS attacks from hosts off of his f0/0
> port. Limit all traffic coming from this interface to the router at a max
> of 8k if to be processed by the router ... "
>
> Traffic that the router must process and respond to, uses the CPU.
>
> This traffic coming to the router can DOS the router; as the example given
> with icmp. If the CPU AKA, 'control-plane', is too busy answering requests,
> it may begin to delay and/or drop packets, requests, etc...
>
> Here is a link (watch for the word wrap):
>
> http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/ctrl_plane_policng_ps6350_TSD_Products_Configuration_Guide_Chapter.html
>
> BTW - this link was hard for me to find ;-( ... I need to keep working on
> my lookup skills ..., something tells me I might have to be good at this.
> ;-)
>
> From the link above:
>
> Benefits of Control Plane Policing
>
> Configuring the Control Plane Policing feature on your Cisco router or
> switch provides the following benefits:
>
> - Protection against DoS attacks at infrastructure routers and switches
> - QoS control for packets that are destined to the control plane of Cisco
>   routers or switches
> - Ease of configuration for control plane policies
> - Better platform reliability and availability
>
> HTH,
>
> Andrew Lee Lissitz
>
> On Fri, Feb 27, 2009 at 10:24 AM, GAURAV MADAN <gauravmadan1177@gmail.com> wrote:
>
> > Hi All
> >
> > I was hit badly while I was checking out the solution of one of the work labs.
> > The task says that ping from IP x.x.x.x to R1 interface f0/0 should be
> > limited to 8 kb/sec and excess to be dropped.
> >
> > I configured as follows:
> >
> > ip access-list extended TEST
> >  permit icmp host x.x.x.x any echo
> > !
> > class-map TEST
> >  match access-group name TEST
> > !
> > policy-map TEST
> >  class TEST
> >   police 8000 conform-action transmit exceed-action drop
> > !
> > interface f0/0
> >  service-policy input TEST
> > !
> >
> > Solution said
> > ****************
> >
> > control-plane
> >  service-policy input TEST
> >
> > Was I wrong in this? Can someone explain about control plane policing and
> > when does it come in play?
> > Regards
> > Gaurav Madan.
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Andrew Lee Lissitz
> all.from.nj@gmail.com
-- CCIE #19963
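
An added example, not part of the original thread: a short Python check that reads an IOS-style configuration and reports whether each service-policy is attached under an interface (the data-plane policing described in the reply above) or under control-plane. The sample configuration, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import re

# Constructed sample config: the policy is attached to the interface only.
SAMPLE_CONFIG = """\
ip access-list extended TEST
 permit icmp host 192.0.2.10 any echo
!
class-map match-all TEST
 match access-group name TEST
!
policy-map TEST
 class TEST
  police 8000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 service-policy input TEST
!
"""

ATTACH = re.compile(r"\s+service-policy\s+(input|output)\s+(\S+)")

def policy_attachments(config):
    """Return (section, direction, policy) for each service-policy line."""
    found, section = [], None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            section = None            # blank or "!" closes the section
            continue
        if not line[0].isspace():     # unindented line opens a new section
            section = line.strip()
            continue
        m = ATTACH.match(line)
        if m and section:
            found.append((section, m.group(1), m.group(2)))
    return found

def plane_report(config):
    """Map each policy to the planes it is attached to (interface = data-plane)."""
    report = {}
    for section, _direction, policy in policy_attachments(config):
        plane = "control-plane" if section.startswith("control-plane") else "data-plane"
        report.setdefault(policy, set()).add(plane)
    return report

def cpu_unprotected(config):
    """True when no service-policy is attached under control-plane."""
    return all("control-plane" not in p for p in plane_report(config).values())

if __name__ == "__main__":
    print(plane_report(SAMPLE_CONFIG), cpu_unprotected(SAMPLE_CONFIG))
```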
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:13 ARST