Re: control plane policing

From: Victor Cappuccio (vcappuccio@gmail.com)
Date: Fri Feb 27 2009 - 21:01:25 ARST


Hi,

Most of the traffic travels through the router via the data plane, but an RP
must handle some things, like routing updates or network management
traffic. Control Plane Policing (CPP) (or CoPP for the 6500
implementation) is a dedicated control plane and can be configured with
MQC to provide filtering and policing.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

Router>en
Router#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int f1/0
R2(config-if)#ip add 10.1.12.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#
R2(config)#
R2(config)#do ping 10.1.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/58/116 ms
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#ip access-list ex 101
R2(config-ext-nacl)#permit icmp any any
R2(config-ext-nacl)#exit
R2(config)#class-map ICMP
R2(config-cmap)#ma access-group 101
R2(config-cmap)#exit
R2(config)#policy-map TEST
R2(config-pmap)#class ICMP
R2(config-pmap-c)#drop
R2(config-pmap-c)#exit
R2(config-pmap)#control-plane
R2(config-cp)#?
Control Plane configuration commands:
  exit Exit from control-plane configuration mode
  no Negate or set default values of a command
  service-policy Configure QOS Service Policy

R2(config-cp)#service-policy in TEST
R2(config-cp)#do show pol
*Feb 28 00:53:03.359: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane aggregate path
icy-map
R2(config-cp)#do show policy-map
  Policy Map TEST
    Class ICMP
      drop

R2(config-cp)#no service-policy in TEST
R2(config-cp)#do deb ip icmp
ICMP packet debugging is on
R2(config-cp)#
*Feb 28 00:53:47.287: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1
*Feb 28 00:53:47.351: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1
*Feb 28 00:53:47.403: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1
*Feb 28 00:53:47.411: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1
*Feb 28 00:53:47.419: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1
R2(config-cp)#
R2(config-cp)#
R2(config-cp)#control-plane
R2(config-cp)#service-policy in TEST
R2(config-cp)#
R2(config-cp)#
R2(config-cp)#
*Feb 28 00:53:56.139: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane aggregate path

R2(config-cp)#
R2(config-cp)#do deb ip packet
IP packet debugging is on
R2(config)#do show policy-map control-plane all
 Control Plane

  Service-policy input: TEST

    Class-map: ICMP (match-all)
      15 packets, 1710 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 101
      drop

    Class-map: class-default (match-any)
      14 packets, 1420 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R2(config)#!We silently drop ICMP Traffic, because of the policy rule

This amazing feature can be used to limit, for example, SYN destined to
the RP - Just a thought -

Thanks,

On Fri, Feb 27, 2009 at 6:19 PM, Carlos Trujillo Jimenez <
nergal888@hotmail.com> wrote:

> Gaurav.
>
>
>
> COPP applies to traffic destined to the control plane of the device, for
> example to the IP address of its interfaces.
>
>
>
> With the policy map applied to the interface, you are policing the traffic
> passing through the device (from one interface to the other).
>
>
>
> Hope it helps.
>
>
>
>
>
> > Date: Fri, 27 Feb 2009 20:54:20 +0530
> > Subject: control plane policing
> > From: gauravmadan1177@gmail.com
> > To: ccielab@groupstudy.com
> >
> > Hi All
> >
> > I was hit badly while I was checking out the solution of one of the work labs.
> > The task says that ping from IP x.x.x.x to R1 interface f0/0 should be limited
> > to 8 kb/sec and excess to be dropped.
> >
> > I configured as follows :
> >
> > ip access-li ext TEST
> > perm icmp host x.x.x.x any echo
> > !
> > class-map TEST
> > match access-group name TEST
> > !
> > policy-map TEST
> > class TEST
> > police 8000 conform-action transmit exceed-action drop
> > !
> > int f0/0
> > service-poli in TEST
> > !
> >
> > Solution said
> > ****************
> >
> > control-plane
> > service-policy in TEST
> >
> > Was I wrong in this? Can someone explain about control plane policing and
> > when it comes into play?
> > Regards
> > Gaurav Madan.
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

-- 
Victor Cappuccio
CCIE R/S# 20657
CCSI# 30452
www.anetworkerblog.com
www.linkedin.com/in/vcappuccio
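
The task from the original question, applied at the control plane as the lab solution indicates and extended with a TCP SYN class along the lines of the closing remark above. This is an added example, not configuration posted by anyone in the thread; the COPP-* names and the 32000 bps SYN rate are assumptions, and x.x.x.x is the placeholder address from the question.

```cisco
! Added example (assumed names and SYN rate; x.x.x.x is the thread's placeholder).
! Echo requests from one host, addressed to any of the router's own addresses.
ip access-list extended COPP-ICMP-ECHO
 permit icmp host x.x.x.x any echo
!
! Any TCP segment with the SYN bit set that is punted to the RP.
! Caveat: this also matches SYN-ACK replies to sessions the router opens itself,
! so size the rate with the router's own TCP sessions in mind.
ip access-list extended COPP-TCP-SYN
 permit tcp any any syn
!
class-map match-all COPP-ICMP-ECHO
 match access-group name COPP-ICMP-ECHO
class-map match-all COPP-TCP-SYN
 match access-group name COPP-TCP-SYN
!
policy-map COPP-IN
 ! 8000 bps: conforming pings are answered, the excess is dropped.
 class COPP-ICMP-ECHO
  police 8000 conform-action transmit exceed-action drop
 ! Assumed rate for illustration only.
 class COPP-TCP-SYN
  police 32000 conform-action transmit exceed-action drop
 ! class-default is left unpoliced, so routing updates and management
 ! traffic that match neither class are not rate-limited.
!
control-plane
 service-policy input COPP-IN
!
! Verify: per-class counters should show conformed and exceeded packets.
! show policy-map control-plane all
```

Attached to the interface instead, the same policy-map would also police matching traffic passing through the router, which is the distinction drawn in the quoted reply.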


This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:13 ARST