OK. It isn't like that. Each protocol has its own policing to be
defined, but that is not the question. The question is defining traffic with
ACLs for the given scenario.
On Thu, Mar 25, 2010 at 11:29 AM, eseosa <eseosa.ehiwe_at_gmail.com> wrote:
> If the task asks you to do control plane policing for all input
> packets, the solution below should suffice:
>
> class-map POLICE
> match any
>
> policy-map COPP
> class POLICE
> police rate xxx
>
> control-plane
> service-policy input COPP
>
>
> On 3/25/10, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
>>                10.1.12.0/24
>> R1 (PE) ----------eigrp------------ R2 (PE)
>>    |                                   |
>>    |                                   |
>>   ospf                                ospf
>>    |                                   |
>>    |                                   |
>>    CE                                  CE
>>
>>
>> OK. The scenario is like this. The MPLS core has EIGRP running. The PE routers are
>> running MPBGP, and running OSPF with the CE routers.
>> The task is that R2 has control-plane policing of all INPUT packets.
>>
>> R1:
>> Lo0 - 1.1.1.1
>> Lo1 - 11.11.11.11 (used for sham-link)
>> Fa0/0 (to R2) - 10.1.12.1/24
>>
>> R2:
>> Lo - 2.2.2.2
>> Lo1 - 11.11.11.22 (used for sham link)
>> Fa0/0 (to R1) - 10.1.12.2/24
>>
>> ACLs to define interesting traffic coming INTO R2's control-plane:
>>
>> !
>> ip access-list extended BGP
>> permit tcp host 10.1.12.1 host 10.1.12.2 eq bgp
>> permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp
>> permit tcp host 10.1.12.1 eq bgp host 10.1.12.2
>> permit tcp host 1.1.1.1 eq bgp host 2.2.2.2
>> ip access-list extended EIGRP
>> permit eigrp host 10.1.12.1 any
>> permit eigrp any host 224.0.0.10
>> ip access-list extended LDP
>> permit udp host 1.1.1.1 any eq 646
>> permit udp host 10.1.12.1 any eq 646
>> permit tcp host 1.1.1.1 any eq 646
>> permit tcp host 10.1.12.1 any eq 646
>> ip access-list extended OSPF
>> permit ospf any host 10.1.12.2
>> permit ospf any host 224.0.0.5
>> permit ospf any host 224.0.0.6
>> !
>>
>> This is what is matched:
>>
>> Extended IP access list BGP
>> 10 permit tcp host 10.1.12.1 host 10.1.12.2 eq bgp
>> 20 permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp (63 matches)
>> 30 permit tcp host 10.1.12.1 eq bgp host 10.1.12.2
>> 40 permit tcp host 1.1.1.1 eq bgp host 2.2.2.2
>> Extended IP access list EIGRP
>> 10 permit eigrp host 10.1.12.1 any (17727 matches)
>> 20 permit eigrp any host 224.0.0.10 (437 matches)
>> Extended IP access list LDP
>> 5 permit udp host 1.1.1.1 any eq 646
>> 10 permit udp host 10.1.12.1 any eq 646 (18757 matches)
>> 15 permit tcp host 1.1.1.1 any eq 646 (117 matches)
>> 20 permit tcp host 10.1.12.1 any eq 646
>> Extended IP access list OSPF
>> 30 permit ospf any host 10.1.12.2
>> 35 permit ospf any host 224.0.0.5 (337 matches)
>> 40 permit ospf any host 224.0.0.6
>>
>> So, my question: are the above statements enough? Is something too much,
>> since not all statements are matched?
>> On the Cisco site I read that routing protocols should have exceed action
>> transmit? Is that the case? That means no policing should be done on
>> such traffic?
>> Let's say that the CE routers are also the customer's iBGP routers and iBGP
>> sessions are established using reachability provided by the customer's
>> OSPF, and connectivity for OSPF between the two customer sites is
>> provided by MPLS VPN. Does the iBGP traffic between the CE routers also
>> get to R2's control-plane for processing, or is it just traverse
>> traffic? If R2 has to look into its routing table for that traffic, is
>> it also coming to the CP of R2 or not?
>>
>> Thanks
>>
>> Regards
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
> --
> Warm Regards,
>
> Eseosa
> CCIE #23782
> "The Christian is a person who makes it easy for others to believe in
> God." - Robert M. McCheyne
Received on Thu Mar 25 2010 - 11:32:14 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:36 ART