Re: Dropping ip fragments using control plane from Radioactive Frog on 2010-10-03 (Ccielab archives 10/2010)

From: Radioactive Frog <pbhatkoti_at_gmail.com>
Date: Mon, 4 Oct 2010 11:35:59 +1100

Option#2 is the right one.

FROG(config-ext-nacl)#permit ip any any option ?
  <0-255> IP Options value
  add-ext Match packets with Address Extension Option (147)
  any-options Match packets with ANY Option
  com-security Match packets with Commercial Security Option (134)
  dps Match packets with Dynamic Packet State Option (151)
  encode Match packets with Encode Option (15)
  eool Match packets with End of Options (0)
  ext-ip Match packets with Extended IP Option (145)
  ext-security Match packets with Extended Security Option (133)
  finn Match packets with Experimental Flow Control Option (205)
  imitd Match packets with IMI Traffic Desriptor Option (144)
  lsr Match packets with Loose Source Route Option (131)
  mtup Match packets with MTU Probe Option (11)
  mtur Match packets with MTU Reply Option (12)
  no-op Match packets with No Operation Option (1)
  nsapa Match packets with NSAP Addresses Option (150)
  record-route Match packets with Record Route Option (7)
  router-alert Match packets with Router Alert Option (148)
  sdb Match packets with Selective Directed Broadcast Option (149)
  security Match packets with Basic Security Option (130)
  ssr Match packets with Strict Source Routing Option (137)
  stream-id Match packets with Stream ID Option (136)
  timestamp Match packets with Time Stamp Option (68)
  traceroute Match packets with Trace Route Option (82)
  ump Match packets with Upstream Multicast Packet Option (152)
  visa Match packets with Experimental Access Control Option (142)
  zsu Match packets with Experimental Measurement Option (10)

FROG#sh run | sec control-plane
control-plane cef-exception
service-policy input CP
control-plane
FROG#
FROG#show control-plane cef-exception features
Control plane cef-exception path features :

--------------------------------------------------------
Control-plane Policing activated Mar 01 2002 00:0

--------------------------------------------------------

FROG#

On Mon, Oct 4, 2010 at 7:59 AM, imran mohammed <imran4cisco_at_gmail.com>wrote:

> Hi All,
>
>
> Which is correct
>
> *configuration 1:*
>
> ip access-list extended fragment
> permit ip any any fragments
> !
> class-map match-all fragment
> match access-group name fragment
> !
> policy-map CP
> class fragment
> drop
> !
> control-plane cef-exception
>
> service-policy input CP
>
>
>
> *configuration 2:*
>
> ip access-list extended fragment
> permit ip any any fragments
> !
> class-map match-all fragment
> match access-group name fragment
> !
> policy-map CP
> class fragment
> drop
> !
> control-plane transit
>
> service-policy input CP
>
>
> I feel this should be control-plane host
>
> Regards
>
> imran
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Mon Oct 04 2010 - 11:35:59 ART

This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:05 ART