Control Plane Policing Practicalities...

Unanswered Question
Jan 7th, 2009

Hi,

According to the following:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

in order to help tighten a CoPP Policy:

"...Step 3. Review Identified Packets and Begin to Filter Access to the Route Processor

... The "permit ip any any" access-list entry will log a number of packet matches. Some form of analysis will be required to determine the exact nature of the unclassified packets."

Has anyone any idea how to determine what kind of traffic is matching the catch-all class, i.e. 'permit ip any any'? In other words, how would one define the 'some form of analysis' mentioned above?

Any help appreciated.

Thanks,

Mark

Yudong Wu Wed, 01/07/2009 - 08:11

I think you can add "permit ip any any log"; then the system should write a log message when a packet matches this entry. You can check with "show log" if the logging buffer is turned on.

UTVi-NetAdmin Wed, 01/07/2009 - 08:20

Hi Kevin,

Thanks for the response.

I get the following in 12.4(21a), i.e. c7200-ik9s-mz.124-21a.bin on a 7204VXR:

ROUTER(config-ext-nacl)#9 permit tcp any 192.168.0.0 0.0.1.255 eq telnet log

class-map CoPP-post-undesirable : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map CoPP-post-undesirable will not work properly

ROUTER(config-ext-nacl)#

I may be wrong here, but, from what I can see in the doc, I may need Control Plane Logging:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_cpl.html

Seems to require a 12.4T image also, going by Feature Navigator.

I hope I'm wrong (and I probably am...)

Thanks,

Mark

Yudong Wu Wed, 01/07/2009 - 08:29

Hi Mark,

You are right. It looks like ACL for CoPP is handled in a different way. The feature you found should work for you.

I am not aware of any other way to capture the packets punted to the CPU on a 7204 router. But on a 7600 router we could do an inband SPAN to capture those packets.

Thanks for pointing this out.

Kevin
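As an added example (not from the thread or from Cisco's white paper), one way to do the "some form of analysis" without the unsupported 'log' keyword: build the catch-all class from an all-permit ACL whose entries are split by protocol, leave the class at "transmit" so nothing is dropped while the policy is still being tightened, and read the per-entry hit counts with "show access-list". Class and ACL names are hypothetical, and it assumes the platform maintains ACE hit counters for ACLs referenced by a CoPP class-map.

```cisco
! Classes for traffic already identified (names are made up for this example)
ip access-list extended CoPP-Routing
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
!
ip access-list extended CoPP-Management
 permit tcp any any eq 22
 permit udp any any eq snmp
!
! Catch-all ACL: every entry permits, so the class still matches everything
! left over, but the split by protocol makes "show access-list" counters tell
! you roughly what the unclassified traffic is. No 'log' keyword here: the
! class-map rejects it, as the thread shows.
ip access-list extended CoPP-Catch-All
 permit icmp any any
 permit tcp any any
 permit udp any any
 permit ip any any
!
class-map match-all CoPP-Routing
 match access-group name CoPP-Routing
class-map match-all CoPP-Management
 match access-group name CoPP-Management
class-map match-all CoPP-Catch-All
 match access-group name CoPP-Catch-All
!
! The catch-all class goes last; its exceed-action stays "transmit" until the
! leftovers are understood and moved into proper classes.
policy-map CoPP
 class CoPP-Routing
  police 256000 conform-action transmit exceed-action transmit
 class CoPP-Management
  police 64000 conform-action transmit exceed-action drop
 class CoPP-Catch-All
  police 8000 conform-action transmit exceed-action transmit
!
control-plane
 service-policy input CoPP
!
! Reading the results: per-class conformed/exceeded packet counts, then the
! per-entry hit counts on the catch-all ACL.
! show policy-map control-plane
! show access-list CoPP-Catch-All
```

Once a protocol shows steady hits in the catch-all ACL, add a more specific entry (source, destination, port) above it, clear the counters, and repeat until the remaining "permit ip any any" count stays near zero.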
