A CoPP and Class Map Question - HURRY! :-)

lamav
Level 8

Here is my CoPP policy in its entirety. Focus on the ACLs and class map, not the policing at the bottom.

ip access-list extended ROUTING_TRAFFIC
 remark CoPP OSPF Traffic Class
 permit ospf any any
!
ip access-list extended MANAGEMENT_TRAFFIC
 remark CoPP for Network Management Traffic
 permit udp host 10.41.248.129 host 64.13.44.104 eq snmp
 permit udp host 10.41.168.24 host 64.13.44.104 eq ntp
 permit tcp any gt 1024 any eq 22
 permit tcp any eq 22 any gt 1024 established
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq 1812
 permit tcp any any eq 1813
!
ip access-list extended ICMP_TRAFFIC
 remark CoPP for ICMP Traffic
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any port-unreachable
 permit icmp any any unreachable
!
ip access-list extended UNDESIRABLE_TRAFFIC
 remark CoPP for All Potentially Malicious Traffic
 permit icmp any any fragments
 permit udp any any fragments
 permit tcp any any fragments
 permit ip any any fragments
 permit udp any any eq 1434
 permit tcp any any eq bgp rst
!
ip access-list extended GENERAL_TRAFFIC
 remark CoPP for General Traffic
 permit ip any any
!
! Named ACLs are referenced with "match access-group name <acl>";
! without "name" IOS expects a numbered ACL.
class-map CRITICAL_TRAFFIC
 description ROUTING UPDATES
 match access-group name ROUTING_TRAFFIC
!
class-map IMPORTANT_TRAFFIC
 description MANAGEMENT TRAFFIC
 match access-group name MANAGEMENT_TRAFFIC
!
class-map NORMAL_TRAFFIC
 description ICMP TRAFFIC
 match access-group name ICMP_TRAFFIC
!
class-map UNDESIRABLE_TRAFFIC
 description MALICIOUS TRAFFIC
 match access-group name UNDESIRABLE_TRAFFIC
!
class-map GENERAL_TRAFFIC
 description ALL OTHER TRAFFIC
 match access-group name GENERAL_TRAFFIC
!
! Classes are evaluated top-down and the first match wins, so the
! catch-all GENERAL_TRAFFIC class (permit ip any any) must come last
! or the UNDESIRABLE_TRAFFIC class is never reached.
policy-map ROUTER_COPP
 class CRITICAL_TRAFFIC
  police 1000000 50000 50000 conform-action transmit exceed-action transmit
 class IMPORTANT_TRAFFIC
  police 100000 20000 20000 conform-action transmit exceed-action drop
 class NORMAL_TRAFFIC
  police 50000 5000 5000 conform-action transmit exceed-action drop
 class UNDESIRABLE_TRAFFIC
  police 8000 1500 1500 conform-action drop exceed-action drop
 class GENERAL_TRAFFIC
  police 50000 5000 5000 conform-action transmit exceed-action drop
!

Question:

In the class map, should I use match-all or match-any?

I think match-any, right? I say this because each class map matches an ACL with several statements/flows in it. The active flow I want to police should only need to match itself in the ACL to have the CoPP policy applied. If I do match-all, the data flow must match ALL the criteria in the ACL before the CoPP is applied, and, of course, I don't want that, right?

Am I reading this wrong? Also, I forgot what the default is if you don't specify match-all or match-any...

need answers in a hurry! :-)


5 Replies

xcz504d1114
Level 4

You must use match-any or match-all if more than one match criterion exists. So using just "match" wouldn't work if you are matching multiple criteria. But I don't see any of your class-maps that have multiple match criteria in them. It looks like you could combine "NORMAL_TRAFFIC" and "GENERAL_TRAFFIC" in a match-any class-map though.

You are correct: if you use match-any, the action is performed if any one of the conditions is met; if you use match-all, all criteria must be met before the action is performed.

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfmdcli.html

HTH,

Craig

xcz504d1114
Level 4

Just for clarification: even though you have multiple lines in your ACL, that does not constitute multiple criteria. The ACL acts as a match-any, so if any traffic matches any of your permit lines, the policy is applied to that traffic.

HTH,

Craig

OK, I think I get it.

In the class map, the "match any" or "match all" is referring to the match criteria within the class map itself, NOT the ACL statements... right?

So, in my case, I am only using ONE match command in the class map (matching an ACL for that type of traffic), so I could use match all OR match any... it wouldn't make a difference, right??

Yup, you got it. Let us know if you have any other questions!

HTH,

Craig
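To make the point of this thread concrete, here is a small Python model of how MQC classification behaves. It is an added example, not code from the original thread, Cisco, or any IOS tool. It models three things the replies above rely on: several permit lines in one ACL are OR-ed (first match wins, implicit deny at the end), a class-map with one match statement behaves identically under match-all and match-any, and a class-map with two ACL matches differs between the two keywords. It also goes one step beyond the thread by showing why class order inside the policy-map matters: a permit-ip-any-any class placed before the UNDESIRABLE_TRAFFIC class absorbs every packet first. The ACL contents are a shortened copy of the ones posted above; all packets, the 192.0.2.x/198.51.100.x addresses and the helper names are constructed for the example.

```python
"""Toy model of how Cisco MQC classifies a packet for CoPP (added example).

Modelled assumptions, simplified from IOS behaviour:
  * an ACL is evaluated top-down, first matching entry wins, implicit deny
    at the end, so several permit lines in one ACL are OR-ed together;
  * a class-map combines its match statements with match-all (AND) or
    match-any (OR); match-all is the default when neither keyword is typed;
  * a policy-map tries its classes top-down; the first class that matches
    is the one whose police action applies.
All packets and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "ospf", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class AclEntry:
    """One 'permit' line of an extended ACL; proto "ip" matches everything."""
    proto: str
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.dport in (None, pkt.dport)
                and self.icmp_type in (None, pkt.icmp_type))


# Shortened copies of the thread's ACLs (all lines are permits, so
# first-match evaluation reduces to "does any line match?").
ACLS: Dict[str, List[AclEntry]] = {
    "ROUTING_TRAFFIC": [AclEntry("ospf")],
    "MANAGEMENT_TRAFFIC": [
        AclEntry("udp", "10.41.248.129", "64.13.44.104", dport=161),  # snmp
        AclEntry("udp", "10.41.168.24", "64.13.44.104", dport=123),   # ntp
        AclEntry("tcp", dport=22),                                    # ssh
    ],
    "ICMP_TRAFFIC": [AclEntry("icmp", icmp_type="echo"),
                     AclEntry("icmp", icmp_type="echo-reply")],
    "UNDESIRABLE_TRAFFIC": [AclEntry("udp", dport=1434)],
    "GENERAL_TRAFFIC": [AclEntry("ip")],
}

# Class name -> the single ACL it references, as in the thread.
CLASS_TO_ACL = {
    "CRITICAL_TRAFFIC": "ROUTING_TRAFFIC",
    "IMPORTANT_TRAFFIC": "MANAGEMENT_TRAFFIC",
    "NORMAL_TRAFFIC": "ICMP_TRAFFIC",
    "UNDESIRABLE_TRAFFIC": "UNDESIRABLE_TRAFFIC",
    "GENERAL_TRAFFIC": "GENERAL_TRAFFIC",
}

# Order as posted (catch-all before UNDESIRABLE) and the corrected order.
OP_ORDER = ["CRITICAL_TRAFFIC", "IMPORTANT_TRAFFIC", "NORMAL_TRAFFIC",
            "GENERAL_TRAFFIC", "UNDESIRABLE_TRAFFIC"]
FIXED_ORDER = ["CRITICAL_TRAFFIC", "IMPORTANT_TRAFFIC", "NORMAL_TRAFFIC",
               "UNDESIRABLE_TRAFFIC", "GENERAL_TRAFFIC"]

# Constructed sample packets: OSPF, SNMP poll, SSH, ping, UDP/1434, HTTP.
SAMPLE_PACKETS = [
    Packet("ospf", "10.0.0.1", "224.0.0.5"),
    Packet("udp", "10.41.248.129", "64.13.44.104", dport=161),
    Packet("tcp", "192.0.2.10", "64.13.44.104", dport=22),
    Packet("icmp", "192.0.2.10", "64.13.44.104", icmp_type="echo"),
    Packet("udp", "198.51.100.7", "64.13.44.104", dport=1434),
    Packet("tcp", "198.51.100.7", "64.13.44.104", dport=80),
]


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """Top-down ACL evaluation; no matching line means the implicit deny."""
    return any(entry.matches(pkt) for entry in acl)


@dataclass
class ClassMap:
    name: str
    acls: List[str]                 # one entry per "match access-group name"
    mode: str = "match-all"         # IOS default when no keyword is given


def class_matches(cm: ClassMap, pkt: Packet) -> bool:
    hits = [acl_permits(ACLS[name], pkt) for name in cm.acls]
    return all(hits) if cm.mode == "match-all" else any(hits)


def classify(policy: List[ClassMap], pkt: Packet) -> str:
    """First matching class in policy-map order wins."""
    for cm in policy:
        if class_matches(cm, pkt):
            return cm.name
    return "class-default"


def build_policy(order: List[str]) -> List[ClassMap]:
    return [ClassMap(name, [CLASS_TO_ACL[name]]) for name in order]


def single_acl_mode_is_irrelevant() -> bool:
    """One match statement: match-all and match-any classify identically."""
    for name in ACLS:
        for pkt in SAMPLE_PACKETS:
            if (class_matches(ClassMap(name, [name], "match-all"), pkt)
                    != class_matches(ClassMap(name, [name], "match-any"), pkt)):
                return False
    return True


def two_acl_class_hits(mode: str) -> int:
    """Sample packets hitting a class that matches BOTH/EITHER of two ACLs."""
    cm = ClassMap("MGMT_AND_ICMP", ["MANAGEMENT_TRAFFIC", "ICMP_TRAFFIC"], mode)
    return sum(class_matches(cm, pkt) for pkt in SAMPLE_PACKETS)


if __name__ == "__main__":
    print("single ACL, mode irrelevant:", single_acl_mode_is_irrelevant())
    print("two ACLs, match-all hits:", two_acl_class_hits("match-all"))
    print("two ACLs, match-any hits:", two_acl_class_hits("match-any"))
    for label, order in (("posted", OP_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "order, UDP/1434 lands in:",
              classify(build_policy(order), SAMPLE_PACKETS[4]))
```

With one `match access-group name` per class, the keyword choice changes nothing, which is the accepted answer. The two-ACL class shows the difference Craig describes: match-all can never be satisfied because no single packet is both management and ICMP, while match-any catches either. The last check is the ordering caveat: with the catch-all class ahead of UNDESIRABLE_TRAFFIC, the UDP/1434 packet is policed as general traffic and the drop class is dead configuration.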

Victor,

How have you been? (grin)

Toshi
