Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Control Plane Policing Practicalities...


According to the following:

in order to help tighten a CoPP Policy:

"...Step 3. Review Identified Packets and Begin to Filter Access to the Route Processor

... The "permit ip any any" access-list entry will log a number of packet matches. Some form of analysis will be required to determine the exact nature of the unclassified packets."

Has anyone any idea how determine what kind of traffic is matching on the catchall class i.e 'permit ip any any'. In other words, define 'some form of analysis' mentioned above?

Any help appreciated.




Re: Control Plane Policing Practicalities...

I think you can add "permit ip any any log" then system should write a log message when there is a packet match this entry. You can check by "show log" if the logging buffer is turned on.

New Member

Re: Control Plane Policing Practicalities...

Hi Kevin,

Thanks for the response.

I get the following in 12.4(21a)i.e c7200-ik9s-mz.124-21a.bin on 7204VXR

ROUTER(config-ext-nacl)#9 permit tcp any eq telnet log

class-map CoPP-post-undesirable : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map CoPP-post-undesirable will not work properly


I may be wrong here, but, from what I can see in the doc, I may need Control Plane Logging:

Seems to require a 12.4T image also, going by Feature Navigator.

I hope I'm wrong (and I probably am...)



Re: Control Plane Policing Practicalities...

Hi Mark,

You are right. It looks like ACL for CoPP is handled in a different way. The feature you found should work for you.

I am not aware of any other way to capture the packet punted to CPU in 7204 router. But in 7600 router we could do a inband SPAN to capture those packets.

Thanks for pointing this out.