Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8497
Views
10
Helpful
6
Replies

Using policy-map to drop traffic for control plane policing

Go to solution
LA-Engineer
Level 1
Level 1

‎06-18-2014 06:23 PM - edited ‎03-07-2019 07:46 PM

In every document I have found, it is saying that I can do the following:

Device(config)# access-list 141 deny icmp 10.0.0.1 0.0.0.255 any port-unreachable
 
! Rate-limit all other ICMP traffic. 
Device(config)# access-list 141 permit icmp any any port-unreachable
Device(config)# class-map icmp-class
 
Device(config-cmap)# match access-group 141
Device(config-cmap)# exit
Device(config)# policy-map control-plane-out
! Drop all traffic that matches the class "icmp-class."
Device(config-pmap)# class icmp-class
Device(config-pmap-c)# drop
Device(config-pmap-c)# exit
Device(config-pmap)# exit
Device(config)# control-plane
! Define aggregate control plane service for the active route processor.
Device(config-cp)# service-policy output control-plane-out
Device(config-cp)# end

 

However, when I try to create a policy-map to drop traffic for a specific class, the "drop" command just isn't there.  I think its only available in "access-control" type of policy-map.  The "access-control" type of policy-map requires "access-control" type of class-map.  When I create a "access-control" type class-map, it won't let me match on access-lists.

 

It appears the two features are mutually exclusive.

 

Can anyone shed some light on this?  I'm just trying to block IP packets of TTL 0 and 1 from reaching my control plane.

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mlund
Level 7
Level 7

‎06-19-2014 12:14 AM

Hi

I have done it this way.

  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
 

/Mikael

View solution in original post

6 Replies 6

Go to solution
Renan Abreu
Cisco Employee
Cisco Employee

‎06-18-2014 09:31 PM

Hi LA,

 

     First thing I would like to catch you attention is that you CoPP should be input.

     Which device are we talking about?

     I can do it just fine on my 1841 router

 

ip access-list extended BLOCK_TTL_ACL
 permit ip any any ttl eq 1

class-map match-all BLOCK_TTL_1_CM
 match access-group name BLOCK_TTL_ACL

policy-map BLOCK_TTL_1_PM
 class BLOCK_TTL_1_CM
   drop

control-plane
 service-policy input BLOCK_TTL_1_PM

 

R3#show policy-map control-plane 
 Control Plane 

  Service-policy input: BLOCK_TTL_1_PM

    Class-map: BLOCK_TTL_1_CM (match-all)
      146 packets, 10441 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name BLOCK_TTL_ACL
      drop

    Class-map: class-default (match-any)
      29 packets, 3288 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 

 

0 Helpful

Go to solution
LA-Engineer
Level 1
Level 1
In response to Renan Abreu

‎06-18-2014 09:41 PM

Thanks for your reply.  I can't get past the part where 

I tried this on 15.4(1)S1 on Cisco IOS XE Software, Version 03.11.01.S.  I also tried this on ASR1001.  And I tried this on Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16),.

The part where I issue the 'drop' command on the class in the policy-map is where I'm having trouble.  The 'drop' command doesn't seem to be available on any routers I have access to.

 

Device(config)# policy-map control-plane-in
Device(config-pmap)# class icmp-class
Device(config-pmap-c)# drop <---- (command isn't there)
0 Helpful

Go to solution
mlund
Level 7
Level 7

‎06-19-2014 12:14 AM

Hi

I have done it this way.

  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
 

/Mikael

Go to solution
LA-Engineer
Level 1
Level 1
In response to mlund

‎06-19-2014 10:05 AM

This is perfect.  I totally forgot you can drop on conform.

 

Thank you!

0 Helpful

Go to solution
jkcollins14_dell
Level 1
Level 1
In response to mlund

‎03-29-2018 09:17 PM

Mikael,

 

In your example:   

 police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop

 

is there a reason for these values (32000, 1500, & 1500) or are they just chosen randomly, as all actions are going to drop traffic no matter what?

 

Thanks,

JKC

 

 

0 Helpful

Go to solution
ronald.stimbert
Level 1
Level 1

‎08-10-2016 04:40 PM

I had this issue on Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) and found this post. 

I just wanted to note that the only devices I have that have the 'drop' command you are looking for are my 2911s running Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M5, RELEASE SOFTWARE (fc1). 

Great answer that it can be done in another way, but that drop command does actually exist depending on your IOS and device. I did some research and wasn't able to nail down when the command was introduced. 

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card