Using policy-map to drop traffic for control plane policing
Every document I have found says that I can do the following:
Device(config)# access-list 141 deny icmp 10.0.0.1 0.0.0.255 any port-unreachable
! Rate-limit all other ICMP traffic.
Device(config)# access-list 141 permit icmp any any port-unreachable
Device(config)# class-map icmp-class
Device(config-cmap)# match access-group 141
Device(config)# policy-map control-plane-out
! Drop all traffic that matches the class "icmp-class."
Device(config-pmap)# class icmp-class
Device(config-pmap-c)# drop
Device(config)# control-plane
! Define aggregate control plane service for the active route processor.
Device(config-cp)# service-policy output control-plane-out
However, when I try to create a policy-map to drop traffic for a specific class, the "drop" command just isn't there. I think it's only available in the "access-control" type of policy-map. The "access-control" type of policy-map requires an "access-control" type of class-map. When I create an "access-control" type class-map, it won't let me match on access-lists.
It appears the two features are mutually exclusive.
Can anyone shed some light on this? I'm just trying to block IP packets of TTL 0 and 1 from reaching my control plane.
I had this issue on Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) and found this post.
I just wanted to note that the only devices I have that have the 'drop' command you are looking for are my 2911s running Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M5, RELEASE SOFTWARE (fc1).
Great answer that it can be done in another way, but that drop command does actually exist depending on your IOS and device. I did some research and wasn't able to nail down when the command was introduced.
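Added example, not taken from either post or from Cisco's documentation: one way to discard TTL 0 and 1 packets at the control plane on an image whose class mode lacks "drop" is a policer whose conform and exceed actions both drop. The ACL, class and policy names are hypothetical, and the sketch assumes the image supports the "ttl" match in extended ACLs and that OSPF and single-hop eBGP are the only protocols that legitimately arrive with TTL 1.

```cisco
! Constructed example; ACL, class and policy names are hypothetical.
ip access-list extended COPP-LOW-TTL
 ! Exempt protocols that legitimately arrive with TTL 1 (assumed here:
 ! OSPF and single-hop eBGP). Adjust to what the router actually runs.
 ! A "deny" in a class-map ACL means "do not classify into this class".
 deny   ospf any any
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 ! Everything else with TTL 0 or 1.
 permit ip any any ttl lt 2
!
class-map match-all COPP-LOW-TTL
 match access-group name COPP-LOW-TTL
!
policy-map COPP-IN
 class COPP-LOW-TTL
  ! Both outcomes drop, so the configured rate (8000 bps) never matters.
  police 8000 conform-action drop exceed-action drop
!
control-plane
 ! "input" polices traffic on its way to the route processor;
 ! the quoted documentation example uses "output" for packets it sends.
 service-policy input COPP-IN
```

After applying it, "show policy-map control-plane" shows the per-class counters, which is the quickest check that the class is matching and that routing adjacencies are not being caught by it.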