Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1123
Views
0
Helpful
3
Replies

Strange CPPr Behaviour

babanonyme
Level 1
Level 1

‎11-24-2013 07:51 AM - edited ‎03-10-2019 12:09 AM

Hi All,

I try to play with CPPr and I came with the following to drop all packets to closed ports except RIP:

class-map type port-filter match-all closed

match  closed-ports

class-map type port-filter match-any validPorts

match  port udp 520

policy-map type port-filter PortPMAP

class validPorts

    log

class closed

   drop

control-plane host

service-policy type port-filter input PortPMAP

and that works fine, now, if I remove the log action of validPorts, I stop receiving RIP updates (checked with debug ip RIP) and my routes eventually become removed on routing table.

Per this link:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

policy-map copp-policy

class coppclass-bgp

< no operation specified since this class has unrestricted access to route processor >

So I would expect that even with no log my traffic should be permitted.

Is this a bug, or did I missed something ?

I am running on

R3(config)#do sh ver  | i IO

Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)

Labels:
0 Helpful
3 Replies 3

Collin Clark
VIP Alumni
VIP Alumni

‎11-25-2013 09:37 AM

I think you're running into this problem because RIP uses brodcasts. Try enabling RIPv2 and specifiying a neighbor. That will enable RIP to use multicast. This would need to be done on each router.

Hope it helps.

0 Helpful

babanonyme
Level 1
Level 1
In response to Collin Clark

‎11-25-2013 10:20 AM

Hi Collin,

I already have RIPv2. When I have the log action, I see packets to 224.0.0.9, it's just for some reason if I do not put a log action packets looks droppped.

As a workaround I can do

class-map type port-filter match-all closed

match  closed-ports

match not udp 520

But that is strange... Maybe i'll try a differnet IOS version if I have some time.

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to babanonyme

‎11-25-2013 10:22 AM

I can try it in the lab tonight too.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents