Control Plane Policing - is this a default config in a 6509?

I was doing some configuration reviews today, removing some lines that needed to be removed and came across an ACL I have never seen before.  I sure wish I could copy and paste into this thread!
ip access-list extended cpp-management
class-map match-all cpp-any
match access-group name cpp-any
class-map match-all cpp-management
match access-group name cpp-management
and then some policy maps and access lists, etc.
Does anyone know if this is a default config?  I've never seen it before and none of my co-workers have owned up to putting it in there.
Thanks in advance.
Tim

It is not a default, that is a custom config. CoPP is not on by default.
Hope it helps.

Similar Messages

  • Control-plane policing on ML Card

    Hi All,
    We are experiencing high CPU utilization on one of our ML Cards in the ONS 15454. The "IP Input" process has relatively higher CPU utilization irrespective of the proper fast/CEF switching enabled on the interfaces. We are trying to figure out whether there is an attack on the control plane, or whether any IP packets destined locally to the ML Card are causing those packets to be process switched.
    In order to figure that out, we thought we might try to use Control Plane Policing on the control plane, but it does not seem to take the service-policy associated with it. Is this feature supported on the ML card? Any other suggestion would be really appreciated.
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Try the "clear ip mroute" command on the ML card with high CPU usage and check for the issue. An ML card handling a large number of MAC address traffic can also cause high CPU usage. In very large bridged networks, which may connect directly to 1000s of layer-3 devices, it may also be wise to increase the MAC table limit above the default of 1000 MAC addresses. This is done with the configuration command:
    bridge X limit dynamic entries 10000

  • Control Plane Policing (CoPP) for Data Center

    Hi All,
    I am planning to apply CoPP on different routers and switches of a Data Center. This Data Center comprises Cisco 6513 (VSS), Catalyst 3750, Cisco 3845 and Cisco 2811.
    My questions are:
    1. Do we have to apply CoPP on Catalyst 3750, as these are DMZ switches only?
    2. How to find the packet processing rate from router and switches?
    3. Any best practices CoPP template for routers running OSPF and BGP?
    Thanks and Regards,
    Ahmed.

    1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that will be able to be telneted to from the outside for example, CoPPing them would be helpful for you.
    > Do we not need to apply CoPP on switches and routers that are not telneted from outside?
    Control plane traffic is traffic that goes to the control plane of the router like management traffic, snmp etc. If there is a firewall securing you from the outside I would feel my switches are more secure and it is not easy to bring them to their knees with an attacker doing too much from the outside. Control plane policing applies to all control plane traffic, but it is mostly against outsiders that someone would try to protect himself.
    2. "sh proc cpu" would give you some insight for processes like ssh or telnet and how much they take. Not control packet rate processing though.
    > I want to know the maximum packet processing rate of a router or switch?
    I don't think you will be able to pull that number.
    3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.
    > Best practice for a router running OSPF with 200 routes?
    Don't know of any.
    PK

  • Control plane policing

    Please, does anyone understand the difference between using a class-map of type queue-threshold and using a default class-map with queue-limit in the policy-map???
    class-map type queue-threshold match-all http-que
     match protocol http
    policy-map type queue-threshold http-que
     class http-que
      queue-limit 100
    class-map match-all http
     match access-group name http
    policy-map http
     class http
      bandwidth 100000
      queue-limit 100

    The type queue-limit will be matching http packets that are for the router management.
    If you set a queue-limit under a regular class-map you are matching http traffic that is routed through the traffic.
    In other words CPP queue limit protects the control-plane (router management) queue from getting full and DoS the router or locking someone out.
    Regular class-map is for traffic through the routers.
    I hope it helps.
    PK

  • Control Plane Protection (Policing) configuration on Catalyst 3850

    I need to block ICMP requests from being received by the switch. And there is no 'control-plane' configuration mode, which I was going to use for this.
    How can I configure this feature or apply another for my purpose?

    Greetings,
    How about on the 3725 router?
    A couple of specific questions I have while configuring the portion for IGPs.
    Here are a couple of snips of example configurations I'm finding on the Internet that I have questions on.
    1. Cisco CoPP Best Practices
    access-list 120 permit ospf any
    access-list 120 permit ospf any host 224.0.0.5
    access-list 120 permit ospf any host 224.0.0.6
    2. Deploying Cisco Control Plane Policing
    ip access-list extended coppacl-igp
     remark CoPP IGP traffic class
     ! permit OSPF
     permit ospf any host 224.0.0.5
     permit ospf any host 224.0.0.6
     permit ospf any any
    3. RFC6192
    ip access-list extended OSPF
     permit ospf 192.0.2.0 0.0.0.255 any
    Questions:
    - Which option is better?
    - Is the network specified in option #3 the network statement under the OSPF process, or the actual network I'm routing?
    - If option #1 is better, what is the "router receive block" mentioned?
    Thank you for your assistance!!
    Debbie

  • Rule for Control Plane traffic Transparent Firewall

    Hi Everyone,
    On an ASA working in routed mode, traffic is allowed by default from the high-security inside to the low-security outside.
    But in the case of a transparent firewall, control plane traffic from inside to outside is not allowed by default.
    I need to know the reason behind this.
    Is this due to the transparent firewall being layer 2?
    Regards
    Mahesh

    Hello Chintan,
    the VRF access link where the CE is connected is part of the VRF and isn't a member of the Global Routing Table anymore.
    So any possible attempt to build an LDP session cannot impact the backbone MPLS control plane.
    If you want to specify all the acceptable LDP sources in a receive-ACL or in Control plane policing as part of a security plan, that will be another matter.
    Only in a Carrier Supporting Carrier scenario do you have an MPLS LDP or BGPv4-with-labels session between PE and CE.
    Hope to help
    Giuseppe

  • What snmp OID to use to monitor control-plane of router

    Hi there!
    I've applied policy-maps on the control-plane, based on Cisco's recommendation.
    Now I need to know which SNMP OID I have to use to monitor them (I'm using Zabbix).
    Let me know.
    Regards!

    If you are using IOS which uses a policy-map to configure Control Plane Policing then you are asking in the wrong place as this forum is for IOS-XR not IOS but you can poll objects in the CISCO-CLASS-BASED-QOS-MIB::cbQosPoliceStatsTable (for example cbQosCMDropByte64, cbQosPoliceExceededByte64, cbQosPoliceConformedByte64).
    If you mean you have changed the LPTS policers to help protect the control-plane in IOS-XR then I believe there is currently no support for polling the counters via SNMP. See the section on monitoring in Xander's document https://supportforums.cisco.com/document/93456/asr9000xr-local-packet-transport-services-lpts-copp

  • ASA Control Plane

    Hello,
    I'm attempting to limit what IP addresses can connect to an ASA using the SSL VPN. I would have thought control-plane policing would have worked, however it did not.
    Here is what I configured:
    access-list vpn_control extended permit tcp object-group allowed_clients interface outside
    access-group vpn_control in interface outside control-plane
    any suggestions would be appreciated.
    Thanks!

    I'm having a problem which I think is described here.  I would essentially like to whitelist networks for SSL AnyConnect VPN access.  I understand that the AnyConnect client would attempt a connection to my outside interface on 443 and that it would be considered "to the box traffic" which would bypass the interface ACLs. I set up an ACL to deny traffic from a specific test network to test the control plane option.  At first I tried 443 traffic and later expanded it to a deny any from the external network, but in either case I was still able to VPN to the ASA from this test network using the AnyConnect client.  I assume this has something to do with management traffic having priority and not distinguishing between management traffic destined for /admin and SSL VPN connections.  However, I do not have the outside interface enabled as a management interface, so even that is a little puzzling.
    access-list outside_access_in_1 extended deny ip object test_network any
    access-list outside_access_in_1 extended permit ip any any
    access-group outside_access_in_1 in interface outside control-plane
    If I do a packet trace for 443 traffic from that network to my outside interface IP it does show the traffic passing and the ACL section specifically shows it passing via implicit rule...

  • Control Plane and Data Plane

    Hi there,
    I'm trying to figure out how to determine and how to differentiate between control plane and data plane, especially in troubleshooting MPLS VPN. Is there any keyword that distinguishes between them? It seems to be confusing for a newbie here :)
    Thanks in advance.
    maher

    Hi Maher,
    The control plane is simply the set of processes that are responsible for disseminating information on routes, labels etc within a network. This includes routing protocols whose job is to communicate information on routes between different routers. The information provided by these protocols is then used to build routing/forwarding tables.
    The data plane is simply an abstraction used to describe the actual flow of data packets using paths determined by the control plane. The control plane traffic carries control traffic (which is not end-user data) whereas the data plane traffic is actual end-user data.
    There is no single command that you can use to distinguish between the two. The commands you have on a router that can be used to view control plane operation are as such:
    sh ip route
    sh ip cef
    sh ip bgp ...
    sh ip ospf ...
    sh mpls forwarding-table...
    etc... and many, many more
    Typically, there isn't a clear demarcation between commands that display control plane info and those that display data plane information... You could use commands such as the following to get some idea of data traffic flowing through a router:
    sh interfaces
    sh policy-map interface
    etc.
    Hope that helps - pls rate the post if it does.
    Paresh

  • Control plane protection

    Hi guys,
    I want to implement control plane protection for fragmented packets. As far as I know, if fragmented packets are traversing the router then the service-policy will be applied at control-plane transit, but if fragmented packets are destined to the router itself then it will be applied at control-plane host. Correct me if I am wrong. Moreover, I want to know the difference between
    Control-plane
    Control-plane host
    Control-plane transit
    Control-plane cef

    Hi Bro
    What you’re doing is good. It’s always best to block the fragmented packets at the control-plane level, rather than via the normal ACL.
    In the basic/lower feature set IOS versions, there is no breakdown in terms of control-plane. With the advanced/higher feature set IOS versions, you have control-plane host, control-plane transit and control-plane cef. Your next question would be when do I apply them, in what given situations, am I right? Basically, in a nutshell, here goes:
    a) control-plane host handles packets destined for the router itself, e.g. management traffic (telnet/ssh/tacacs+/radius) and routing traffic.
    b) control-plane transit works on IP-based packets traversing through the router, e.g. internet browsing, email etc.
    c) control-plane cef focuses on non-IP packets, e.g. CDP, ARP etc.
    With this in mind, you might wanna expand your knowledge in depth, by reading this Cisco document http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html
    P/S: if you think this comment is useful, please do rate them nicely :-) and click on the button THIS QUESTION IS ANSWERED.

  • File, Send link doesn't open a new email. Using Firefox 11.0. Outlook 2010 is the Mailto default and W7 default email program. On the About:config page network.protocol-handler.external.mailto is set to regular font (not bold) "default Boolean true".

    File, Send link doesn’t open a new email. Running Firefox 11.0. Outlook 2010 is the Mailto default and the W7 default email program. On the About:config page, network.protocol-handler.external.mailto is set to regular font (not bold) “default Boolean true”.

    I assume you have tried toggling the setting in Firefox between Outlook and, say, Gmail:
    orange Firefox button ''or'' classic Tools menu > Options > Applications
    In the search box, type or paste '''mailto''' and pause for the list to filter.
    Change the setting and OK to save it, then return to the dialog, change back, and OK again.
    You also might want to toggle the setting at the OS level between Microsoft Outlook and the native Windows Mail client in a similar fashion. In Windows XP you could use IE's Options dialog, Programs tab, for this, but I'm not sure in Windows 7.
    Since one possibility is a problem in your Firefox settings (including the possibility of interfering add-ons), and another is a problem at the Windows level (e.g., Registry settings), it would be useful to try to identify which one it is. One quick way to distinguish is to create a new Firefox profile. It will start up with all factory settings. You can switch back to your existing profile after testing.
    First, I recommend backing up your Firefox settings in case something goes wrong. See [https://support.mozilla.com/en-US/kb/Backing+up+your+information Backing up your information]. (You can copy your entire Firefox profile folder somewhere outside of the Mozilla folder.)
    After closing Firefox, start up again in the Profile Manager as described in this article: [http://support.mozilla.com/kb/Managing+profiles Managing profiles].
    With the new profile, can Firefox successfully create a message in Outlook?

  • What is the Control Plans functionality in cProjects used for?

    Hi Folks,
    What is the purpose and usage of control plans in cProjects? Is this useful in an environment where QM is not implemented? Appreciate if somebody could provide an example of how this functionality will be useful from a project management standpoint. I am on cProjects 4.5.
    Cheers,
    Lashan

    Hi,
    the control plan functionality in cProjects is deprecated, see SAP Note 1114207:
    Using the control plans is not recommended because with new developments in SAP PLM Quality Management (QM). cProjects remains the preferred project management solution, but all QM aspects that are not directly related to project management should be managed in SAP ERP.
    Kind regards,
    Florian

  • I have firefox 7.0 and i go to about:config and change the URL default from bing to google but when i close firefox an open it back up it changes back to bing why is this?

    I have Firefox 7.0 and I go to about:config and change the URL default from Bing to Google, but when I close Firefox and open it back up it changes back to Bing. Why is this? I stand by Google 100% and if ur gonna make it where I can't use Google as the URL's search engine then I will uninstall it.

    The default of the pref network.http.max-connections has been increased from 30 to 256 in Firefox 6+ versions.
    Try to decrease the value of the pref network.http.max-connections from 256 to 30 as used in Firefox 3 versions.
    *https://support.mozilla.com/kb/Firefox+never+finishes+loading+certain+websites
    Start Firefox in [[Safe Mode]] to check if one of the extensions or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox (Tools) > Add-ons > Appearance/Themes).
    *Don't make any changes on the Safe mode start window.
    *https://support.mozilla.com/kb/Safe+Mode

  • Do you know a unicast protocol for the Ethernet control plane?

    Hi,
    Does anyone know a protocol for the Ethernet control plane which has a unicast destination address?
    MVRP, MMRP, MSTP, RSTP, all these protocols have a multicast reserved destination address.
    Perhaps we have to look at non-802.1Q control plane protocols.
    Best regards,
    Michel

    Hi Peter,
    > I wonder if any of the OAM protocols, especially the one providing the loopback/ping test is unicast-based.
    In G.8013 (07/2011) section 7.3:
    "The Ethernet loopback function (ETH-LB) is used to verify connectivity of a MEP with a MIP or
    peer MEP(s). There are two ETH-LB types:
    • Unicast ETH-LB.
    • Multicast ETH-LB".
    > In any case, think of LOOP frames sent by Catalyst switches to detect  self-looped ports. In these frames,
    > the source and destination MAC  address are set to the unicast MAC of the egress port.
    As I said above, it's a good case for my little study.
    The LOOP frame, from Cisco, was certainly interesting and important before 2004.
    Since 802.3ah-2004 we have the OAM remote loopback (in link OAM, and not network OAM as ETH-LB).
    Best regards,
    Michel

  • Control-plane protection | software/hardware counters

    Hi everybody
    Today I noticed something strange at work. I was looking at how we implemented a policy to drop ICMPs hitting our processor after certain constraints are met.
    cisco#show running-config | begin control-plane
    control-plane
    service-policy input copp-aggregated
    +++++++++++++++++++++++
    Policy definition:
    policy-map copp-aggregated
    class cpp-icmp
       police cir 5000000 bc 93750 be 187500 conform-action transmit exceed-action drop violate-action drop
    class-map match-all cpp-icmp
      match access-group name cpp-icmp
    cisco#show ip access cpp-icmp
    Extended IP access list cpp-icmp
        10 permit icmp any any (156222580 matches)
    ++++++++++++++++++++++++++++++
    cisco#show policy-map control-plane
     Control Plane Interface
    Service-policy input: copp-aggregated
    Hardware Counters:
        class-map: cpp-icmp (match-all)
          Match: access-group name cpp-icmp
          police :
            5000000 bps 93000 limit 93000 extended limit
          Earl in slot 5 :
            5295068971 bytes
            5 minute offered rate 9528 bps
            aggregate-forwarded 5259145173 bytes action: transmit
            exceeded 35923798 bytes action: drop
            aggregate-forward 9936 bps exceed 0 bps
      Software Counters:
        Class-map: cpp-icmp (match-all)
          99672582 packets, 14936584392 bytes
          5 minute offered rate 11000 bps, drop rate 0 bps
          Match: access-group name cpp-icmp
          police:
              cir 5000000 bps, bc 93750 bytes, be 187500 bytes
            conformed 99672950 packets, 14936253164 bytes; action: transmit
            exceeded 289 packets, 422518 bytes; action: drop
            violated 0 packets, 0 bytes; action: drop
            conformed 13000 bps, exceed 0 bps, violate 0 bps
    +++++++++++++++++++++++++++++++++++
    I can see the "software counters" just show the constraints defined under policy "copp-aggregated"; how did we end up with hardware counters?
    The hardware counters show "5000000 bps 93000 limit 93000 extended limit", which we never defined anywhere.
    I appreciate your help
    Thanks
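    To put the two counter sections side by side, here is an added Python example (not from the thread) that parses `show policy-map control-plane` output, sums the per-slot hardware byte counters, computes the software and hardware drop shares, and reports when the bc configured on the policer differs from the limit the hardware section shows. The sample text is constructed from the output quoted in the post; the class name and figures are taken from there.

```python
import re

# Constructed sample, trimmed from the output quoted in the post above.
SAMPLE = """\
Hardware Counters:
    class-map: cpp-icmp (match-all)
        5000000 bps 93000 limit 93000 extended limit
      Earl in slot 5 :
        aggregate-forwarded 5259145173 bytes action: transmit
        exceeded 35923798 bytes action: drop
  Software Counters:
    Class-map: cpp-icmp (match-all)
      police:
          cir 5000000 bps, bc 93750 bytes, be 187500 bytes
        conformed 99672950 packets, 14936253164 bytes; action: transmit
        exceeded 289 packets, 422518 bytes; action: drop
        violated 0 packets, 0 bytes; action: drop
"""


def parse_copp(text):
    """Return {class: {"hw": {...}, "sw": {...}}}; hardware bytes are summed over Earl slots."""
    stats, section, cls = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\s*(Hardware|Software) Counters:", line):
            section = "hw" if m[1] == "Hardware" else "sw"
        elif m := re.match(r"\s*[Cc]lass-map: (\S+)", line):
            cls = m[1]
            stats.setdefault(cls, {"hw": {}, "sw": {}})
        elif cls and section == "hw":
            hw = stats[cls]["hw"]
            if m := re.match(r"\s*(\d+) bps (\d+) limit (\d+) extended limit", line):
                hw.update(rate_bps=int(m[1]), limit=int(m[2]), ext_limit=int(m[3]))
            elif m := re.match(r"\s*(aggregate-forwarded|exceeded) (\d+) bytes action", line):
                hw[m[1]] = hw.get(m[1], 0) + int(m[2])  # one such line per line-card slot
        elif cls and section == "sw":
            sw = stats[cls]["sw"]
            if m := re.search(r"cir (\d+) bps, bc (\d+) bytes, be (\d+) bytes", line):
                sw.update(cir=int(m[1]), bc=int(m[2]), be=int(m[3]))
            elif m := re.match(r"\s*(conformed|exceeded|violated) (\d+) packets, (\d+) bytes; action: (\w+)", line):
                sw[m[1]] = {"packets": int(m[2]), "bytes": int(m[3]), "action": m[4]}
    return stats


def drop_ratios(stats, cls):
    """(share of RP-counted packets dropped, share of hardware-policed bytes dropped)."""
    sw = [v for v in stats[cls]["sw"].values() if isinstance(v, dict)]
    sw_total = sum(b["packets"] for b in sw)
    sw_drop = sum(b["packets"] for b in sw if b["action"] == "drop")
    hw = stats[cls]["hw"]
    hw_total = hw.get("aggregate-forwarded", 0) + hw.get("exceeded", 0)
    return (sw_drop / sw_total if sw_total else 0.0,
            hw.get("exceeded", 0) / hw_total if hw_total else 0.0)


def burst_mismatch(stats, cls):
    """(configured bc, limit the hardware reports) when the two differ, else None."""
    bc, limit = stats[cls]["sw"].get("bc"), stats[cls]["hw"].get("limit")
    return (bc, limit) if None not in (bc, limit) and bc != limit else None
```

    Run against the post's own figures, the hardware section reports far more policed bytes than the software section reports dropped packets, and the policer's bc (93750) does not equal the 93000-byte limit the hardware shows; the code only surfaces that difference, it does not explain it.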

    BTW, don't know why but the **** above should have read k - n - o - b.  Probably the decorum police checking in...
