Control Plane Policy & VRF

Hi ALL !!!
I created the CPP and applied the service policy like "permit tcp host x.x.x.x any telnet" to it.
It works very nicely if I don't have a VRF.
But ALL my users from VRF "USER" or "Manage" can telnet to the router :-(
What can you suggest to me?

Hello mpalis,
Traffic which does not match any defined class ends up in class-default, which is always applied whether you configured it or not.
Some traffic types cannot be defined by the classes and always go to the class-default class. Examples of those are Layer 2 PDUs/keepalives (CDP, ARP etc.) and non-IP traffic (ISIS etc.). Also IPv6 traffic, if not expressly defined within a specific class, ends up in class-default.
What you see is pretty expected then. Some Layer 2 or non-IP control traffic is hitting the default class every now and then (the rate is pretty low in your outputs, 1 pps or so).
About the monitoring part, it is not that easy on this platform (I assume you have an ASR 1000), as the easiest way to identify that traffic would be to use ERSPAN with the CPU as the source. Unfortunately that is not supported (even though the CLI allows you to configure it) and it does not work.
Another option would be Embedded Packet Capture (EPC) to capture process-switched packets, but this is not supported either on the ASR.
What is left is an engineering command to see what is actually punted to the CPU, which is "debug platform software infrastructure punt". Note that this command can give a pretty chatty (overwhelming) output, so I suggest you disable console logging and send the output to syslog if you intend to use it.
You will likely see some non-IP/L2 traffic popping up every now and then, confirming what I wrote above.
regards,
Riccardo
PS: Please rate the answer if helpful and flag the question as answered if no more help is needed.

Similar Messages

  • Control Plane Policy not allowing ssh on my 3825 router

    I have complaints from a downstream customer trying to connect to my network. He is the only one connecting to hosts via ssh. He is showing up hitting the 3rd-party firewall (McAfee Sidewinder) between the 2 Cisco 3825 routers, but with the bytes stripped out. I started looking at the control plane policy and believe it is the culprit. He is the only host I need to get in through the router (WAN) via this protocol/port. What do I need to change in order to allow him through?

    BTW, don't know why but the **** above should have read k - n - o - b.  Probably the decorum police checking in...

  • Control Plane POLICY

    Hi,
    I did the configuration for CCP on a 4500 switch, but it makes the process CPU grow. In the normal case the process is about 25%, but when I configure the policy for the control plane the CPU is about 40% and has peaks over 80%.
    Please help me.
    thanks.

    Hi!
    It interests me too!

  • WLC Control Plane Policy

    Hi,
    We are developing a network where the APs will be connected to (public) DSL connections. Now we are looking at the subject of security in the WLC, and my question is whether the number of tunnels the WLC can receive simultaneously can be limited. I was seeing that the possibility exists of configuring CPP, but this limits the traffic that goes to the CPU, not the tunnels. My question refers to the case where a possible attack exists generating many simultaneous tunnels.
    Please, let me know your opinion about this issue.
    Thanks a lot.
    Andres.

    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html
    Features Not Supported on Cisco 2500 Series Controllers
    These software features are not supported on Cisco 2500 Series Controllers:
    • Support for wired guest access.
    • Cisco 2500 Series Controller cannot be configured as an auto anchor controller. However, you can configure it as a foreign controller.
    • Supports only multicast-multicast mode.
    • Bandwidth Contract feature is unsupported.
    • Access points in direct connect mode is unsupported.
    • Service port support
    • Apple Talk Bridging
    • LAG
    • Wired Guest

  • Control Plane and Data Plane

    Hi there,
    I'm trying to figure out how to determine and how to differentiate between control plane and data plane, especially in troubleshooting MPLS VPN. Is there any keyword that distinguishes between them? It seems to be confusing for a newbie here :)
    Thanks in advance.
    maher

    Hi Maher,
    The control plane is simply the set of processes that are responsible for disseminating information on routes, labels etc. within a network. This includes routing protocols whose job is to communicate information on routes between different routers. The information provided by these protocols is then used to build routing/forwarding tables.
    The data plane is simply an abstraction used to describe the actual flow of data packets using paths determined by the control plane. The control plane carries control traffic (which is not end-user data), whereas the data plane traffic is actual end-user data.
    There is no single command that you can use to distinguish between the two. The commands you have on a router that can be used to view control plane operation are as follows:
    sh ip route
    sh ip cef
    sh ip bgp ...
    sh ip ospf ...
    sh mpls forwarding-table...
    etc... and many, many more
    Typically, there isn't a clear demarcation between commands that display control plane info and those that display data plane information... You could use commands such as the following to get some idea of data traffic flowing through a router:
    sh interfaces
    sh policy-map interface
    etc.
    Hope that helps - pls rate the post if it does.
    Paresh

  • Control plane policing

    please does anyone understand the difference in using a class-map of type queue-threshold and using a default class-map with queue-limit in the policy-map???
    class-map type queue-threshold match-all http-que
      match protocol http
    policy-map type queue-threshold http-que
      class http-que
        queue-limit 100

    class-map match-all http
      match access-group name http
    policy-map http
      class http
        bandwidth 100000
        queue-limit 100

    The type queue-limit will be matching http packets that are for the router management.
    If you set a queue-limit under a regular class-map you are matching http traffic that is routed through the traffic.
    In other words CPP queue limit protects the control-plane (router management) queue from getting full and DoS the router or locking someone out.
    Regular class-map is for traffic through the routers.
    I hope it helps.
    PK

  • Control-plane protection| soft ware hardware counters

    Hi everybody
    Today I noticed something strange at work. I was looking at how we implemented a policy to drop ICMPs hitting our processor after certain constraints are met.
    cisco#show running-config | begin control-plane
    control-plane
    service-policy input copp-aggregated
    +++++++++++++++++++++++
    Policy definition:
    policy-map copp-aggregated
    class cpp-icmp
       police cir 5000000 bc 93750 be 187500 conform-action transmit exceed-action drop violate-action drop
    class-map match-all cpp-icmp
      match access-group name cpp-icmp
    cisco#show ip access cpp-icmp
    Extended IP access list cpp-icmp
        10 permit icmp any any (156222580 matches)
    ++++++++++++++++++++++++++++++
    cisco#show policy-map control-plane
     Control Plane Interface
    Service-policy input: copp-aggregated
    Hardware Counters:
        class-map: cpp-icmp (match-all)
          Match: access-group name cpp-icmp
          police :
            5000000 bps 93000 limit 93000 extended limit
          Earl in slot 5 :
            5295068971 bytes
            5 minute offered rate 9528 bps
            aggregate-forwarded 5259145173 bytes action: transmit
            exceeded 35923798 bytes action: drop
            aggregate-forward 9936 bps exceed 0 bps
      Software Counters:
        Class-map: cpp-icmp (match-all)
          99672582 packets, 14936584392 bytes
          5 minute offered rate 11000 bps, drop rate 0 bps
          Match: access-group name cpp-icmp
          police:
              cir 5000000 bps, bc 93750 bytes, be 187500 bytes
            conformed 99672950 packets, 14936253164 bytes; action: transmit
            exceeded 289 packets, 422518 bytes; action: drop
            violated 0 packets, 0 bytes; action: drop
            conformed 13000 bps, exceed 0 bps, violate 0 bps
    +++++++++++++++++++++++++++++++++++
    I can see the software counters just show the constraints defined under policy "copp-aggregated"; how did we end up with hardware counters?
    The hardware counters show "5000000 bps 93000 limit 93000 extended limit", which we never defined anywhere.
    I appreciate your help.
    Thanks
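
    The counters in that output can be checked mechanically rather than by eye. Below is an added example (not the poster's or Cisco's code) that parses the hardware and software sections of the `show policy-map control-plane` output quoted above and flags any class whose policer is dropping more than a chosen fraction of bytes. The sample input is trimmed from the post; the 0.1% threshold is an arbitrary assumption.

```python
import re

# Sample 'show policy-map control-plane' output, trimmed from the post above
# (the counter values are the poster's own; only lines the parser needs are kept).
SAMPLE = """\
Hardware Counters:
    class-map: cpp-icmp (match-all)
        aggregate-forwarded 5259145173 bytes action: transmit
        exceeded 35923798 bytes action: drop
  Software Counters:
    Class-map: cpp-icmp (match-all)
          cir 5000000 bps, bc 93750 bytes, be 187500 bytes
        conformed 99672950 packets, 14936253164 bytes; action: transmit
        exceeded 289 packets, 422518 bytes; action: drop
        violated 0 packets, 0 bytes; action: drop
"""
SECTION_RE = re.compile(r"^\s*(Hardware|Software) Counters:", re.I)
CLASS_RE = re.compile(r"^\s*class-map:\s+(\S+)", re.I)
SW_RE = re.compile(r"^\s*(conformed|exceeded|violated)\s+(\d+) packets,\s+(\d+) bytes")
HW_RE = re.compile(r"^\s*(aggregate-forwarded|exceeded)\s+(\d+) bytes")
CIR_RE = re.compile(r"cir (\d+) bps, bc (\d+) bytes, be (\d+) bytes")

def parse_copp(text):
    """Return {"hardware": {class: {...}}, "software": {class: {...}}} from show output."""
    stats = {"hardware": {}, "software": {}}
    section = cls = None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section, cls = m.group(1).lower(), None
        elif (m := CLASS_RE.match(line)) and section:
            cls = m.group(1)
            stats[section][cls] = {}
        elif not (section and cls):
            continue                      # counters only make sense inside a class
        elif section == "software" and (m := SW_RE.match(line)):
            stats[section][cls][m.group(1)] = {"packets": int(m.group(2)), "bytes": int(m.group(3))}
        elif section == "software" and (m := CIR_RE.search(line)):
            stats[section][cls]["policer"] = dict(zip(("cir", "bc", "be"), map(int, m.groups())))
        elif section == "hardware" and (m := HW_RE.match(line)):
            key = "conformed" if m.group(1).startswith("aggregate") else "exceeded"
            stats[section][cls][key] = {"bytes": int(m.group(2))}
    return stats

def drop_ratio(cls_stats):
    """Fraction of policed bytes dropped (exceeded + violated) out of all bytes seen."""
    dropped = sum(cls_stats.get(k, {}).get("bytes", 0) for k in ("exceeded", "violated"))
    total = dropped + cls_stats.get("conformed", {}).get("bytes", 0)
    return dropped / total if total else 0.0

def flag_drops(stats, max_ratio):
    """(section, class, ratio) for every class whose policer drops more than max_ratio."""
    return [(sec, cls, drop_ratio(cs)) for sec, classes in stats.items()
            for cls, cs in classes.items() if drop_ratio(cs) > max_ratio]
```

    On the poster's numbers the hardware policer has dropped about 0.68% of bytes while the software counters show only a few hundred exceeded packets, so `flag_drops(parse_copp(SAMPLE), 0.001)` reports the hardware counters only.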

  • Control-plane policing on ML Card

    Hi All,
    We are experiencing high CPU utilization on one of our ML Cards in the ONS 15454. The "IP Input" process has relatively high CPU utilization irrespective of fast/CEF switching being properly enabled on the interfaces. We are trying to figure out whether there is an attack on the control plane, or whether any IP packets destined locally to the ML Card are causing those packets to be process switched.
    In order to figure that out, we thought we might try to use control plane policing on the control plane, but it seems not to take the service-policy associated with it. Is this feature supported on the ML card? Any other suggestion would be really appreciated.
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Try the "clear ip mroute" command on the ML card with high CPU usage and check for the issue. An ML card handling traffic from a large number of MAC addresses can also cause high CPU usage. In very large bridged networks, which may connect directly to 1000s of layer-3 devices, it may also be wise to increase the MAC table limit above the default of 1000 MAC addresses. This is done with the configuration command:
    bridge X limit dynamic entries 10000

  • Control plane protection

    Hi guys,
    I want to implement control plane protection for fragmented packets. As far as I know, if fragmented packets are traversing through the router then the service-policy will be applied at control-plane transit, but if fragmented packets are destined to the router itself then it will be applied at control-plane host. Correct me if I am wrong. Moreover, I want to know the difference between
    Control-plane
    Control-plane host
    Control-plane transit
    Control-plane cef

    Hi Bro
    What you’re doing is good. It’s always best to block the fragmented packets at the control-plane level, rather than via the normal ACL.
    In the basic/lower feature-set IOS versions, there is no breakdown in terms of control-plane. With the advanced/higher feature-set IOS versions, you have control-plane host, control-plane transit and control-plane cef. Your next question would be when do I apply them, in what given situations, am I right? Basically, in a nutshell, here goes:
    a)    control-plane host handles packets destined for router itself e.g. management traffic (telnet/ssh/tacacs+/radius) and routing traffic.
    b)    control-plane transit works on IP based packets traversing through the router e.g. internet browsing, email etc.
    c)    control-plane cef focuses on non-IP packets e.g. CDP, ARP etc.
    With this in mind, you might wanna expand your knowledge in depth, by reading this Cisco document http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html
    P/S: if you think this comment is useful, please do rate them nicely :-) and click on the button THIS QUESTION IS ANSWERED.

  • Rule for Control Plane traffic Transparent Firewall

    Hi Everyone,
    On an ASA working in routed mode, traffic is allowed by default from high-security inside to low-security outside.
    But in the case of a transparent firewall, control plane traffic from inside to outside is not allowed by default.
    I need to know the reason behind this.
    Is this due to the transparent firewall being layer 2?
    Regards
    Mahesh

    Hello Chintan,
    the VRF access link where the CE is connected is part of the VRF and isn't a member of the Global Routing Table anymore.
    So any possible attempt to build an LDP session cannot impact the backbone MPLS control plane.
    If you want to specify all the acceptable LDP sources in a receive-ACL or in Control plane policing as part of a security plan, that will be another matter.
    Only in a Carrier Supporting Carrier scenario do you have an MPLS LDP or BGPv4-with-labels session between PE and CE.
    Hope to help
    Giuseppe

  • What snmp OID to use to monitor control-plane of router

    Hi there!
    I've applied policy-maps on the control-plane, based on Cisco's recommendation.
    Now I need to know what SNMP OID I have to use to monitor them (I'm using Zabbix).
    Let me know.
    Regards!

    If you are using IOS, which uses a policy-map to configure Control Plane Policing, then you are asking in the wrong place, as this forum is for IOS-XR, not IOS. But you can poll objects in the CISCO-CLASS-BASED-QOS-MIB::cbQosPoliceStatsTable (for example cbQosCMDropByte64, cbQosPoliceExceededByte64, cbQosPoliceConformedByte64).
    If you mean you have changed the LPTS policers to help protect the control-plane in IOS-XR then I believe there is currently no support for polling the counters via SNMP. See the section on monitoring in Xander's document https://supportforums.cisco.com/document/93456/asr9000xr-local-packet-transport-services-lpts-copp

  • What is the Control Plans functionality in cProjects used for?

    Hi Folks,
    What is the purpose and usage of control plans in cProjects? Is this useful in an environment where QM is not implemented? Appreciate if somebody could provide an example of how this functionality will be useful from a project management standpoint. I am on cProjects 4.5.
    Cheers,
    Lashan

    Hi,
    the control plan functionality in cProjects is deprecated, see SAP Note 1114207:
    Using the control plans is not recommended because with new developments in SAP PLM Quality Management (QM). cProjects remains the preferred project management solution, but all QM aspects that are not directly related to project management should be managed in SAP ERP.
    Kind regards,
       Florian

  • CProjects- Control Plan

    Hi All,
    I am working on cProjects. When I assign the control plan on the Project definition it is created. I can create the process and assign the tools and characteristics. But in the additional data for characteristics the fields are greyed out. Example: I want the unit K, lower and higher values for the characteristic "temp", but it is greyed out.
    Is there any setting required for transfer to SAP R/3 as an inspection plan?
    Help required.
    RAMU

    Go to Characteristics (CT04 or CT02).
    Go to the Additional Data tab, enter the TABLE you want to use, and enter the FIELD values.
    Enter the document details below.
    Save the transaction.
    Enjoy SAP!

  • How to map,e.g. conceptual control plane to physical element?

    Route processor = control plane (customer, provider) in layer 3
    Line card = data plane in layer 2 & layer 3
    where is management plane?
    Thanks

    Hi
    When you configure the MP you can see the logging for the same. The log you will get:
    Aug  2 15:25:32.846: %CP-5-FEATURE: Management-Interface feature enabled on Control plane
    host path
    It shows that the MP works over the Control plane, meaning that in the Route processor the MP will take place.
    Regards
    Chetan Kumar

  • Control-plane command?

    Hi, I am just looking at a Cisco 1131g AP and notice there is no control-plane command. Does anyone know why? AP is running 12.4(10b)JDA3

    Maybe they finally removed it? Correct me if I'm wrong, but I believe that control-plane commands were how one would configure legacy QoS (prior to Modular QoS Commands).
    I might be wrong, I'm a bit fuzzy on legacy stuff since I'm 'new' to the Cisco world. 12.2 was out when I first learned what Cisco was, lol.
