Control-plane protection | software hardware counters
Hi everybody
Today I noticed something strange at work. I was looking at how we implemented a policy to drop ICMPs hitting our processor after certain constraints are met.
cisco#show running-config | begin control-plane
control-plane
service-policy input copp-aggregated
+++++++++++++++++++++++
Policy definition:
policy-map copp-aggregated
class cpp-icmp
police cir 5000000 bc 93750 be 187500 conform-action transmit exceed-action drop violate-action drop
class-map match-all cpp-icmp
match access-group name cpp-icmp
cisco#show ip access cpp-icmp
Extended IP access list cpp-icmp
10 permit icmp any any (156222580 matches)
++++++++++++++++++++++++++++++
cisco#show policy-map control-plane
Control Plane Interface
Service-policy input: copp-aggregated
Hardware Counters:
class-map: cpp-icmp (match-all)
Match: access-group name cpp-icmp
police :
5000000 bps 93000 limit 93000 extended limit
Earl in slot 5 :
5295068971 bytes
5 minute offered rate 9528 bps
aggregate-forwarded 5259145173 bytes action: transmit
exceeded 35923798 bytes action: drop
aggregate-forward 9936 bps exceed 0 bps
Software Counters:
Class-map: cpp-icmp (match-all)
99672582 packets, 14936584392 bytes
5 minute offered rate 11000 bps, drop rate 0 bps
Match: access-group name cpp-icmp
police:
cir 5000000 bps, bc 93750 bytes, be 187500 bytes
conformed 99672950 packets, 14936253164 bytes; action: transmit
exceeded 289 packets, 422518 bytes; action: drop
violated 0 packets, 0 bytes; action: drop
conformed 13000 bps, exceed 0 bps, violate 0 bps
+++++++++++++++++++++++++++++++++++
I can see "Software Counters" just show the constraints defined under policy "copp-aggregated"; how did we end up with hardware counters?
Hardware counters show "5000000 bps 93000 limit 93000 extended limit", which we never defined anywhere.
I appreciate your help
Thanks
BTW, don't know why but the **** above should have read k - n - o - b. Probably the decorum police checking in...
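Added example, not part of the original post and not Cisco tooling: a short Python parser for the `show policy-map control-plane` output quoted above, comparing the policer settings and drop share reported in the hardware and software sections. The sample text is a trimmed, constructed copy of that output, and the function names are hypothetical.

```python
import re

# Constructed sample: trimmed copy of the output quoted in the post above.
SAMPLE = """\
Hardware Counters:
class-map: cpp-icmp (match-all)
police :
5000000 bps 93000 limit 93000 extended limit
aggregate-forwarded 5259145173 bytes action: transmit
exceeded 35923798 bytes action: drop
Software Counters:
Class-map: cpp-icmp (match-all)
police:
cir 5000000 bps, bc 93750 bytes, be 187500 bytes
conformed 99672950 packets, 14936253164 bytes; action: transmit
exceeded 289 packets, 422518 bytes; action: drop
violated 0 packets, 0 bytes; action: drop
"""

def _num(pattern, text):
    """Return the first captured integer, or None if the line is absent."""
    m = re.search(pattern, text)
    return int(m.group(1)) if m else None

def parse_copp(output):
    """Split into hardware/software sections; extract policer settings and byte counters."""
    hw, _, sw = output.partition("Software Counters:")
    return {
        "hw": {"rate": _num(r"(\d+) bps \d+ limit", hw),
               "burst": _num(r"bps (\d+) limit", hw),
               "passed": _num(r"aggregate-forwarded (\d+) bytes", hw),
               "dropped": _num(r"exceeded (\d+) bytes", hw)},
        "sw": {"rate": _num(r"cir (\d+) bps", sw),
               "burst": _num(r"bc (\d+) bytes", sw),
               "passed": _num(r"conformed \d+ packets, (\d+) bytes", sw),
               "dropped": _num(r"exceeded \d+ packets, (\d+) bytes", sw)
                          + _num(r"violated \d+ packets, (\d+) bytes", sw)},
    }

def summarize(output):
    """Report whether both paths police at the same rate, the burst gap, and drop share per path."""
    p = parse_copp(output)
    pct = lambda c: round(100.0 * c["dropped"] / (c["passed"] + c["dropped"]), 4)
    return {"rate_match": p["hw"]["rate"] == p["sw"]["rate"],
            "burst_delta": p["sw"]["burst"] - p["hw"]["burst"],
            "hw_drop_pct": pct(p["hw"]), "sw_drop_pct": pct(p["sw"])}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the figures from the post, both sections police at the same rate, the hardware burst is 750 bytes below the configured bc, and the hardware path accounts for nearly all of the dropped ICMP bytes.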
Similar Messages
-
Hi guys,
I want to implement control plane protection for fragmented packets. As far as I know, if fragmented packets are traversing through the router then the service-policy will be applied at control-plane transit, but if fragmented packets are destined to the router itself then it will be applied at control-plane host. Correct me if I am wrong. Moreover, I want to know the difference between
Control-plane
Control-plane host
Control-plane transit
Control-plane cef
Hi Bro
What you’re doing is good. It’s always best to block the fragmented packets at the control-plane level, rather than via the normal ACL.
In the basic/lower feature sets IOS versions, there is no breakdown in terms of control-plane. With the advanced/higher feature sets IOS versions, you have control-plane host, control-plane transit and control-plane cef. Your next question would be when do I apply them, in what given situations, am I right? Basically, in a nutshell, here goes
a) control-plane host handles packets destined for router itself e.g. management traffic (telnet/ssh/tacacs+/radius) and routing traffic.
b) control-plane transit works on IP based packets traversing through the router e.g. internet browsing, email etc.
c) control-plane cef focuses on non-IP packets e.g. CDP, ARP etc.
With this in mind, you might wanna expand your knowledge in depth, by reading this Cisco document http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html
P/S: if you think this comment is useful, please do rate them nicely :-) and click on the button THIS QUESTION IS ANSWERED. -
Control Plane Protection (Policing) configuration on Catalyst 3850
I need to block ICMP requests from being received by the switch. And there is no 'control-plane' configuration mode, which I was going to use for this.
How can I configure this feature or apply another for my purpose?
Greetings,
How about on the 3725 router?
A couple specific questions I have while configuring the portion for IGPs.
Here is a couple snips of example configurations I'm finding on the Internet, that I have questions on.
1. Cisco CoPP Best Practices
access-list 120 permit ospf any
access-list 120 permit ospf any host 224.0.0.5
access-list 120 permit ospf any host 224.0.0.6
2. Deploying Cisco Control Plane Policing
ip access-list extended coppacl-igp
remark CoPP IGP traffic class
! permit OSPF
permit ospf any host 224.0.0.5
permit ospf any host 224.0.0.6
permit ospf any any
3. RFC6192
ip access-list extended OSPF
permit ospf 192.0.2.0 0.0.0.255 any
Questions
- Which option is better?
- Is the network specified in option #3 the network statement under the OSPF process, or the actual network I'm routing?
- If option #1 is better, what is the "router receive block" mentioned?
Thank you for your assistance!!
Debbie -
Control Plane Protection (CPPr) and Traffic Rates
Hi Everybody,
Currently I'm working on implementing policies according to the CPPr, but a couple of questions come to my mind:
1. Is there any standard to start policing the management traffic (SSH, SNMP, Telnet, etc.)?
2. How can I identify the current rates for the management protocols in order to police them?
I understand how the MQC works and for sure understand the CPPr options and benefits, but I cannot find a way to start using it in my network or tuning it for my needs.
Kind Regards,
Jose-Manuel Cortes
-
What snmp OID to use to monitor control-plane of router
Hi there!
I've applied policy-maps on the control-plane, based on Cisco's recommendation.
Now I need to know what SNMP OID I have to use to monitor them (I'm using Zabbix).
Let me know.
Regards!
If you are using IOS which uses a policy-map to configure Control Plane Policing then you are asking in the wrong place as this forum is for IOS-XR not IOS but you can poll objects in the CISCO-CLASS-BASED-QOS-MIB::cbQosPoliceStatsTable (for example cbQosCMDropByte64, cbQosPoliceExceededByte64, cbQosPoliceConformedByte64).
If you mean you have changed the LPTS policers to help protect the control-plane in IOS-XR then I believe there is currently no support for polling the counters via SNMP. See the section on monitoring in Xander's document https://supportforums.cisco.com/document/93456/asr9000xr-local-packet-transport-services-lpts-copp -
Please, does anyone understand the difference between using a class-map of type queue-threshold and using a default class-map with queue-limit in the policy-map?
class-map type queue-threshold match-all http-que
match protocol http
policy-map type queue-threshold http-que
class http-que
queue-limit 100
class-map match-all http
match access-group name http
policy-map http
class http
bandwidth 100000
queue-limit 100
The type queue-limit will be matching http packets that are for the router management.
If you set a queue-limit under a regular class-map you are matching http traffic that is routed through the traffic.
In other words CPP queue limit protects the control-plane (router management) queue from getting full and DoS the router or locking someone out.
Regular class-map is for traffic through the routers.
I hope it helps.
PK -
Control Plane Policing (CoPP) for Data Center
Hi All,
I am planning to apply CoPP on different routers and switches of Data Center. This Data Center comprises of Cisco 6513 (VSS), Catalyst 3750, Cisco 3845 and Cisco 2811.
My questions are:
1. Do we have to apply CoPP on Catalyst 3750, as these are DMZ switches only?
2. How to find the packet processing rate from router and switches?
3. Any best practices CoPP template for routers running OSPF and BGP?
Thanks and Regards,
Ahmed.
1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that will be able to be telneted to from the outside for example, CoPPing them would be helpful for you.
Do we not need to apply CoPP on switches and routers that are not telneted from outside?
Control plane traffic is traffic that goes to the control plane of the router like management traffic, snmp etc. If there is a firewall securing you from the outside I would feel my switches are more secure and it is not easy to bring them to their knees with an attacker doing too much from the outside. Control plane policing applies to all control plane traffic, but it is mostly against outsiders that someone would try to protect himself.
2. "sh proc cpu" would give you some insight for processes like ssh or telnet and how much they take. Not control packet rate processing though.
I want to know the maximum packet processing rate of a router or switch?
I don't think you will be able to pull that number.
3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.
Best practice for a router running OSPF with 200 routes?
Don't know of any.
PK -
Wanted to update the software now available, but it is asking for a pass code. As far as I remember I didn't put in any pass code; how do I settle this issue? Earlier updates were asking for the Apple ID, but the pass code for updating the new software is not known.
Hello Kewal,
Thank you for the details of the issue you are experiencing when trying to perform an update. I recommend trying to update using iTunes, and as always, it is a good idea to make a backup first.
iOS: Back up and restore your iOS device with iCloud or iTunes
http://support.apple.com/kb/ht1766
Update your iPhone, iPad, or iPod touch
http://support.apple.com/kb/ht4623
Thank you for using Apple Support Communities.
Best,
Sheila M. -
I have a MacBook and I'm having trouble backing up my pictures on an external hard drive. The MacBook won't install the backup drive software? It is a new Seagate hard drive from Costco.
You don't want to install the software that came with the drive, you don't need it and it will be problematic. Connect the new drive, open Disk Utility, select the new drive and partition it using the GUID partition scheme, then format it as Mac OS extended journaled and it will be easy to use with your Mac.
-
My phone has been losing calls and according to the Apple store I need to reset it due to a software fault. I have done this and still have the same problems. How do I reset the phone without reinstalling the software fault by way of iCloud backup?
Well, it appears that your backup is corrupt, thus causing your issue. So, you'll have to restore as a new device, & not from backup. Follow this by syncing your content back to your phone:
http://support.apple.com/kb/ht1414
Do not restore from backup. -
My iPhone was stolen and my mother gave me her 3GS, however she never updated the software. It is on 3.13 and will not update to iOS 5. Help!
How about the issues with 3.1.3 on the 3GS?
3.1.3 battery problem
OS 3.1.3 battery issues
3.1.3 upgrade - shortened battery life?
Battery life cut after 3.1.3 update on iPhone 3G
3.1.3 Firmware is a battery killer - how do I back out this upgrade?
Some users have problems with any release. iOS 5 is no different, not better, not worse. -
I have a 10.5.8 and would need to know how to upgrade the software, or do I need to buy a new computer?
Back up your data, click here, and read the entire page. Mac OS X 10.7 and newer don't support PowerPC software such as Microsoft Office 2004.
(106103) -
When I bought my Mac it came with GarageBand. I had to clean up the computer so I reloaded all software; now I can't find GarageBand or reload Windows XP.
richardfromdes plaines wrote:
now cant find garage band
reinstall it:
http://www.bulletsandbones.com/GB/GBFAQ.html#reinstallgb
(Let the page FULLY load. The link to your answer is at the top of your screen) -
I had trouble with my laptop and had to format the hard disk and install all software again. Could anybody tell me how to transfer the applications and data in my iPhone back to iTunes?
You can't. It still thinks that your iPhone is synced with another iTunes library (the one that you had before you reformatted the hard drive).
-
What is the Control Plans functionality in cProjects used for?
Hi Folks,
What is the purpose and usage of control plans in cProjects? Is this useful in an environment where QM is not implemented? Appreciate if somebody could provide an example of how this functionality will be useful from a project management standpoint. I am on cProjects 4.5.
Cheers,
Lashan
Hi,
the control plan functionality in cProjects is deprecated, see SAP Note 1114207:
Using the control plans is not recommended because with new
developments in SAP PLM Quality Management (QM). cProjects
remains the preferred project management solution, but all QM
aspects that are not directly related to project management
should be managed in SAP ERP.
Kind regards,
Florian