Control plane topology problem

Similar Messages

• 0CO_PC_01 Cost Object Controlling: Plan/Actual Data

  Hi Experts
  I have a question regarding Cost Object Controlling: Plan/Actual Data (0CO_PC_01). I know nothing about the R/3 processes and tcodes behind this datasource.
  For a given material and a given plant do I only get records with VTYPE(Value type for Reporting) 10, but I do not understand why - I need VTYPE = 70.
  I therefore hope:
  1. That somebody could provides input on why I only get VTYPE = 10 and how I get 70 instead.
  2. That somebody can tell me the tcodes behind this datasource on the R/3 side.
  Thanks and kind regards,
  Torben

  Hi Mr. V.
  Thanks a lot for the input.
  The problem is that we have got VTYPE 30 (target) for some materials, but not for specific material A and we really do not understand why. Do you know how I can verify if the variance is present for the given material A in R/3?
  Thanks and kind regards,
  Torben
  Edited by: Torben Pedersen on Apr 3, 2009 12:00 AM
  Sorry, it is VTYPE 30 i need, not 70 as stated by mistake at first.

• ASA Control Plane

  Hello,
  I'm attempting to limit what IP addreses can connect to an ASA using the SSL VPN. I would have thought control-plane policing would have worked, however it did not.
  Here is what I configured:
  access-list vpn_control extended permit tcp object-group allowed_clients interface outside
  access-group vpn_control in interface outside control-plane
  any suggestions would be appreciated.
  Thanks!

  I'm having a problem which I think is described here.  I would essentially like to whitelist networks for ssl anyconnect vpn access.  I understand that the anyconnect client would attempt a connection to my outside interface on 443 and that it would be considered "to the box traffic" which would bypass the interface ACL's. I set up an acl to deny traffic from a specific test network to test the control plane option.  At first I tried 443 traffic and later expanded it to a deny any from the external network, but in either case I was still able to VPN to the asa from this test network using the anyconnect client.  I assume this has something to do with management traffic having priority and not distiguishing between managment traffic destined for /admin and ssl vpn connections.  However, I do not have the outside interface enabled as a management interface, so even that is a little puzzling.
  access-list outside_access_in_1 extended deny ip object test_network any
  access-list outside_access_in_1 extended permit ip any any
  access-group outside_access_in_1 in interface outside control-plane
  If I do a packet trace for 443 traffic from that network to my outside interface IP it does show the traffic passing and the ACL section specifically shows it passing via implicit rule...

• What is the Control Plans functionality in cProjects used for?

  Hi Folks,
  What is the purpose and usage of control plans in cProjects? Is this useful in an environment where QM is not implemented? Appreciate if somebody could provide an example of how this functionality will be useful from a project management standpoint. I am on cProjects 4.5.
  Cheers,
  Lashan

  Hi,
  the control plan functionality in cProjects is deprecated, see SAP Note 1114207:
  Using the control plans is not recommended because with new  
  developments in SAP PLM Quality Management (QM). cProjects   
  remains the preferred project management solution, but all QM
  aspects that are not directly related to project management  
  should be managed in SAP ERP.                                
  Kind regards,
     Florian

• Control Plane and Data Plane

  Hi there,
  I'm trying to figure out how to determine and how to differentiate between control plane and data plane especially in troubleshooting MPLS VPN. Any keyword that distinguish between them? It seems to be confusing for a newbie here :)
  Thanks in advance.
  maher

  Hi Maher,
  The control plane is simply the set of processes that are responsible for disseminating information on routes, labels etc within a network. This includes routing protocols whose job is to communicate information on routes between different routers. The information provided by these protocols is then used to building routing/forwarding tables.
  The data plane is simply an abstraction used to describe the actual flow of data packets using paths determined by the control plane. The control plane traffic carries control traffic (which is not end-user data) whereas the data plane traffic is actual end-user data.
  There is no single command that you can use to distinguish between the two. The commands you have on a router that can be used to view control plane operation are as such:
  sh ip route
  sh ip cef
  sh ip bgp ...
  sh ip ospf ...
  sh mpls forwarding-table...
  etc... and many, many more
  Typically, there isn't a clear demarcation between commands that display control plane info and those that display data plane information... You could use commands such as the following to get some idea of data traffic flowing through a router:
  sh interfaces
  sh policy-map interface
  etc.
  Hope that helps - pls rate the post if it does.
  Paresh

• CProjects- Control Plan

  Hi All,
  I am working on cProjects. When I assign the control plan on the Project definition it is created. I can create the process & assign the tools & characteritics. But in the additional data for characteristics the fields are greyed. Example ; I do want the unit k, lower & higher values for characterist temp but it is greyed out.
  Is there any setting required for transfer to SAP R/3 as inspection plan.
  Help requrd.
  RAMU

  Go to Characteristics ‘CT04’ or ‘CT02’
  Go to Additional Data Tab---- enter TABLE which you want use , enter FIELD values
  Enter document details below
  Save transaction
  Enjoy SAP…….!!!!!!

• How to map,e.g. conceptual control plane to physical element?

  Route processor = control plane (customer, provider) in layer 3
  Line card = data plane in layer 2& layer 3
  where is management plane?
  Thanks

  Hi
  When you configure MP you can see the logging for same . The log you will get
  Aug  2 15:25:32.846: %CP-5-FEATURE: Management-Interface feature enabled on Control plane
  host path
  It shows that the MP work over Control plane. Means in Route processor  the MP will take palce.
  Regards
  Chetan Kumar

• Control plane policing

  please does anyone understand the diference in using a class-map of type que-threshold and using a default class-map with que-limit in the policy-map???
  class-map type queue-threshold match-all http-que
       match  protocol http
  policy-map type  queue-threshold http-que
       class http-que
       que-limit 100
  class-map match-all http
  match access-group name http
  policy-map http
  class http
     bandwidth 100000
     queue-limit 100

  The type queue-limit will be matching http packets that are for the router management.
  If you set a queue-limit under a regular class-map you are matching http traffic that is routed through the traffic.
  In other words CPP queue limit protects the control-plane (router management) queue from getting full and DoS the router or locking someone out.
  Regular class-map is for traffic through the routers.
  I hope it helps.
  PK

• Control-plane protection| soft ware hardware counters

  Hi everybody
  Today I noticed something stange at work. I was looking at how we implemented a policy to drop ICMPS hitting our processor after certains constraints are met.
  cisco#show running-config | begin control-plane
  control-plane
  service-policy input copp-aggregated
  +++++++++++++++++++++++
  Policy defination:
  policy-map copp-aggregated
  class cpp-icmp
     police cir 5000000 bc 93750 be 187500 conform-action transmit exceed-action drop violate-action drop
  class-map match-all cpp-icmp
    match access-group name cpp-icmp
  cisco#show ip access cpp-icmp
  Extended IP access list cpp-icmp
      10 permit icmp any any (156222580 matches)
  ++++++++++++++++++++++++++++++
  cisco#show policy-map control-plane
   Control Plane Interface
  Service-policy input: copp-aggregated
  Hardware Counters:
      class-map: cpp-icmp (match-all)
        Match: access-group name cpp-icmp
        police :
          5000000 bps 93000 limit 93000 extended limit
        Earl in slot 5 :
          5295068971 bytes
          5 minute offered rate 9528 bps
          aggregate-forwarded 5259145173 bytes action: transmit
          exceeded 35923798 bytes action: drop
          aggregate-forward 9936 bps exceed 0 bps
    Software Counters:
      Class-map: cpp-icmp (match-all)
        99672582 packets, 14936584392 bytes
        5 minute offered rate 11000 bps, drop rate 0 bps
        Match: access-group name cpp-icmp
        police:
            cir 5000000 bps, bc 93750 bytes, be 187500 bytes
          conformed 99672950 packets, 14936253164 bytes; action: transmit
          exceeded 289 packets, 422518 bytes; action: drop
          violated 0 packets, 0 bytes; action: drop
          conformed 13000 bps, exceed 0 bps, violate 0 bps
  +++++++++++++++++++++++++++++++++++
  I can see " software counters' just show the constraints defined under policy "  copp-aggregated", how did we end up with hardware counters ?
  Hardware counters shows " 5000000 bps 93000 limit 93000 extended limit"  which we never defined that anywhere.
  I appreciate your help
  Thanks

  BTW, don't know why but the **** above should have read k - n - o - b.  Probably the decorum police checking in...

• Control-plane policing on ML Card

  Hi All,
  We are experiencing high CPU utilization on one of our ML Card in the ONS 15454. The "IP Input" has relatively higher CPU utilization consumed irrespective of the proper fast/CEF switching enabled on the interfaces. We are trying to figure out,whether there is an attack to the control-plane or even any IP Packets destined local to the ML Card,which is causing those packet to process switched.
  In order to figure that,we thought we may try to use Control plance policing on the control-plane but it seems not taking the service-policy associated with that. Is this feature supported in the ML card or any other suggestion would be really appreciated.
  Thanks
  Regards
  Anantha Subramanian Natarajan

  Try the "clear ip mroute" command on the ML card with high cpu usage and check for the issue. Ml card having a large number of mac address traffic can also cause high cpu usage.In very large bridged networks, which may connect directly to 1000s of layer-3 devices, it may also be wise to increase the MAC table limit above the default of 1000 MAC addresses. This is done with the configuration command:
  bridge X limit dynamic entries 10000

• Control plane protection

  Hi guys,
  I want to implement control plane protection for fragmented packets. As far as i know if fragmented packet are traversing through router then service-policy will be applied at control-plane transit but if fragmented packets are destine to router itself then it will be applied at control-plane host. Correct me if i am wrong. Moreover I want to know the difference between
  Control-plane
  Control-plane host
  Control-plane transit
  Control-plane cef

  Hi Bro
  What you’re doing is good. It’s always best to block the fragmented packets at the control-plane level, rather than via the normal ACL.
  In the basic/lower feature sets IOS versions, there is no breakdown in terms of control-plane. With the advanced/higher feature sets IOS versions, you have control-plane host, control-plane transit and control-plane cef. Your next question would be when do I apply them, in what given situations, am I right? Basically, in a nutshell, here goes
  a)    control-plane host handles packets destined for router itself e.g. management traffic (telnet/ssh/tacacs+/radius) and routing traffic.
  b)    control-plane transit works on IP based packets traversing through the router e.g. internet browsing, email etc.
  c)    control-plane cef focuses on non-IP packets e.g. CDP, ARP etc.
  With this in mind, you might wanna expand your knowledge in depth, by reading this Cisco document http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html
  P/S: if you think this comment is useful, please do rate them nicely :-) and click on the button THIS QUESTION IS ANSWERED.

• Control-plane command?

  Hi, I am just looking at a Cisco 1131g AP and notice there is no control-plane command. Does anyone know why? AP is running 12.4(10b)JDA3

  Maybe they finally removed it? Correct me if I'm wrong, but I believe that control-plane commands were how one would configure legacy QoS (prior to Modular QoS Commands).
  I might be wrong, I'm a bit fuzzy on legacy stuff since I'm 'new' to the Cisco world. 12.2 was out when I first learned what Cisco was, lol.

• Control Plane Policy not allowing ssh on my 3825 router

  I have complaints for a downstream customer trying to connect to my network. He is the only one connecting to hosts via ssh. He is showing up hitting the 3rd party (Mcaffee Sidewinder Firewall) between the 2 Cisco 3825 routers but with the bytes stripped out.  I started looking at the control plane policy and believe it is the culprit. He is the only host I need to get in through the router (WAN) via this protocol/port. What do I need to change in order to allow him through?

  BTW, don't know why but the **** above should have read k - n - o - b.  Probably the decorum police checking in...

• Control Plane Policing (CoPP) for Data Center

  Hi All,
  I am planning to apply CoPP on different routers and switches of Data Center. This Data Center comprises of Cisco 6513 (VSS), Catalyst 3750, Cisco 3845 and Cisco 2811.
  My question are:
  1. Do we have to apply CoPP on Catalyst 3750, as these are DMZ switches only?
  2. How to find the packet processing rate from router and switches?
  3. Any best practices CoPP template for routers running OSPF and BGP?
  Thanks and Regards,
  Ahmed.

  1. You would need to apply CoPP to all routers/switches that are 
  manageable from untrusted sites. So even if you have non-DMZ switches 
  that will be able to be telneted to from the outside for example, 
  CoPPing them would be helpful for you.Do we not need to apply
  CoPP on switches and routers that are not telneted from outside?
  Control plan traffic is traffic that goes to the control plane of the router like management traffic, snmp etc. If there is a firewall securing you from the outside I would feel my switches are more secure and it is not easy to bring them to their knees with an attacker doing too much from the outside. Control plane policing applies to all control plane traffic, but it is mostly against outsiders that someone would try to protect himself.
  2. "sh proc
  cpu" would give you some  insight for processes like ssh or telnet and
  how much the take. Not  control packet rate processing though.I
  want to know the maximum packet processing rate of a router or switch?
  I don't think you will be able to pull that number.
  3. Depends
  on how powerful the  router is, how many commands you are running, how
  much route processing  is going on.Best practice for a router
  running OSPF with 200 routes?
  Don't know of any.
  PK

• Do you know a unicast protocol for the Ethernet control plane?

  Hi,
  Does anyone know a protocol for the Ethernet control plane which has a unicast destination address?
  MVRP, MMRP, MSTP, RSTP, all these protocols have a multicast reserved destination address.
  Perhaps we have to look non-802.1Q control plane protocols.
  Best regards,
  Michel

  Hi Peter,
  > I wonder if any of the OAM protocols, especially the one providing the loopback/ping test is unicast-based.
  In G.8013 (07/2011) section 7.3:
  "The Ethernet loopback function (ETH-LB) is used to verify connectivity of a MEP with a MIP or
  peer MEP(s). There are two ETH-LB types:
  • Unicast ETH-LB.
  • Multicast ETH-LB".
  > In any case, think of LOOP frames sent by Catalyst switches to detect  self-looped ports. In these frames,
  > the source and destination MAC  address are set to the unicast MAC of the egress port.
  As I said above, it's a good case for my little study.
  The LOOP frame, from Cisco, was certainly interesting and important before 2004.
  Since 802.3ah-2004 we have the OAM remote loopback (in link OAM, and not network OAM as ETH-LB).
  Best regards,
  Michel