Hi all,

The CoPP can be applied outbound. My understanding is that any traffic transmitted from the control plane to outside is outbound.

The other way to interpret outbound is traffic moving outbound from control aggregate services to control. As per my lab results, the CoPP outbound filters the outbound traffic from control plane to outside. Any thoughts?

But the following snippets seem to be claiming the other way around: traffic moving outbound from control aggregate services to control. Have a look at the highlighted texts.

*Discrepancy in Snippet 1*
*Port which router not listening* means traffic coming to router

*Discrepancy in Snippet 2*
*Trusted networks with source addresses 10.0.0.0 and 10.0.0.1 receive Internet Control Management Protocol (ICMP) port-unreachable responses.*
Check out the ACLs, this wording doesn't seem to be correct.

Snippet from http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/ctrl_plane_policng_external_docbase_0900e4b1805eee4d_4container_external_docbase_0900e4b180dd87e0.html

Output Rate-Limiting and Silent Mode Operation

A router is automatically enabled to silently discard packets when you configure output policing on control plane traffic using the *service-policy output policy-map-name* command. Rate-limiting (policing) of output traffic from the CP is performed in silent mode. In silent mode, a router that is running Cisco IOS software operates without sending any system messages. If a packet that is exiting the control plane is discarded for output policing, you do not receive an error message.

When control plane policing is configured for output traffic, error messages are not generated in the following cases:

• Traffic that is being transmitted to a port to which the router is not listening
• A connection to a legitimate address and port that is rejected because of a malformed request

Configuring Control Plane Policing on Output ICMP Traffic: Example

The following example shows how to apply a QoS policy for aggregate CP services to Telnet traffic transmitted from the control plane. Trusted networks with source addresses 10.0.0.0 and 10.0.0.1 receive Internet Control Management Protocol (ICMP) port-unreachable responses without constraint, while allowing all remaining ICMP port-unreachable responses to be dropped:

! Allow 10.0.0.0 trusted network traffic.
Router(config)# access-list 141 deny icmp 10.0.0.0 0.0.0.255 any port-unreachable
! Allow 10.0.0.1 trusted network traffic.
Router(config)# access-list 141 deny icmp 10.0.0.1 0.0.0.255 any port-unreachable
! Rate-limit all other ICMP traffic.
Router(config)# access-list 141 permit icmp any any port-unreachable
Router(config)# class-map icmp-class
Router(config-cmap)# match access-group 141
Router(config-cmap)# exit
Router(config)# policy-map control-plane-out
! Drop all traffic that matches the class "icmp-class."
Router(config-pmap)# class icmp-class
Router(config-pmap-c)# drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# control-plane
! Define aggregate control plane service for the active route processor.
Router(config-cp)# service-policy output control-plane-out
Router(config-cp)# end

With regards,
Kings
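To check ACL 141 against either reading of "outbound", the following added example (not part of the original post or of the Cisco document) evaluates the three quoted entries with first-match and wildcard-mask semantics over constructed source/destination pairs. The router and host addresses are assumptions, and only the address fields are modelled, since every entry is ICMP port-unreachable.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _match(addr, base, wildcard):
    # Cisco wildcard mask: bits set to 1 are "don't care" bits.
    if base == "any":
        return True
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

# ACL 141 as quoted above: (action, src, src_wildcard, dst, dst_wildcard)
ACL_141 = [
    ("deny",   "10.0.0.0", "0.0.0.255", "any", None),
    ("deny",   "10.0.0.1", "0.0.0.255", "any", None),
    ("permit", "any",      None,        "any", None),
]

def acl_result(acl, src, dst):
    """Return (action, index) of the first matching entry; implicit deny at the end."""
    for i, (action, s, sw, d, dw) in enumerate(acl):
        if _match(src, s, sw) and _match(dst, d, dw):
            return action, i
    return "deny", None

def policy_action(acl, src, dst):
    # In the class-map, an ACL "permit" places the packet in icmp-class (action: drop);
    # an ACL "deny" keeps it out of the class, so it is sent without constraint.
    return "drop" if acl_result(acl, src, dst)[0] == "permit" else "transmit"

# Constructed addresses (assumptions, not from the post).
ROUTER = "192.0.2.1"        # router address outside 10.0.0.0/24
TRUSTED = "10.0.0.25"       # host inside the trusted network
UNTRUSTED = "198.51.100.7"  # any other host

if __name__ == "__main__":
    for name, src, dst in [
        ("router -> trusted host", ROUTER, TRUSTED),
        ("router -> untrusted host", ROUTER, UNTRUSTED),
        ("trusted host -> router", TRUSTED, ROUTER),
    ]:
        print(f"{name:26} {src:>13} -> {dst:<13} {policy_action(ACL_141, src, dst)}")
```

With the router's own address as the source, replies to the trusted host fall through to the permit entry; only packets sourced from 10.0.0.0/24 are exempted. Because of the 0.0.0.255 wildcard, the 10.0.0.1 entry covers the same /24 as the first entry and is never the first match.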
