Hi all,

I am trying to block fragmented packets to the control plane (both CoPP & CPPr).

*Issue 1*

I wanted to simulate a fragmented session. Let me admit that using ICMP to test the CPPr host sub-interface doesn't seem to be the right way. You need to test with TCP or UDP applications, as CPPr only handles TCP and UDP traffic. The other thing I observed is that fragmented ICMP packets don't come into CoPP and are just allowed.

So I tried copying a file of size 2250 KB using ftp and tftp, and also viewed a running config greater than 2000 bytes of another router from my router that was configured for control plane. But none of them seem to be generating fragmented packets.

I tried configuring the following ACL on the receiving interface to look for fragmented packets, but I didn't see the counters increasing for the first ACE with the frag keyword:

    access-list 123 permit ip any any fragments
    access-list 123 permit ip any any

Is there something wrong in the way of my simulation for generating fragmented packets for ftp, tftp and telnet?

*Issue 2*

To get the simulation to work, I launched the home page of the router using a browser and in that I used the extended Ping utility. I self pinged with a size of 2000 bytes and I was able to see the results.

    class-map match-all frag
     match access-group 123
    policy-map frag
     class frag
      drop

With regards
Kings
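As an added example (not part of the original post), the sketch below works through IPv4 fragmentation arithmetic to show which packets an ACE with the `fragments` keyword would count, since that keyword matches non-initial fragments only. The 1500-byte MTU, the MSS-sized TCP segment, the default 512-byte TFTP block and the reading of ping size as the whole datagram are assumptions.

```python
# Added illustration; MTU, header sizes and packet sizes are assumed values.
from dataclasses import dataclass

IP_HEADER = 20  # IPv4 header without options


@dataclass
class Fragment:
    offset_units: int     # Fragment Offset field, in 8-byte units
    more_fragments: bool  # MF flag
    payload_len: int      # bytes of IP payload carried by this fragment

    @property
    def matches_fragments_ace(self):
        # `fragments` matches non-initial fragments (offset > 0); the first
        # fragment carries the L4 header and falls through to the next ACE.
        return self.offset_units > 0


def fragment(ip_payload_len, mtu=1500):
    """Split an IPv4 payload the way a sender does for the given MTU."""
    # Every fragment except the last must carry a multiple of 8 bytes.
    max_data = (mtu - IP_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < ip_payload_len:
        size = min(max_data, ip_payload_len - offset)
        more = offset + size < ip_payload_len
        frags.append(Fragment(offset // 8, more, size))
        offset += size
    return frags


def ace_hits(ip_payload_len, mtu=1500):
    """Packets that would increment `permit ip any any fragments`."""
    return sum(f.matches_fragments_ace for f in fragment(ip_payload_len, mtu))


# Constructed cases (IP payload lengths):
PING_2000 = 2000 - IP_HEADER  # 2000-byte datagram, as with an extended ping
TCP_SEGMENT = 20 + 1460       # TCP header + one MSS-sized segment
TFTP_BLOCK = 8 + 4 + 512      # UDP header + TFTP header + default block

if __name__ == "__main__":
    for name, size in [("ping 2000", PING_2000), ("TCP segment", TCP_SEGMENT),
                       ("TFTP block", TFTP_BLOCK)]:
        print(f"{name}: {len(fragment(size))} packet(s), "
              f"{ace_hits(size)} hit(s) on the fragments ACE")
```

A large FTP or telnet transfer is still sent as MSS-sized TCP segments and a default TFTP transfer as 512-byte blocks, so under these assumptions file size alone produces no fragments, while an oversized ping does.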
