Sent a partial mail by mistake. Here is the complete mail.

With regards
Kings
On Mon, Nov 15, 2010 at 12:49 PM, Kingsley Charles < [email protected]> wrote:
> Hi all
>
> I am trying to block fragmented packets to the control plane (both CoPP & CPPr).
>
> *Issue 1*
>
> I wanted to simulate a fragmented session.
>
> Let me admit that using ICMP to test the CPPr host sub-interface doesn't seem
> to be the right way. You need to test with TCP or UDP applications, as CPPr
> only handles TCP and UDP traffic.
>
> And the other thing I observed is that fragmented ICMP packets don't come
> into CoPP and are just allowed.
>
> So I tried copying a file of size 2250 KB using ftp and tftp, and also viewed a
> running config greater than 2000 bytes of another router from my router that was
> configured for control plane.
>
> But none of them seem to be generating fragmented packets.
>
> I tried configuring the following ACL on the receiving interface to look for
> fragmented packets, but I didn't see the counters increasing for the first ACE
> with the fragments keyword:
>
> access-list 123 permit ip any any fragments
> access-list 123 permit ip any any
>
> *Is there something wrong with the way of my simulation for generating
> fragmented packets for ftp, tftp and telnet?*
>
> *Issue 2*
>
> To get the simulation to work, I launched the home page of the router
> using a browser, and in that I used the extended Ping utility. I self-pinged
> with a size of 2000 bytes and I was able to see the results. The pings are
> sent through HTTP, and HTTP, which is a TCP application, is being fragmented.
> Hence I get simulated fragmented TCP packets to the control plane.
>
> class-map match-all frag
>  match access-group 123
>
> policy-map frag
>  class frag
>   drop
>
> access-list 123 permit ip any any fragments
>
> If I apply the policy to CoPP, it works. The fragmented packets are getting dropped.
>
> control-plane
>  service-policy input frag
>
> If I apply the policy to the CPPr host sub-interface, it works.
> The fragmented packets are not getting dropped; rather, all the fragmented
> packets are classified in the default class, which means control plane host
> doesn't match fragmented packets.
>
> control-plane host
>  service-policy input frag
>
> router2#sh policy-map control-plane host
>
>  Control Plane Host
>
>   Service-policy input: frag
>
>     Class-map: frag (match-all)
>       0 packets, 0 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: access-group 123
>       drop
>
>     Class-map: class-default (match-any)
>       127 packets, 13237 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: any
>
> Why doesn't the control plane host sub-interface handle fragmented packets?
>
> With regards
> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
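The fragmentation behaviour the mail is trying to reproduce, as an added example that is not part of the original post or of any Cisco code: a minimal IPv4 fragmenter in Python plus a classifier that applies the Cisco IOS ACL `fragments` keyword semantics. In IOS, `permit ip any any fragments` matches only non-initial fragments (fragment offset greater than zero); the initial fragment still carries the TCP/UDP header and is evaluated like any other packet by the ordinary L3/L4 ACEs. That is also why the ftp, tftp and telnet transfers never incremented the first ACE: TCP sizes its segments to the negotiated MSS, so IP never has to fragment them, and TFTP moves 512-byte blocks by default, well under a 1500-byte MTU. The MTU, identification value, ports and payloads in the code are constructed for the example; `simulate` and the other function names are the example's own.

```python
"""Added example, not code from the original mail: IPv4 fragmentation of a
UDP/ICMP datagram and classification with IOS `fragments` keyword semantics.
MTU, identification, ports and payloads are constructed for the example."""
import struct

IPV4_HEADER_LEN = 20   # no IP options
PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_UDP = 17


def build_udp(src_port, dst_port, data):
    """UDP header followed by data; the checksum is left 0 (optional in IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def build_icmp_echo(data):
    """ICMP echo request (type 8, code 0); checksum, id and seq left 0."""
    return struct.pack("!BBHHH", 8, 0, 0, 0, 0) + data


def fragment_ipv4(l4_payload, mtu, ident, proto):
    """Split an IP payload into fragments whose IP packet fits `mtu`.

    Every fragment except the last carries a multiple of 8 data bytes,
    because the fragment offset field counts 8-byte units. Each fragment
    is a dict with: ident, proto, offset (8-byte units), mf (more
    fragments flag) and data.
    """
    max_data = (mtu - IPV4_HEADER_LEN) // 8 * 8   # 1480 bytes for MTU 1500
    frags, start = [], 0
    while True:
        chunk = l4_payload[start:start + max_data]
        end = start + len(chunk)
        frags.append({"ident": ident, "proto": proto, "offset": start // 8,
                      "mf": end < len(l4_payload), "data": chunk})
        if end >= len(l4_payload):
            return frags
        start = end


def matches_fragments_keyword(frag):
    """`access-list 123 permit ip any any fragments` matches only
    non-initial fragments, i.e. fragment offset > 0. The initial fragment
    (offset 0, MF set) is evaluated by the ordinary L3/L4 ACEs."""
    return frag["offset"] > 0


def l4_ports(frag):
    """TCP/UDP ports are readable only in an initial fragment; a
    non-initial fragment carries no L4 header at all."""
    if frag["proto"] not in (PROTO_TCP, PROTO_UDP):
        return None
    if frag["offset"] != 0 or len(frag["data"]) < 4:
        return None
    return struct.unpack("!HH", frag["data"][:4])


def copp_frag_policy(frag):
    """policy-map frag: class frag (match access-group 123) -> drop;
    everything else lands in class-default."""
    return "drop" if matches_fragments_keyword(frag) else "class-default"


def simulate(data_len, proto, mtu=1500):
    """Build one datagram with `data_len` bytes of application data, fragment
    it for `mtu`, and report per fragment:
    (offset, mf, data length, CoPP class action, visible L4 ports)."""
    if proto == PROTO_UDP:
        payload = build_udp(40000, 69, b"A" * data_len)   # constructed TFTP-like flow
    else:
        payload = build_icmp_echo(b"A" * data_len)
    frags = fragment_ipv4(payload, mtu, ident=0x1234, proto=proto)
    return [(f["offset"], f["mf"], len(f["data"]), copp_frag_policy(f), l4_ports(f))
            for f in frags]


if __name__ == "__main__":
    # 2000 bytes of data over a 1500-byte MTU: two fragments, and only the
    # second one (offset 185, no L4 header) hits the `fragments` ACE.
    for row in simulate(2000, PROTO_UDP):
        print(row)
    # A default TFTP block (512 bytes) never exceeds the MTU: one packet,
    # so there is nothing for the `fragments` ACE to match.
    for row in simulate(512, PROTO_UDP):
        print(row)
```

Run it stand-alone with `python3` to see both cases; the point to take from the output is that a `fragments` class can only ever see the non-initial fragments, which carry no port numbers, so any classifier that keys on TCP/UDP ports has nothing to match in them.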
