Hi all
I am trying to block fragmented packets to control plane (both CoPP & CPPr).
Adding one more issue.
*Issue 1*
I wanted to simulate fragmented session.
Let me admit that using ICMP to test CPPr host sub-interface doesn't
seem to be the right way. You need to test with TCP or UDP applications as
CPPr only handles TCP and UDP traffic.
And the other thing I observed is that fragmented ICMP packets don't
come into CoPP and are just allowed.
So I tried copying a file of size 2250 KB using ftp, tftp and also
viewed a running config greater than 2000 bytes of another router from my router
that was configured for control plane.
But none of them seem to be generating fragmented packets.
I tried configuring the following ACL on the receiving interface to check
for fragmented packets, but I didn't see the counters increasing for the first
ACE with the fragments keyword:
access-list 123 permit ip any any fragments
access-list 123 permit ip any any
Is there something wrong with the way I am simulating fragmented
packets for ftp, tftp and telnet?
*Issue 2*
To get the simulation to work, I launched the home page of the router using
a browser and in that I used the extended ping utility. I self-pinged with a
size of 2000 bytes and I was able to see the results. The pings are sent
through HTTP, and HTTP, which is a TCP application, is being fragmented. Hence I
get simulated fragmented TCP packets to the control plane.
class-map match-all frag
 match access-group 123
policy-map frag
 class frag
  drop
access-list 123 permit ip any any fragments
If I apply the policy to CoPP, it works. The fragmented packets are
getting dropped.
control-plane
 service-policy input frag
If I apply the policy to the CPPr host sub-interface, the fragmented
packets are not getting dropped; rather, all the fragmented packets are
classified in the default class, which means control plane host doesn't
match fragmented packets.
control-plane host
 service-policy input frag
router2#sh policy-map control-plane host
Control Plane Host
  Service-policy input: frag
    Class-map: frag (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 123
      drop
    Class-map: class-default (match-any)
      127 packets, 13237 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
*Why doesn't the control plane host sub-interface handle fragmented packets?*
*Issue 3*
I am trying to block fragmented packets using the transit plane.
The transit sub-interface only deals with process-switched traffic. Hence I
put a router behind the router configured for the control transit plane and
cleared the ARP cache. Now I tried to ping that router which is behind, and
since there is no ARP cache, and therefore no CEF table populated, the router
configured for control plane process-switches the ping and hence I get a
simulated process-switched ping.
But I am not able to continue with this process-switched ping with
fragmented packets as there is no ARP. Once I configure ARP manually, the
CEF table is built and fragmented packets are CEF-switched, and thereby
permitted.
Can someone tell me a way to test fragmented process-switched traffic across
the transit sub-interface?
With regards
Kings
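As an added illustration (not part of the post above or of any Cisco code), assuming the IOS ACL keyword `fragments` matches only non-initial fragments (fragment offset greater than zero): the Python below parses constructed IPv4 packets, shows which of them such an ACE would match, and shows that a non-initial fragment carries no TCP/UDP header, so a classifier that needs ports has nothing to inspect in it. The addresses, ports and fragment sizes are constructed for the example.

```python
import struct

# Constructed IPv4 addresses for the samples below (not from the post).
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])

def build_ipv4(ident, mf, offset_bytes, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left zero) plus payload."""
    flags_off = (0x2000 if mf else 0) | (offset_bytes // 8)   # MF bit, 8-byte offset units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, SRC, DST)
    return hdr + payload

def parse_ipv4(pkt):
    """Return the header fields that fragment handling depends on."""
    ver_ihl, _, _, ident, flags_off, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "mf": bool(flags_off & 0x2000),
            "offset": (flags_off & 0x1FFF) * 8, "proto": proto, "payload": pkt[ihl:]}

def classify_fragment(pkt):
    """'unfragmented', 'initial' (offset 0, MF set) or 'non-initial' (offset > 0)."""
    h = parse_ipv4(pkt)
    if h["offset"] > 0:
        return "non-initial"
    return "initial" if h["mf"] else "unfragmented"

def matches_fragments_ace(pkt):
    """An ACE with the IOS 'fragments' keyword matches only non-initial fragments."""
    return classify_fragment(pkt) == "non-initial"

def l4_ports(pkt):
    """(sport, dport) when a TCP/UDP header is present; None for non-initial
    fragments, which carry only data and therefore cannot be matched on ports."""
    h = parse_ipv4(pkt)
    if h["offset"] != 0 or h["proto"] not in (6, 17) or len(h["payload"]) < 4:
        return None
    return struct.unpack("!HH", h["payload"][:4])

# Constructed samples: one whole TCP segment to port 80, then a flow split into
# an initial fragment (carries the TCP header) and a non-initial fragment.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 8192, 0, 0)
WHOLE = build_ipv4(0x1234, False, 0, 6, TCP_HDR + b"A" * 100)
FIRST_FRAG = build_ipv4(0x1235, True, 0, 6, TCP_HDR + b"B" * 1460)
SECOND_FRAG = build_ipv4(0x1235, False, 1480, 6, b"C" * 500)

if __name__ == "__main__":
    for name, pkt in (("whole", WHOLE), ("first", FIRST_FRAG), ("second", SECOND_FRAG)):
        print(name, classify_fragment(pkt), matches_fragments_ace(pkt), l4_ports(pkt))
```

Only the second fragment satisfies the `fragments` ACE, and it is also the one for which no port tuple can be read, which is the combination to keep in mind when a port-aware classifier reports fragments in its default class.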
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com