Hi PJ

CPPr requires CEF; if you disable CEF, all three CPPr sub-interfaces are disabled and you will see the following message on the console:

router2(config)#no ip cef
router2(config)#
Nov 13 12:17:09.667: %CP-4-CPPR_DISABLED: Removing security features on host, transit and cef-exception paths
router2(config)#
router2(config)#
Nov 13 12:17:09.667: %CP-5-FEATURE: Control-plane Policing feature disabled from Control plane host path
Nov 13 12:17:09.667: %CP-5-FEATURE: Control-plane Policing feature disabled from Control plane transit path
Nov 13 12:17:09.667: %CP-5-FEATURE: Control-plane Policing feature disabled from Control plane cef-exception path

In contrast, CoPP can work without CEF. I am looking for a feature or traffic that uses process switching with CEF enabled on the router.

With regards
Kings

On Mon, Nov 15, 2010 at 2:05 PM, Pieter-Jan Nefkens <[email protected]> wrote:
> Hi kings,
>
> You can disable cef completely by using global config (issue 3)
>
> No ip cef
>
> You can also use it on interfaces to disable the hardware entries
> No ip route-cache flow
>
> Hth
>
> Pj
>
>
> Sent from my iPad
>
> On 15 nov. 2010, at 08:59, Kingsley Charles <[email protected]> wrote:
>
> Hi all
>
> I am trying to block fragmented packets to the control plane (both CoPP & CPPr). Adding one more issue.
>
> *Issue 1*
>
> I wanted to simulate a fragmented session.
>
> Let me admit that using ICMP to test the CPPr host sub-interface doesn't seem to be the right way. You need to test with TCP or UDP applications as CPPr only handles TCP and UDP traffic.
>
> And the other thing I observed is that fragmented ICMP packets don't come into CoPP and are just allowed.
>
> So I tried copying a file of size 2250 KB using ftp, tftp and also viewed a running config greater than 2000 Bytes of another router from my router that was configured for control plane.
>
> But none of them seem to be generating fragmented packets.
>
> I tried configuring the following ACL on the receiving interface to look for fragmented packets but I didn't see the counters increasing for the first ACE with the frag keyword
>
> access-list 123 permit ip any any fragments
> access-list 123 permit ip any any
>
> Is there something wrong in the way of my simulation for generating fragmented packets for ftp, tftp and telnet?
>
>
> *Issue 2*
>
> To get the simulation to work, I launched the home page of the router using a browser and in that I used the extended Ping utility. I self pinged with a size of 2000 bytes and I was able to see the results. The Pings are sent through HTTP, and HTTP, which is a TCP application, is being fragmented. Hence, I get simulated fragmented TCP packets to the control plane.
>
> class-map match-all frag
>  match access-group 123
>
> policy-map frag
>  class frag
>   drop
>
> access-list 123 permit ip any any fragments
>
> If I apply the policy to CoPP, it works. The fragmented packets are getting dropped.
>
> control-plane
>  service-policy input frag
>
> If I apply the policy to the CPPr host sub-interface, the fragmented packets are not getting dropped; rather all the fragmented packets are classified in the default class, which means control plane host doesn't match fragmented packets.
>
> control-plane host
>  service-policy input frag
>
> router2#sh policy-map control-plane host
> Control Plane Host
>
>  Service-policy input: frag
>
>   Class-map: frag (match-all)
>    0 packets, 0 bytes
>    5 minute offered rate 0 bps, drop rate 0 bps
>    Match: access-group 123
>    drop
>
>   Class-map: class-default (match-any)
>    127 packets, 13237 bytes
>    5 minute offered rate 0 bps, drop rate 0 bps
>    Match: any
>
> *Why doesn't the control plane host sub-interface handle fragmented packets?*
>
>
> *Issue 3*
>
> I am trying to block fragmented packets using the transit plane.
>
> The transit sub-interface only deals with process switched traffic. Hence I put a router behind the router configured for the control transit plane and cleared the arp-cache. Now I tried to ping that router which is behind, and since there is no ARP cache, and hence no CEF entry populated, the router configured for control plane process switches the Ping and hence I get a simulated process switched ping.
>
> But I am not able to continue with this process switched ping with fragmented packets as there is no ARP. Once I configure ARP manually, the CEF table is built and fragmented packets are CEF switched, thereby permitted.
>
> Can someone tell me a way to test fragmented process switched traffic across the transit sub-interface.
>
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit <http://www.ipexpert.com>www.ipexpert.com
>
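As an added example (not from the thread or its participants), a small Python parser for the `show policy-map control-plane` output quoted above: it reads the per-class packet counters and flags classes that never match while class-default absorbs all the traffic, which is exactly the symptom Kings reports for the CPPr host sub-interface in Issue 2. The sample output is constructed from the counters quoted in the thread.

```python
import re

# Constructed sample modelled on the "sh policy-map control-plane host"
# output quoted in the thread: "frag" never matches, class-default takes all.
SAMPLE_OUTPUT = """\
Control Plane Host

 Service-policy input: frag

  Class-map: frag (match-all)
   0 packets, 0 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: access-group 123
   drop

  Class-map: class-default (match-any)
   127 packets, 13237 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")


def parse_control_plane_policy(text):
    """Return {class_name: {"type", "packets", "bytes"}} from
    'show policy-map control-plane' output (first counter line per class)."""
    stats, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"type": m.group(2), "packets": 0, "bytes": 0}
            stats[m.group(1)] = current
            continue
        m = COUNT_RE.match(line)
        if m and current is not None:
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
            current = None  # ignore later per-action counters of this class
    return stats


def unmatched_classes(stats):
    """Classes with zero hits while class-default absorbed traffic: the policy
    is attached but its classifier never fires (the Issue 2 symptom above)."""
    default = stats.get("class-default", {"packets": 0})
    if default["packets"] == 0:
        return []
    return sorted(n for n, s in stats.items() if n != "class-default" and s["packets"] == 0)
```

Run it against the live output of each sub-interface (host, transit, cef-exception) after generating test traffic; a non-empty result means the traffic reached the control plane but was never classified by the intended class.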
