Tried that too PJ but that also doesn't work. There should be protocols that use process switching with CEF configured, otherwise why would Cisco have a transit interface for CPPr?

With regards
Kings

On Mon, Nov 15, 2010 at 8:42 PM, Pieter-Jan Nefkens <[email protected]> wrote:

> Hi kings,
>
> What if you enable cef globally but disable on an ingress interface?
>
> Pj
>
> Sent from an iPhone
>
> On 15 Nov 2010, at 15:33, Kingsley Charles <[email protected]> wrote:
>
> Hi PJ
>
> CPPr requires CEF. If you disable CEF, all three CPPr sub-interfaces
> are disabled and you will see the following message on the console:
>
> router2(config)#no ip cef
> router2(config)#
> Nov 13 12:17:09.667: %CP-4-CPPR_DISABLED: Removing security features on host, transit and cef-exception paths
> router2(config)#
> router2(config)#
> Nov 13 12:17:09.667: %CP-5-FEATURE: Control-plane Policing feature disabled from Control plane host path
> Nov 13 12:17:09.667: %CP-5-FEATURE: Control-plane Policing feature disabled from Control plane transit path
> Nov 13 12:17:09.667: %CP-5-FEATURE: Control-plane Policing feature disabled from Control plane cef-exception path
>
> In contrast, CoPP can work without CEF.
>
> I am looking for a feature or traffic that uses process switching with CEF
> enabled on the router.
>
> With regards
> Kings
>
> On Mon, Nov 15, 2010 at 2:05 PM, Pieter-Jan Nefkens <[email protected]> wrote:
>
>> Hi kings,
>>
>> You can disable cef completely by using global config (issue 3)
>>
>> No ip cef
>>
>> You can also use it on interfaces to disable the hardware entries
>> No ip route-cache flow
>>
>> Hth
>>
>> Pj
>>
>> Sent from my iPad
>>
>> On 15 Nov 2010, at 08:59, Kingsley Charles <[email protected]> wrote:
>>
>> Hi all
>>
>> I am trying to block fragmented packets to the control plane (both CoPP &
>> CPPr). Adding one more issue.
>>
>> *Issue 1*
>>
>> I wanted to simulate a fragmented session.
>>
>> Let me admit that using ICMP to test the CPPr host sub-interface doesn't
>> seem to be the right way. You need to test with TCP or UDP applications as
>> CPPr only handles TCP and UDP traffic.
>>
>> And the other thing I observed is that fragmented ICMP packets don't
>> come into CoPP and are just allowed.
>>
>> So I tried copying a file of size 2250 KB using ftp, tftp and also
>> viewed a running config greater than 2000 bytes of another router from my router
>> that was configured for control plane.
>>
>> But none of them seem to be generating fragmented packets.
>>
>> I tried configuring the following ACL on the receiving interface to
>> see for fragmented packets but I didn't see the counters increasing for the
>> first ACE with the frag keyword:
>>
>> access-list 123 permit ip any any fragments
>> access-list 123 permit ip any any
>>
>> Is there something wrong in the way of my simulation for generating
>> fragmented packets for ftp, tftp and telnet?
>>
>> *Issue 2*
>>
>> To get the simulation to work, I launched the home page of the router
>> using a browser and in that I used the extended Ping utility. I self-pinged
>> with a size of 2000 bytes and I was able to see the results. The Pings are
>> sent through HTTP, and HTTP, which is a TCP application, is being fragmented.
>> Hence, I get simulated fragmented TCP packets to the control plane.
>>
>> class-map match-all frag
>>  match access-group 123
>>
>> policy-map frag
>>  class frag
>>   drop
>>
>> access-list 123 permit ip any any fragments
>>
>> If I apply the policy to CoPP, it works. The fragmented packets are
>> getting dropped.
>>
>> control-plane
>>  service-policy input frag
>>
>> If I apply the policy to the CPPr host sub-interface, the fragmented
>> packets are not getting dropped; rather all the fragmented packets are
>> classified in the default class, which means control plane host doesn't
>> match fragmented packets.
>>
>> control-plane host
>>  service-policy input frag
>>
>> router2#sh policy-map control-plane host
>>  Control Plane Host
>>
>>   Service-policy input: frag
>>
>>     Class-map: frag (match-all)
>>       0 packets, 0 bytes
>>       5 minute offered rate 0 bps, drop rate 0 bps
>>       Match: access-group 123
>>       drop
>>
>>     Class-map: class-default (match-any)
>>       127 packets, 13237 bytes
>>       5 minute offered rate 0 bps, drop rate 0 bps
>>       Match: any
>>
>> *Why doesn't the control plane host sub-interface handle fragmented packets?*
>>
>> *Issue 3*
>>
>> I am trying to block fragmented packets using the transit plane.
>>
>> The transit sub-interface only deals with process-switched traffic. Hence
>> I put a router behind the router configured for the control transit plane
>> and cleared the ARP cache. Now I tried to ping that router which is behind,
>> and since there is no ARP cache, and thereby no CEF table populated, the router
>> configured for control plane process-switches the Ping and hence I get a
>> simulated process-switched ping.
>>
>> But I am not able to continue with this process-switched ping with
>> fragmented packets as there is no ARP. Once I configure ARP manually, the
>> CEF table is built and fragmented packets are CEF-switched, thereby
>> permitted.
>>
>> Can someone tell me a way to test fragmented process-switched traffic across
>> the transit sub-interface.
>>
>> With regards
>> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
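Added example, not part of the thread and not Cisco code: a small Python model of what the `access-list 123` counters in Issue 1 and Issue 2 actually count. It fragments an IPv4 datagram that is larger than the egress MTU the way a router would (all but the last fragment sized to an 8-byte multiple, same IP ID, MF set on every fragment but the last), and then classifies each packet the way the two ACEs do. The rule being modelled is that an ACE carrying the `fragments` keyword matches only non-initial fragments (fragment offset greater than zero); the initial fragment still carries the L4 header and is evaluated like any other packet, so it falls through to `permit ip any any`. Addresses, the IP ID, the MTU and the payload bytes are constructed for the example; the "ICMP" payload is filler with no valid ICMP checksum.

```python
"""Constructed example (not from the thread): IPv4 fragmentation and
how Cisco's `fragments` ACE keyword classifies the result.

Models these two lines from the thread:
    access-list 123 permit ip any any fragments   (ACE 10)
    access-list 123 permit ip any any             (ACE 20)
Addresses, IP ID, MTU and payloads are made up."""
import struct

IPV4_HDR_LEN = 20
FLAG_DF = 0x2  # Don't Fragment
FLAG_MF = 0x1  # More Fragments
_HDR_FMT = "!BBHHHBBH4s4s"  # 20-byte header, no options


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4(src, dst, proto, payload, ident, flags=0, frag_offset=0, ttl=64):
    """One IPv4 packet; frag_offset is in 8-byte units, as on the wire."""
    flags_off = (flags << 13) | frag_offset
    hdr = struct.pack(_HDR_FMT, 0x45, 0, IPV4_HDR_LEN + len(payload), ident,
                      flags_off, ttl, proto, 0, _ip(src), _ip(dst))
    # Header checksum lives in bytes 10-11.
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(src, dst, proto, payload, mtu, ident=0x1234, df=False):
    """Split a datagram the way a router forwarding onto `mtu` would."""
    if IPV4_HDR_LEN + len(payload) <= mtu:
        return [build_ipv4(src, dst, proto, payload, ident,
                           flags=FLAG_DF if df else 0)]
    if df:
        # A real router drops and sends ICMP type 3 code 4 to the source.
        raise ValueError("DF set and datagram exceeds MTU")
    chunk = ((mtu - IPV4_HDR_LEN) // 8) * 8  # every fragment but the last is an 8-byte multiple
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        last = off + chunk >= len(payload)
        frags.append(build_ipv4(src, dst, proto, piece, ident,
                                flags=0 if last else FLAG_MF, frag_offset=off // 8))
    return frags


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields the ACL logic cares about."""
    (_vihl, _tos, total_len, ident, flags_off, _ttl, proto, _cks,
     _src, _dst) = struct.unpack(_HDR_FMT, pkt[:IPV4_HDR_LEN])
    return {
        "ident": ident,
        "len": total_len,
        "proto": proto,
        "mf": bool((flags_off >> 13) & FLAG_MF),
        "df": bool((flags_off >> 13) & FLAG_DF),
        "offset": flags_off & 0x1FFF,
        "checksum_ok": ipv4_checksum(pkt[:IPV4_HDR_LEN]) == 0,
    }


def acl_123(pkt: bytes) -> int:
    """Sequence number of the first matching ACE.

    An ACE with the `fragments` keyword matches only non-initial fragments
    (fragment offset > 0).  The initial fragment carries the L4 header and is
    evaluated like any other packet, so here it hits the catch-all ACE."""
    if parse_ipv4(pkt)["offset"] > 0:
        return 10  # permit ip any any fragments
    return 20      # permit ip any any


def acl_counters(packets) -> dict:
    """Per-ACE hit counts, like the numbers `show access-list 123` reports."""
    counts = {10: 0, 20: 0}
    for pkt in packets:
        counts[acl_123(pkt)] += 1
    return counts


def demo(payload_len=2000, mtu=1500) -> dict:
    """A 2000-byte ICMP datagram (echo-request header + filler) crossing a 1500-byte MTU."""
    icmp = b"\x08\x00" + b"A" * (payload_len - 2)  # constructed filler, no valid ICMP checksum
    frags = fragment("10.0.0.1", "10.0.0.2", 1, icmp, mtu)
    return {"fragments": len(frags), "sizes": [len(f) for f in frags],
            "acl": acl_counters(frags)}


if __name__ == "__main__":
    print(demo())  # {'fragments': 2, 'sizes': [1500, 540], 'acl': {10: 1, 20: 1}}
```

The 2000-byte datagram becomes two packets on a 1500-byte MTU: a 1500-byte initial fragment (offset 0, MF set) that only the plain `permit ip any any` counts, and a 540-byte tail fragment (offset 185, MF clear) that is the only packet the `fragments` ACE sees. That is why a file transfer does not move the first counter: TCP sizes its segments to the negotiated MSS and TFTP's default 512-byte blocks fit any normal MTU, so no single datagram ever exceeds the path MTU. Exercising the `fragments` ACE needs one datagram larger than the MTU, which is what the 2000-byte ping launched over HTTP in Issue 2 finally produced.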
