Am I missing something, Kings?
I was able to configure cef-exception to filter ARP traffic but you have to
watch for the actions that you might apply to the policy-map.
R3(config)#do sh run | begin class-map
class-map match-all ARP-CM
match protocol arp
!
!
policy-map ARP-PM
class ARP-CM
police 200000 1000
….
control-plane cef-exception
service-policy input ARP-PM
And the router reported that it applied this policing:
R3(config-cp-cef-exception)#service-policy input ARP-PM
R3(config-cp-cef-exception)#
*Nov 16 04:15:02.562: %CP-5-FEATURE: Control-plane Policing feature enabled on
Control plane cef-exception path
And I failed to “match protocol cdp”, which indicates once again that Cisco
lacks a well-documented list of the protocols supported for every sub-interface of
control-plane protection.
Eugene
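An added example, not taken from Eugene's message or from Cisco documentation, that writes out the police actions his snippet elides and adds a verification step. The class-map, policy-map names and rate follow his config; the conform/exceed actions and the show command are my assumptions about a working IOS setup and should be checked against your release.

```cisco
! Added example: ARP policing on the CPPr cef-exception path with the
! police actions stated explicitly (the snippet above elides them).
class-map match-all ARP-CM
 match protocol arp
!
policy-map ARP-PM
 class ARP-CM
  ! 200000 bps with a 1000-byte burst, as in the snippet above.
  ! conform-action transmit / exceed-action drop rate-limits ARP rather
  ! than discarding it; a bare "drop" here would also discard the ARP
  ! replies the router itself needs to resolve its next hops.
  police 200000 1000 conform-action transmit exceed-action drop
!
control-plane cef-exception
 service-policy input ARP-PM
!
! Verify the policy is attached and watch the per-class conform/exceed
! counters (assumed show command; confirm it exists on your IOS release):
! do show policy-map control-plane cef-exception
```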
From: [email protected]
[mailto:[email protected]] On Behalf Of Pieter-Jan
Nefkens
Sent: Monday, November 15, 2010 7:19 AM
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] class maps for arp and cdp packets
Hi kings,
CDP uses a special multicast MAC address. You might be able to filter on a MAC
access-list?
About ARP, that might be a MAC Ethernet broadcast, but could you use FPM?
Pj
Sent from an iPhone
On 15 Nov 2010 at 16:12, Kingsley Charles <[email protected]>
wrote:
Hi all
I want to drop ARP and CDP packets coming to router using control plane
cef-exception interface.
As you may be aware, CPPr doesn't support class maps with protocol
recognition, i.e., using "match protocol".
I am not able to find options to define an ACL for CDP and ARP.
Any thoughts?
With regards
Kings
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com