Use FPM
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, November 15, 2010 10:26 AM
To: Pieter-Jan Nefkens
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] Controlling fragmented packets to control plane

Tried that too PJ, but that also doesn't work. There should be protocols that use process switching with CEF configured; otherwise why would Cisco have a transit interface for CPPr?

With regards
Kings

On Mon, Nov 15, 2010 at 8:42 PM, Pieter-Jan Nefkens <[email protected]> wrote:

Hi kings,

What if you enable cef globally but disable it on an ingress interface?

Pj

Sent from an iPhone

On 15 Nov 2010, at 15:33, Kingsley Charles <[email protected]> wrote:

Hi PJ

CPPr requires CEF. If you disable CEF, all three CPPr sub-interfaces are disabled and you will see the following message on the console:

router2(config)#no ip cef
router2(config)#
Nov 13 12:17:09.667: %CP-4-CPPR_DISABLED: Removing security features on host, transit and cef-exception paths
router2(config)#
router2(config)#
Nov 13 12:17:09.667: %CP-5-FEATURE: Control-plane Policing feature disabled from Control plane host path
Nov 13 12:17:09.667: %CP-5-FEATURE: Control-plane Policing feature disabled from Control plane transit path
Nov 13 12:17:09.667: %CP-5-FEATURE: Control-plane Policing feature disabled from Control plane cef-exception path

In contrast, CoPP can work without CEF. I am looking for a feature or traffic that uses process switching with CEF enabled on the router.

With regards
Kings

On Mon, Nov 15, 2010 at 2:05 PM, Pieter-Jan Nefkens <[email protected]> wrote:

Hi kings,

You can disable CEF completely by using global config (issue 3):

no ip cef

You can also use it on interfaces to disable the hardware entries:

no ip route-cache flow

Hth
Pj

Sent from my iPad

On 15 Nov 2010, at 08:59, Kingsley Charles <[email protected]> wrote:

Hi all

I am trying to block fragmented packets to the control plane (both CoPP & CPPr). Adding one more issue.

Issue 1

I wanted to simulate a fragmented session. Let me admit that using ICMP to test the CPPr host sub-interface doesn't seem to be the right way. You need to test with TCP or UDP applications as CPPr only handles TCP and UDP traffic. And the other thing I observed is that fragmented ICMP packets don't come into CoPP and are just allowed.

So I tried copying a file of size 2250 KB using ftp, tftp and also viewed a running config greater than 2000 bytes of another router from my router that was configured for control plane. But none of them seem to be generating fragmented packets. I tried configuring the following ACL on the receiving interface to see fragmented packets, but I didn't see the counters increasing for the first ACE with the fragments keyword:

access-list 123 permit ip any any fragments
access-list 123 permit ip any any

Is there something wrong in the way of my simulation for generating fragmented packets for ftp, tftp and telnet?

Issue 2

To get the simulation to work, I launched the home page of the router using a browser and in that I used the extended ping utility. I self-pinged with a size of 2000 bytes and I was able to see the results. The pings are sent through HTTP, and HTTP, which is a TCP application, is being fragmented. Hence, I get simulated fragmented TCP packets to the control plane.

class-map match-all frag
 match access-group 123
policy-map frag
 class frag
  drop
access-list 123 permit ip any any fragments

If I apply the policy to CoPP, it works. The fragmented packets are getting dropped.

control-plane
 service-policy input frag

If I apply the policy to the CPPr host sub-interface, the fragmented packets are not getting dropped; rather, all the fragmented packets are classified in the default class, which means the control plane host doesn't match fragmented packets.

control-plane host
 service-policy input frag

router2#sh policy-map control-plane host

 Control Plane Host

  Service-policy input: frag

    Class-map: frag (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 123
      drop

    Class-map: class-default (match-any)
      127 packets, 13237 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Why doesn't the control-plane host sub-interface handle fragmented packets?

Issue 3

I am trying to block fragmented packets using the transit plane. The transit sub-interface only deals with process-switched traffic. Hence I put a router behind the router configured for the control transit plane and cleared the ARP cache. Now I tried to ping that router which is behind, and since there is no ARP cache, and thereby no CEF table populated, the router configured for the control plane process switches the ping, and hence I get a simulated process-switched ping. But I am not able to continue this process-switched ping with fragmented packets as there is no ARP.

Once I configure ARP manually, the CEF table is built and fragmented packets are CEF switched, thereby permitted.

Can someone tell me a way to test fragmented process-switched traffic across the transit sub-interface?

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
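For Issue 1 (the counters on the ACE with the fragments keyword not moving), an added Python example that is not part of this thread: it decodes the IPv4 flags/fragment-offset field and classifies each packet the way the IOS fragments keyword does. That keyword matches non-initial fragments only (fragment offset greater than zero); the initial fragment (offset 0, MF set) still carries the Layer 4 header and is evaluated against the ordinary ACEs, so a test that only produces a first fragment, or none at all, leaves that ACE at zero. The packets, addresses (192.0.2.0/24) and function names here are the example's own constructions; the header checksum is left at zero.

```python
import struct
from dataclasses import dataclass

# IPv4 flags / fragment-offset field layout (RFC 791)
IP_MF = 0x1               # "more fragments" flag (lowest bit of the 3-bit flags)
IP_OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units


@dataclass
class IPv4Summary:
    protocol: int
    more_fragments: bool
    fragment_offset: int  # in 8-byte units

    @property
    def is_fragment(self) -> bool:
        return self.more_fragments or self.fragment_offset > 0

    @property
    def is_initial_fragment(self) -> bool:
        return self.more_fragments and self.fragment_offset == 0

    @property
    def matches_fragments_keyword(self) -> bool:
        # IOS 'fragments' keyword: non-initial fragments only (offset != 0).
        return self.fragment_offset > 0


def parse_ipv4(pkt: bytes) -> IPv4Summary:
    """Decode the fields relevant to fragment handling from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return IPv4Summary(protocol=proto,
                       more_fragments=bool((flags_off >> 13) & IP_MF),
                       fragment_offset=flags_off & IP_OFFSET_MASK)


def build_ipv4(proto: int, more_fragments: bool, offset_units: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet for the example (checksum left at zero)."""
    flags_off = ((IP_MF if more_fragments else 0) << 13) | (offset_units & IP_OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_off,
                         64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload


def classify(pkt: bytes) -> str:
    s = parse_ipv4(pkt)
    if not s.is_fragment:
        return "unfragmented"
    return "initial-fragment" if s.is_initial_fragment else "non-initial-fragment"


def count_fragments_ace_hits(packets) -> int:
    """How many of these packets 'permit ip any any fragments' would count."""
    return sum(1 for p in packets if parse_ipv4(p).matches_fragments_keyword)


# Constructed sample: a 2000-byte TCP datagram (20-byte header + 1980 bytes)
# split at a 1500-byte MTU into 1480 + 500 bytes of payload, plus one
# unfragmented TCP packet.
SAMPLE_PACKETS = [
    build_ipv4(6, more_fragments=True,  offset_units=0,         payload=b"\x00" * 1480),
    build_ipv4(6, more_fragments=False, offset_units=1480 // 8, payload=b"\x00" * 500),
    build_ipv4(6, more_fragments=False, offset_units=0,         payload=b"\x00" * 40),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(classify(p))
    print("fragments ACE hits:", count_fragments_ace_hits(SAMPLE_PACKETS))
```

Of the three constructed packets only the second one, the non-initial fragment, is counted by the fragments ACE; the initial fragment falls through to the second ACE like any other packet, which is worth keeping in mind when reading the ACL counters during a test.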
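For Issue 2, where the only evidence of what the CPPr host path did is the per-class counters, an added Python helper that is not from this thread: it parses the show policy-map control-plane output quoted above into per-class packet and byte counters and reports which classes grew between two snapshots. The BEFORE text is the output from the thread; the AFTER snapshot is constructed here to illustrate a test run in which only class-default increments.

```python
import re

CLASS_RE = re.compile(r"Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")


def parse_control_plane_counters(show_output: str) -> dict:
    """Map each class-map name to its match type and packet/byte counters."""
    counters, current = {}, None
    for line in show_output.splitlines():
        m = CLASS_RE.search(line)
        if m:
            current = m.group(1)
            counters[current] = {"match": m.group(2), "packets": 0, "bytes": 0}
            continue
        m = COUNT_RE.match(line)
        if m and current is not None:
            counters[current]["packets"] = int(m.group(1))
            counters[current]["bytes"] = int(m.group(2))
    return counters


def classes_that_incremented(before: dict, after: dict) -> dict:
    """Packet delta per class between two snapshots, for classes that grew."""
    return {name: after[name]["packets"] - before[name]["packets"]
            for name in after
            if name in before and after[name]["packets"] > before[name]["packets"]}


def test_traffic_reached_class(before: dict, after: dict, class_name: str = "frag") -> bool:
    """True if the named class saw any packets between the two snapshots."""
    return classes_that_incremented(before, after).get(class_name, 0) > 0


# Snapshot taken from the thread's output (host sub-interface, policy 'frag').
BEFORE = """\
router2#sh policy-map control-plane host

 Control Plane Host

  Service-policy input: frag

    Class-map: frag (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 123
      drop

    Class-map: class-default (match-any)
      127 packets, 13237 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

# Constructed second snapshot: four more packets, all landing in class-default.
AFTER = BEFORE.replace("127 packets, 13237 bytes", "131 packets, 13669 bytes")

if __name__ == "__main__":
    b, a = parse_control_plane_counters(BEFORE), parse_control_plane_counters(AFTER)
    print(classes_that_incremented(b, a))
    print("fragments matched by class 'frag':", test_traffic_reached_class(b, a))
```

The workflow this supports is: snapshot the counters, run the fragmented transfer, snapshot again, and diff. If only class-default grows, as in the thread's host sub-interface output, the classifier never matched on that path, and the question becomes whether the traffic took a different path (CoPP aggregate, transit, cef-exception) rather than whether the ACL is wrong.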
