Thanks, TacAck.
This will certainly help. On your last bullet point I saw that port-filter can only be applied to the control-plane host interface, which forms part of "Management plane protection". Can you give more examples of "management plane protection"?

Thanks,
Johan

From: Vybhav Ramachandran [mailto:[email protected]]
Sent: 22 November 2010 06:01 AM
To: Johan Bornman; OSL Security
Subject: Re: [OSL | CCIE_Security] Control-plane

Hello Johan,

You might have already gone through this, but http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/ctrl_plane_policng_external_docbase_0900e4b1805eee4d_4container_external_docbase_0900e4b180dd87e0.html is a good reference to read about the Control-plane.

About the control-plane subinterfaces -> http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/ctrl_plane_prot_ps6441_TSD_Products_Configuration_Guide_Chapter.html is a good reference document.

Regarding which interface to use when configuring, I would look for clues in the question itself. Here are the possible scenarios I see:

* For applying service-policies on the "transit" sub-interface, the question will usually indicate that.
* For applying service-policies on the "cef-exception" sub-interface, all you have to do is look at the traffic that needs to be blocked and see if it matches the traffic which is being processed by the cef-exception subif (ex: L2 traffic, ARP, etc.).
* The issue I usually face is when it comes to deciding between the global "CONTROL PLANE" or the sub-interface "control-plane HOST".
* For this, again, if the question specifically asks you to apply it in the control-plane subinterface, I would do that.
* Otherwise I would just go ahead and apply it on the global control-plane.
* Ex: If the question asked us to block all telnet traffic to the router from a particular IP/subnet and if the question did not include any specific details about applying it on the control-plane "host" subinterface, I would just put it in the global control-plane.
* But there are some features (ex: Management plane protection) which have to be applied only on the "host" subinterface. That should be easy to do because there's no other way to do it.

Hope this helps!

Cheers,
TacACK
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
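As an added illustration that is not part of the original thread, here is an IOS configuration for the telnet-blocking case TacACK describes, showing the policy on the global control-plane, the alternative host-subinterface placement, and Management Plane Protection, which only exists under "control-plane host". The subnet, interface and object names are made up for the example.

```cisco
! Constructed example: drop telnet to the router itself from a made-up
! source subnet (10.10.10.0/24). Object names and interfaces are invented.
!
! In a CoPP class, "permit" in the ACL means "this traffic matches the
! class"; the action in the policy-map decides what happens to it.
ip access-list extended ACL-TELNET-BLOCKED-SRC
 permit tcp 10.10.10.0 0.0.0.255 any eq telnet
!
class-map match-all CM-TELNET-BLOCKED
 match access-group name ACL-TELNET-BLOCKED-SRC
!
policy-map PM-COPP
 class CM-TELNET-BLOCKED
  drop
!
! Default placement when the task does not say otherwise:
! the aggregate (global) control-plane.
control-plane
 service-policy input PM-COPP
!
! Alternative placement, only if the task asks for the host subinterface.
! The host subinterface sees traffic addressed to the router's own
! addresses, which is exactly what telnet to the router is.
! (Shown commented out: use one placement or the other for this task.)
!control-plane host
! service-policy input PM-COPP
!
! Management Plane Protection is configured only under "control-plane host":
! management sessions are accepted only on the listed interface and only
! for the listed protocols, so telnet is refused on every interface.
control-plane host
 management-interface GigabitEthernet0/1 allow ssh https
!
! Verification (exec mode):
!   show policy-map control-plane
!   show management-interface
```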
