Kings,

Where did you get the statement that only UDP/TCP is supported on the host control-plane? I am curious, as I am not sure about that. This is an interesting discussion.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Bruno
Sent: Wednesday, May 18, 2011 1:27 PM
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] BGP, OSPF to CPPr CEF-exception subinterface

My tests showed me that OSPF matched on cef-exception:

    *Mar  1 01:51:20.383: %CP-6-IP: PERMIT 136.1.2.3 -> 224.0.0.5 ospf

Simple config:

    policy-map type logging OSPF1
     class OSPF1
      log interval 500

Applied to both, and hits increase on cef-exception:

    HOST:
    Control plane host path counters :
    Feature                 Packets Processed/Dropped/Errors
    --------------------------------------------------------
    Control-plane Logging   0/0/0
    --------------------------------------------------------

    CEF:
    Control plane cef-exception path counters :
    Feature                 Packets Processed/Dropped/Errors
    --------------------------------------------------------
    Control-plane Logging   28/0/0
    --------------------------------------------------------

On Wed, May 18, 2011 at 2:14 PM, Bruno <[email protected]> wrote:

That trap. No idea Kings. Curious as well.
Did you lab this up? It may answer that for you.

On Wed, May 18, 2011 at 1:03 PM, Kingsley Charles <[email protected]> wrote:

If there is a task to drop OSPF packets, should we use the control-plane host or the cef-exception sub-interface?

With regards
Kings

On Wed, May 18, 2011 at 8:56 PM, Kingsley Charles <[email protected]> wrote:

Hi all,

One of the Control Plane Host subinterface's purposes is to control the incoming rate of routing protocol packets. EBGP directly connected peers and OSPF packets use a TTL of 1. Similarly, all packets to 224.0.0.1 (the all-systems multicast address) are sent with a TTL of 1. Hence it seems these packets will go to the CEF Exception sub-interface, not to the Host sub-interface. I observed OSPF falling into the CEF Exception sub-interface. Just wondering why Cisco has decided to push packets with TTL = 1 to the CEF-exception sub-interface.

Snippet from http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/ctrl_plane_prot_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Control-plane host subinterface. This interface receives all control-plane IP traffic that is directly destined for one of the router interfaces. Examples of control-plane host IP traffic include tunnel termination traffic, management traffic or routing protocols such as SSH, SNMP, BGP, OSPF, and EIGRP. All host traffic terminates on and is processed by the router. Most control plane protection features and policies operate strictly on the control-plane host subinterface. Since most critical router control plane services, such as routing protocols and management traffic, are received on the control-plane host subinterface, it is critical to protect this traffic through policing and protection policies. CoPP, port-filtering and per-protocol queue thresholding protection features can be applied on the control-plane host subinterface. The control-plane host subinterface only supports TCP/UDP-based host traffic.
All IP packets entering the control-plane matching any of the following conditions are not classified any further and are redirected to the cef-exception subinterface:

- IP packets with IP options.
- IP packets with TTL less than or equal to 1.

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
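Given Bruno's counters (OSPF hits only on the cef-exception path, since TTL = 1 packets are diverted before host classification), a CPPr rate limit for OSPF has to be attached to the cef-exception subinterface. The configuration below is an added example, not from the thread or from Cisco's documentation; the ACL, class-map and policy-map names and the 32000 bps rate are assumed values, and the rate should be sized from the adjacency traffic actually observed before it is enforced.

```cisco
! Added example (constructed): police OSPF on the CPPr cef-exception path.
! Names (CPPr-OSPF, CPPr-CEF-EXCEPTION) and the 32000 bps rate are assumptions.
ip access-list extended CPPr-OSPF
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
 permit ospf any any
!
class-map match-all CPPr-OSPF
 match access-group name CPPr-OSPF
!
policy-map CPPr-CEF-EXCEPTION
 class CPPr-OSPF
  ! Conforming hellos/LSAs are passed; a flood above the rate is dropped.
  police 32000 conform-action transmit exceed-action drop
 ! class-default is deliberately left unpoliced here so that other
 ! TTL<=1 or IP-options traffic on this path is not affected.
!
! Attach on cef-exception, not host: the same policy under
! "control-plane host" would never see OSPF (host counters stayed 0/0/0).
control-plane cef-exception
 service-policy input CPPr-CEF-EXCEPTION
!
! Verify that the class is actually matching packets:
!   show policy-map control-plane cef-exception input
```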
