In this simple example we will test Cisco IOS Control Plane Policing. The configuration below denies Telnet to the router.
Here is the configuration:
access-list 101 permit tcp any any eq telnet
class-map match-all telnet
 match access-group 101
!
!
policy-map copp
 class telnet
  drop
!
control-plane
 service-policy input copp
Let's test Telnet from a router before we enable control plane policing:
R2#telnet 10.10.10.1
Trying 10.10.10.1 ... Open
User Access Verification
Password:
R1>exit
After we enable the control plane policing configuration:
R2#telnet 10.10.10.1
Trying 10.10.10.1 ...
% Connection timed out; remote host not responding
R1#show policy-map control-plane
 Control Plane
  Service-policy input: copp
   Class-map: telnet (match-all)
    4 packets, 240 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: access-group 101
    drop
   Class-map: class-default (match-any)
    8 packets, 2527 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: any
We see that the Telnet traffic matches the class-map named telnet and that this traffic is dropped.
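The check above can be automated. The following Python sketch is an added example, not part of the original post: it parses the show policy-map control-plane output shown above and confirms that a policy is attached, that the named class has the drop action, and how many packets it has counted. The function names are hypothetical and the sample text is the post's output embedded as a constructed string.

```python
import re

# Constructed sample: the "show policy-map control-plane" output from the post.
SAMPLE = """\
Control Plane
 Service-policy input: copp
  Class-map: telnet (match-all)
   4 packets, 240 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: access-group 101
   drop
  Class-map: class-default (match-any)
   8 packets, 2527 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: any
"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)\s+\(match-\w+\)")
COUNT_RE = re.compile(r"(\d+) packets, (\d+) bytes")

def parse_copp(text):
    """Return (attached input policy name or None, list of per-class dicts)."""
    policy, classes, cur = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Service-policy input:"):
            policy = line.split(":", 1)[1].strip()
        elif (m := CLASS_RE.match(line)):
            cur = {"name": m.group(1), "packets": 0, "bytes": 0, "match": [], "action": None}
            classes.append(cur)
        elif cur is None:
            continue  # header lines before the first class
        elif (m := COUNT_RE.match(line)):
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("Match:"):
            cur["match"].append(line.split(":", 1)[1].strip())
        elif line == "drop":
            cur["action"] = "drop"
    return policy, classes

def check_drop_class(text, class_name):
    """Summarise whether class_name is present, dropping, and counting packets."""
    policy, classes = parse_copp(text)
    if policy is None:
        return "no input service-policy attached to the control plane"
    cls = next((c for c in classes if c["name"] == class_name), None)
    if cls is None or cls["action"] != "drop":
        return f"class {class_name} is missing or not dropping"
    return f"{policy}/{class_name}: drop, {cls['packets']} packets, {cls['bytes']} bytes"
```

Calling check_drop_class(SAMPLE, "telnet") on the output above returns the policy and class name with the packet and byte counters, which should increase after each blocked Telnet attempt.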