Protect CPU of device
1. Remember these terms:
- C3PL: Cisco Common Classification Policy Language
- MPF: Modular Policy Framework
- MQC: Modular Quality of Service (QoS) Command Line Interface (CLI)
These frameworks and control plane policing use the same logic to accomplish tasks.
2. The common logic to accomplish a task (e.g. rate limit incoming ICMP traffic to the router) is as follows:
- Class Map: identify traffic
- e.g. look for ICMP inbound packets
- Policy Map: What to do
- e.g. rate limit it to 8000 bps
- Service Policy: Where to do it
- e.g. apply when traffic is inbound
3. There is a separate logical interface for the control plane, called the control plane interface.
- Inbound traffic of the router means
- a packet coming in from any interface of the router (the control plane uses a logical interface, so which physical interface the packet came in on is irrelevant)
- a packet having a destination IP address of the router
Check that the connection is fine
Computer
- ipconfig
- check IP address, gateway and DNS (8.8.8.8)
- ping Gateway
- Go to internet (google.com) or traceroute google.com
Firewall
- Ping <ip_address_of_connected_router_interface>
Router
- show ip interface brief
- check that the interfaces are up and have the correct IP address
Configure
- R1(config)#access-list 100 permit icmp any any
- R1(config)#class-map ICMP
- R1(config-cmap)#match access-group 100
- R1(config)#policy-map ICMP_POLICY
- R1(config-pmap)#class ICMP
- R1(config-pmap-c)#police 8000 conform-action transmit exceed-action drop
- R1(config)#control-plane
- R1(config-cp)#service-policy input ICMP_POLICY
Verify that policy is applied
Router
- show policy-map control-plane
Firewall
- Ping <ip_address_of_connected_router_interface>
PC
- ping -t -l 700 10.2.0.1
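The policing decision behind `police 8000 conform-action transmit exceed-action drop`, modelled as a single-rate token bucket and fed the ping from the verification step. This is an added example, not code from the original notes or from Cisco. The 1500-byte burst size, the 728-byte packet size (700-byte payload plus ICMP and IPv4 headers) and the ping intervals are assumptions.

```python
# Added example: single-rate token-bucket model of
#   police 8000 conform-action transmit exceed-action drop
CIR_BPS = 8000             # rate from the page's police statement
BURST_BYTES = 1500         # assumption: burst size is not stated on the page
PING_BYTES = 700 + 8 + 20  # assumption: ping -l 700 payload + ICMP + IPv4 headers


def ping_stream(count, interval_ms, size=PING_BYTES):
    """Constructed sample input: `count` echo requests, one every interval_ms."""
    return [(i * interval_ms, size) for i in range(count)]


def police(arrivals, cir_bps=CIR_BPS, burst_bytes=BURST_BYTES):
    """Return 'transmit' or 'drop' for each (time_ms, size_bytes) arrival."""
    tokens = float(burst_bytes)          # bucket starts full
    last_ms = arrivals[0][0] if arrivals else 0
    actions = []
    for time_ms, size in arrivals:
        # Refill at CIR (bits/s -> bytes/ms), capped at the burst size.
        tokens = min(burst_bytes, tokens + (time_ms - last_ms) * cir_bps / 8000)
        last_ms = time_ms
        if size <= tokens:               # conform-action transmit
            tokens -= size
            actions.append("transmit")
        else:                            # exceed-action drop, no tokens consumed
            actions.append("drop")
    return actions


def summarize(actions):
    """Count how many packets were transmitted and how many were dropped."""
    return {"transmit": actions.count("transmit"), "drop": actions.count("drop")}


if __name__ == "__main__":
    for label, interval_ms in (("1 ping/s", 1000), ("5 pings/s", 200)):
        print(label, summarize(police(ping_stream(10, interval_ms))))
```

In this model one 728-byte ping per second offers 5824 bps, which stays under the 8000 bps rate, so every packet conforms. Drops appear only once the combined ICMP arriving at the control plane exceeds the rate, as in the 5 pings per second case.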