Protecting the router against malicious traffic (spoofed SNMP or SSH traffic) with Control Plane Protection
! Access list matching the traffic to police: SNMP (UDP/161) and SSH (TCP/22).
! SSH runs over TCP; an entry of "permit udp any any eq 22" never matches
! anything and would leave SSH completely unpoliced.
R1(config)#ip access-list extended LIMIT-ACL
R1(config-ext-nacl)#permit udp any any eq snmp
R1(config-ext-nacl)#permit tcp any any eq 22
R1(config-ext-nacl)#exit
! Class map that references the access list
R1(config)#class-map LIMIT-CLASS
R1(config-cmap)#match access-group name LIMIT-ACL
R1(config-cmap)#exit
! Policy map: police SNMP/SSH to the router at 64 kbps. The default policer
! actions are conform-action transmit and exceed-action drop. Everything else
! that reaches the host subinterface (routing protocols such as BGP/OSPF/EIGRP,
! ICMP to the router, other management protocols) shares the 512 kbps
! class-default policer, so size that rate for your routing-protocol load
! before applying the policy.
R1(config)#policy-map LIMIT-POLICY
R1(config-pmap)#class LIMIT-CLASS
R1(config-pmap-c)#police rate 64000 bps
R1(config-pmap-c-police)#class class-default
R1(config-pmap-c)#police rate 512000 bps
R1(config-pmap-c-police)#exit
R1(config-pmap-c)#exit
R1(config-pmap)#exit
! Apply the policy to the Control Plane Protection host subinterface, i.e. only
! to packets addressed to the router itself, not to transit traffic
R1(config)#control-plane host
R1(config-cp-host)#service-policy input LIMIT-POLICY
Aug 4 14:31:39.950: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane host path
! Verify the configuration. A policer only caps the aggregate rate: during a
! spoofed flood, legitimate SSH and SNMP sessions compete for the same 64 kbps,
! so also restrict who may reach SSH and SNMP (vty access-class, SNMP community
! ACL) rather than relying on the rate limit alone.
R1#show access-lists LIMIT-ACL
Extended IP access list LIMIT-ACL
    10 permit udp any any eq snmp (7377 matches)
    20 permit tcp any any eq 22
R1#show class-map
 Class Map match-any class-default (id 0)
   Match any

 Class Map match-all LIMIT-CLASS (id 1)
   Match access-group name LIMIT-ACL

R1#show policy-map control-plane host
 Control Plane Host

  Service-policy input: LIMIT-POLICY

    Class-map: LIMIT-CLASS (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name LIMIT-ACL
      police:
          rate 64000 bps, burst 2000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      police:
          rate 512000 bps, burst 16000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
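As an added example (not part of the original page), here is a small Python script that automates the two checks the verification step is really after: that every entry in LIMIT-ACL uses the transport its service actually runs on (an entry of "udp ... eq 22" can never match SSH, so the policer would silently cover nothing), and which classes of the control-plane policy are dropping, parsed from "show policy-map control-plane host" output. The sample outputs below are constructed in the format shown on this page; their counters are invented to show a flood in progress, and the EXPECTED_PROTO table is an assumption you should extend for your own environment.

```python
import re

# Constructed sample in the format of "show access-lists" on this page (not a
# capture from the page's router). It keeps the "udp ... eq 22" entry on
# purpose so the linter has something to flag.
SAMPLE_ACL = """\
Extended IP access list LIMIT-ACL
    10 permit udp any any eq snmp (7377 matches)
    20 permit udp any any eq 22
"""

# Constructed sample of "show policy-map control-plane host" during a flood.
# The counters are invented; the layout follows the page's output.
SAMPLE_POLICY = """\
Control Plane Host
  Service-policy input: LIMIT-POLICY
    Class-map: LIMIT-CLASS (match-all)
      15342 packets, 1380780 bytes
      5 minute offered rate 96000 bps, drop rate 32000 bps
      Match: access-group name LIMIT-ACL
      police:
          rate 64000 bps, burst 2000 bytes
        conformed 10100 packets, 909000 bytes; actions:
          transmit
        exceeded 5242 packets, 471780 bytes; actions:
          drop
        conformed 64000 bps, exceed 32000 bps
    Class-map: class-default (match-any)
      812 packets, 60900 bytes
      5 minute offered rate 3000 bps, drop rate 0 bps
      Match: any
      police:
          rate 512000 bps, burst 16000 bytes
        conformed 812 packets, 60900 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 3000 bps, exceed 0 bps
"""

# Assumed table: the transport each well-known management service really uses.
# An ACE naming the service with the wrong transport never matches a packet.
EXPECTED_PROTO = {"22": "tcp", "ssh": "tcp", "23": "tcp", "telnet": "tcp",
                  "161": "udp", "snmp": "udp", "443": "tcp"}
ACE_RE = re.compile(r"^\s*(\d+)\s+(?:permit|deny)\s+(tcp|udp)\s+.*?\beq\s+(\S+)")


def lint_acl(show_output):
    """Return one warning per ACE whose transport contradicts its service."""
    warnings = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        seq, proto, port = m.groups()
        expected = EXPECTED_PROTO.get(port.lower())
        if expected and expected != proto:
            warnings.append(f"seq {seq}: {port} is {expected}, ACE matches {proto}; it can never match")
    return warnings


CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
RATE_RE = re.compile(r"^\s*rate\s+(\d+)\s+bps,\s+burst\s+(\d+)\s+bytes")
CONFORMED_RE = re.compile(r"^\s*conformed\s+(\d+)\s+packets")   # not the "conformed N bps" line
EXCEEDED_RE = re.compile(r"^\s*exceeded\s+(\d+)\s+packets")
DROP_RATE_RE = re.compile(r"drop rate\s+(\d+)\s+bps")


def parse_copp(show_output):
    """Parse per-class policer rate and counters out of 'show policy-map control-plane'."""
    stats, current = {}, None
    for line in show_output.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"rate_bps": None, "burst_bytes": None,
                              "conformed_pkts": 0, "exceeded_pkts": 0, "drop_rate_bps": 0}
            continue
        if current is None:
            continue
        s = stats[current]
        if m := RATE_RE.match(line):
            s["rate_bps"], s["burst_bytes"] = int(m.group(1)), int(m.group(2))
        elif m := CONFORMED_RE.match(line):
            s["conformed_pkts"] = int(m.group(1))
        elif m := EXCEEDED_RE.match(line):
            s["exceeded_pkts"] = int(m.group(1))
        elif m := DROP_RATE_RE.search(line):
            s["drop_rate_bps"] = int(m.group(1))
    return stats


def drop_ratio(class_stats):
    """Fraction of this class's packets the policer dropped."""
    total = class_stats["conformed_pkts"] + class_stats["exceeded_pkts"]
    return class_stats["exceeded_pkts"] / total if total else 0.0


def classes_with_drops(stats, min_ratio=0.0):
    """Classes whose policer is dropping above min_ratio: the flood signal to alert on."""
    return [name for name, s in stats.items()
            if s["exceeded_pkts"] > 0 and drop_ratio(s) > min_ratio]
```

Run `lint_acl` against the output of `show access-lists` before applying the policy, and poll `parse_copp` over `show policy-map control-plane host` at an interval: a rising `exceeded_pkts` in LIMIT-CLASS while class-default stays clean is the signature of the spoofed SNMP/SSH flood this policy exists for, whereas drops in class-default mean the 512 kbps policer is also eating routing-protocol or other legitimate control traffic and the rate needs revisiting.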