26 September, 2014

Filter ICMP Traffic With Control-Plane

CCNA Security 

Filter ICMP Traffic

! Show Version
R1#show version | in IOS
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)

! Create an access list that matches ICMP.
! Note: in CoPP a "permit" entry classifies traffic into the class (it does not allow it), and a "deny" entry
! excludes traffic from the class. "permit icmp any any" therefore matches EVERY ICMP packet addressed to the
! router, including types it needs (unreachables, TTL-exceeded), so in production you would normally match
! specific ICMP types and exempt trusted management hosts.
R1#configure terminal
R1(config)#access-list 100 permit icmp any any

! Create a class map which calls on the ACL
R1(config)#class-map ICMP
R1(config-cmap)#match access-group 100
R1(config-cmap)#exit

! Create a policy map which calls on the class map
R1(config)#policy-map ICMP-POLICY
R1(config-pmap)#class ICMP

! Tell the policy map that if ICMP traffic is seen, it should be rate limited down to 8 kbps (8000 bps), and anything over that should be dropped.
! The burst size (bc) is not given here, so IOS uses its default; the show output below confirms it as 1500 bytes.
R1(config-pmap-c)#police 8000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#exit
R1(config-pmap-c)#exit

! Apply the policy to the logical "control-plane" interface with a service-policy command.
! We need to enter control-plane configuration mode:

R1(config-pmap)#control-plane ?
% Unrecognized command
! Note: "control-plane" is not listed in the context help of policy-map mode, but IOS accepts global
! configuration commands from within a sub-mode (it leaves the sub-mode for you), so the command still works:

R1(config-pmap)#control-plane

! Apply the service policy, so that any ICMP traffic sent TO the router (regardless of the physical interface it arrives on) is policed (rate limited):
R1(config-cp)#service-policy input ICMP-POLICY
*Sep 27 01:51:30.047: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane aggregate path
R1(config-cp)#end
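As an added example (not part of the original lab notes), here is the same CoPP policy in the form a practitioner would actually deploy: a named extended ACL whose deny entry exempts a trusted management host from policing, permit entries that classify only the ICMP types the router needs to answer, and an explicit burst instead of the 1500-byte default. The ACL, class, policy names and the address 10.0.0.2 are assumptions; adjust them to your topology.

```cisco
! Added example, not from the original page. Names and the management address are assumed.
!
! Traffic matched by a "deny" entry is NOT placed in the class, so it falls through to
! class-default (which has no police action) and is never rate limited.
ip access-list extended COPP-ICMP
 deny   icmp host 10.0.0.2 any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
! match-all with a single match statement behaves the same as match-any here
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
! police <bps> <burst-bytes>: 8 kbps sustained, 1500-byte burst, excess dropped
policy-map COPP
 class COPP-ICMP
  police 8000 1500 conform-action transmit exceed-action drop
 class class-default
!
! Attach to the aggregate control-plane path, input direction
control-plane
 service-policy input COPP
```

After applying it, `show policy-map control-plane` shows the conformed/exceeded counters per class and `show access-lists COPP-ICMP` shows which ACL entries are being hit; pings from 10.0.0.2 should increment the deny entry and the class-default counters rather than the policer.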

! To verify it is in place:
R1#show policy-map control-plane
 Control Plane
  Service-policy input: ICMP-POLICY
    Class-map: ICMP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 100
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

! Now to test it: ping R1 (10.0.0.1) from R3 with 700-byte packets
R3#ping 10.0.0.1 size 700 repeat 10
Type escape sequence to abort.
Sending 10, 700-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!.!!.!!.!
Success rate is 70 percent (7/10), round-trip min/avg/max = 72/81/88 ms

! Verify again. The "." in the ping output are the packets the policer dropped (exceed-action drop);
! they show up here in the exceeded counter of the ICMP class.
R1#show policy-map control-plane
 Control Plane
  Service-policy input: ICMP-POLICY
    Class-map: ICMP (match-all)
      184 packets, 86976 bytes
      5 minute offered rate 6000 bps, drop rate 1000 bps
      Match: access-group 100
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 152 packets, 64128 bytes; actions:
          transmit
        exceeded 32 packets, 22848 bytes; actions:
          drop
        conformed 4000 bps, exceed 1000 bps
    Class-map: class-default (match-any)
      24 packets, 2924 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any