Deploying Control Plane Policing

Here’s a simple example of control plane policing (CoPP). I’ll try to deny telnet access using this simple topology consisting of a router and a host. Here’s the topology:

[Figure: topology]

Before deploying CoPP, let us verify if the host can telnet into R1.

[Figure: telnet verification]

Sure we can. So let us try to deny telnet access using control plane policing.

1. First, define an access-list that matches telnet traffic destined to the router. The permit entry here only selects the traffic for CoPP; the drop itself is configured in the policy-map.

R1(config)#ip access-list extended TELNET
R1(config-ext-nacl)#permit tcp any any eq telnet
R1(config-ext-nacl)#exit
R1(config)#

2. Create a class-map that matches the required traffic

R1(config)#class-map match-all TELNET_CLASS
R1(config-cmap)#match access-group name TELNET
R1(config-cmap)#exit

3. Now create a policy-map that drops traffic matching TELNET_CLASS

R1(config)#policy-map TELNET_POLICY
R1(config-pmap)#class TELNET_CLASS
R1(config-pmap-c)#drop
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#

4. Finally, enter the control-plane configuration mode and apply the policy-map

R1(config)#control-plane
R1(config-cp)#service-policy input TELNET_POLICY
R1(config-cp)#exit

Verify that telnet access is now being denied, and check the same on the router.

[Figure: verification]

[Figure: verification 2]
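
An offline check for the same chain, as an added example that is not part of the original post: it parses a saved running-config and confirms that the control-plane service policy leads through the policy-map and class-map to an ACL entry matching telnet. The sample config is constructed from the four steps above, and the function names are hypothetical.

```python
import re

# Constructed sample: the four steps above as they appear in a saved running-config.
SAMPLE_CONFIG = """\
ip access-list extended TELNET
 permit tcp any any eq telnet
!
class-map match-all TELNET_CLASS
 match access-group name TELNET
!
policy-map TELNET_POLICY
 class TELNET_CLASS
  drop
!
control-plane
 service-policy input TELNET_POLICY
"""

def sections(config):
    """Map each top-level config line to its indented child lines."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out

def copp_drops_telnet(config):
    """True only if control-plane -> policy-map -> class-map -> ACL all line up."""
    sec = sections(config)
    for cp_line in sec.get("control-plane", []):
        pm = re.fullmatch(r"service-policy input (\S+)", cp_line)
        body = sec.get("policy-map " + pm.group(1), []) if pm else []
        # Classes whose first action line is "drop"
        dropped = {c.split()[1] for c, a in zip(body, body[1:])
                   if c.startswith("class ") and a == "drop"}
        for header, lines in sec.items():
            cm = re.fullmatch(r"class-map (?:match-\w+ )?(\S+)", header)
            if not cm or cm.group(1) not in dropped:
                continue
            for line in lines:  # simplification: each match line is checked on its own
                acl = re.fullmatch(r"match access-group name (\S+)", line)
                aces = sec.get("ip access-list extended " + acl.group(1), []) if acl else []
                if any(re.search(r"\bpermit tcp .* eq (telnet|23)\b", a) for a in aces):
                    return True
    return False
```

A False result on a config that is supposed to carry this policy usually means one link is missing, most often the service-policy line under control-plane.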
