1. Control Plane Security – Possible Threats
Now, in this section, we’ll probably discuss the control plane and the various types of attacks on the control plane, as well as some mitigations such as implementing features such as routing protocol security and control plane policing protections to prevent control plane attacks. So, in terms of the control plane, we already covered some ground in the first few classes. It is a traffic, and it deals with destined traffic; in fact, it is a source from a networking device. Maybe the cost The cost of this route is $200 to connect to four networks, and the router will install the best route with the lowest cost in terms of EHRP or ISPO for any protocol.
Now, by default, the traffic from the router goes through the first path; if that fails, it automatically uses the second path. Now, an attacker, perhaps an attacker adding some router in the lamb, or perhaps you’re connecting to some service folder and advising some interfaces, can actually spoof for your network by adding some router or perhaps a blueback interface with the address. And he can use the same protocol as EHRP and advertise the cost of the foyer network as $10. The router will show that there are three possible routes to this photo network, one of which is 102 hundred and the other is ten. It will automatically choose this as the best route, and all traffic destined for the Foyer network will be routed to the attacker rather than the actual destinations. So there’s actually a way the attacker wants to deny the users from accessing the resources on a specific network. So there’s something possible. So probably to prevent this, we can configure our routers with some kind of authentication where I can tell the router that the routers will only form a neighborship or exchange routes if the password matches.
So we’ll configure some passwords on both routers, and if the password matches, then only the neighbourhood should establish a connection. So probably one kind of attack like routing protocol spoofing or false routing updates Another possibility is that the attacker sends a large number of packages to the CPU in order to disable all three functions: control plane, management plane, and data plane. Because if any attack happens on the control plane, it automatically impacts the management plane as well as the data planes because excessive traffic to any of these, especially the control plane, can actually increase the CPU and also impact the other planes. So here’s another example: Maybe you can give an example. I got a router, and we only allow SSH traffic on this router, and then we go to the VTVL line and configure something like transport input SSH or maybe you configure some ACLs that will drop the tele traffic because I don’t want telnet in my production networks. But there is a possibility that an attacker can send some continuous telegram packets that actually hit the CPU, and then the CPU is going to try to process them and then realise that the VTVL line or the ACL is not actually allowing the telegraphic traffic; it’s going to drop, but the attacker can send some continuous thousands of requests to the router.
And your router is actually dropping the packets and not forwarding them, which is like increasing the CPU utilization and affecting the CPU resources. And most of the CPU—maybe the CPU goes above 80%, 90%, probably—can impact the routing protocol traffic. Let’s say maybe the routing protocols are trying to study the neighbouring ship that’s sending some hollows, so it doesn’t have enough CPU processing power to process this routing protocol traffic because it’s been used mostly by this attacker traffic. So it can impact your control plan and automatically impact your data plane and other planes as well. Or another example is that the attacker is actually sending some continuous item request, and maybe this user is actually not allowed, but still it is going to process with some unreachable messages saying that sorry, I cannot send these messages because I don’t know where it is. Or maybe there is an ACL blocking that traffic. So this is some of the unnecessary internet traffic, such as the router sending some ICMP reply messages. As I just gave an example, attackers are trying to send some telegraphic because my router has just configured HTTP, HTTPS, sorry, HTTPS, and et cetera. Perhaps the attacker is initiating HTTP or telegraphic traffic that is not permitted by default but is still hitting the CPU.
Other possibilities include attackers spoofing with a valid source address. This is similar to saying you have a router, and in my area, I use the 182 1681 dot network, and perhaps there is an attacker somewhere trying to spoof with the actual source address with this network. So it’ll send continuous traffic to my router, hitting the CPU packet from the source on my one dot network and possibly sending some destinations or whatever his destination is like sending to the router, and the router will try to process and forward the traffic to my one dot network. So this router actually thinks the packets are initiated from this network, so it’s trying to send them out back to this one, which increases the CPU as well as unnecessary packet utilization on the network. So this can be prevented. Again, we can configure some kind of inbound filtering, some control plane policing and features, or control plane protection features. Based on those features, we can actually tell the router not to accept any packets from the CPU. So these are some of the positive threats we can generally see on the control plane. And to overcome this, we have different solutions like routing and protocol authentication. We’ll see that in the next few videos.
2. Routing Protocol Authentication
Routing protocol authentication The rotting protocol authentication is done to prevent some rotting false routing updates by an attacker, like in the previous video. I discussed that. Assume we got the outer one. Use four of the 40-dot network to get to this router. There are two possible routes, and the cost is 100 here, maybe 200 here, and by default, it selects the best route based on the shortest distance or the least cost. But there is a possibility that an attacker adds a network with a four-door configuration and may try to advertise some information with the cost of them, which is better than the first two and maybe the auto one. All the traffic destined to folder network may send it on this side where the attacker intention is to introduce some Dos attacks during the service, where the router one will not be able to forward the traffic to the actual destinations.
So probably to prevent this, we can configure our routers to authenticate, which means the router one and the router two can establish a neighbour shift between them. Only some passwords and keys will be configured on both sides, and if the password matches on both sides, only they will form the neighbors. Then only they will exchange the routes. In general, the routing protocols are where the router is actually authenticating the update (the source update), like when the router sends an update or EHRP hello messages. The router is going to confirm whether the password matches or not. And based on that, it will reply to the hellos. If the passwords do not match, it will not reply to the hellos; the neighbor ship will not form; they won’t exchange the routes; and they won’t build the routing tables. As a result, this is to prevent any unauthorized or spoof router manager. So almost all the routing protocols in two-dash networks support authentication, like EHRP R IP version two and BGP OSP of ISS RP version one, do not support.
So it’s a method to prevent any spoofed routers or any spoofed updates. But again, the routing protocol authentication will not prevent any malicious traffic or malicious updates from coming from the neighbor. So it’s not going to detect any kind of malicious traffic in general. And authentication can be configured either in clear text or in an MD file. Now the basic difference between these two is that, like in simple password authentication, the router is going to send out the password. Let’s say the password I’m using is “Cisco One, Two, Three” on both devices. Of course, the password has to match on both sites, and this password is being sent in clear text. Now that we have the simple password, the passport sends a packet with the key, and the process is not secure because it’s like a clear-text exchange of the passwords. If the attacker captures your traffic, routes broad traffic, and can see the password, he can easily spoof and configure his routers with this password and exchange the routes. As a result, most networks do not prefer to use simple password authentication. We use something called the MDFI hashing method, where the keys are actually the keys; whatever we are going to use, they are not exchanged in clear text. Instead, they will be exchanged for hash values. So typically, we call them message digests or hash values, where the key ID and the password are exchanged.
So this message that’s sent instead of the keys is like a secret code created by using some algorithms. And this process is actually a more secure method of doing the authentication. As a result, almost all protocols, such as OSPO proportionate to EHRP, support MDP and authentications. Now, configuration-wise, it’s a simple configuration in terms of any protocol, like if you’re using the rip protocol, let’s say. As a result, the rip protocol is used for authentication. We need to configure something like a keychain. Now, keychain is like we need to create a keychain and give it a name, like CCMP here. And then I can say the key number and the key string. I can configure some key numbers and the key string inside the keychain. Again, you can see the key ID; I’m using one, and the password is Cisco, one to three, let’s say, and the name of the keychain is CCMD. Now, on both routers, we need to make sure that we have the same configuration. Now the keychain no need to match, but the key number and the key string must match on both the sites. Now, within this keychain, we can configure multiple keys, such as creating another key, say, key two, with a different string, or a passport, say, NY one to three. And I can probably use this key number two to connect to another router, and I can use a key two and the password of NVA 1, 2, 3, configured between routers one and three.
So I can use key two between the router one and the router three, and I can use key one between the router one and the router two. So we can have different keys on different routers configured. So the keychain can be anything, but make sure that the key number and key string, which must match on both routers, match on any one key number and key string, and then authenticate with whichever interface is facing your router. Probably we need to enable authentication by using, let’s say, a one-by-zero interface IPR authentication mode. Now, RFP supports both MD-PHI and clear text. As a result, it is preferable to use MD 5. As a result, we use the MD-phi option. If you want to use clear text, we can say just text, and then we need to apply this keychain under the interface. I’m saying IPR authentication keychain, and the name of the keychain is, let’s say, CCNP. Once you apply this, most likely both routers must have the same key number and the key string must match; if they don’t, probably if you want to do some kind of troubleshooting, like in the workbook, I’ve documented some debug outputs where I misconfigured the passports just to verify the back end outputs.
Of course, you can use clear IP route and showkeychain to see the keychain key number in the keystone. So likewise, the same configuration goes for EHRP. In EHRP, too, we use only MD files. In EHRP, the key number and key string must be configured, such as the keychain name can be the CCNP key number and the key string, let’s go one to three. And, as with the Rip, we can configure multiple keys within this keychain. So make sure that your key number and key string match on both sites. And then we need to apply this under the interface. In the EHR rumba file, the command is most likely I Authentication mode. So this command enables authentication, which means once you add this command, it becomes mandatory for you to configure authentication, and the keychain has to match—sorry, not the keychain key string—and the password has to match. And then we need to apply this keychain under the interface.
So there’s no much difference between the configuration offer authentication and Rip authentication because in both the scenarios we’ll be using a keychain and the password and those parameters has to match. You can probably verify these configurations in the workbook. If you want to see the messages in the back end, you can use some debug messages, such as debug IP packets. So in the workbook, I have documented some outputs to verify the same. You can manually configure the keys to just verify the process in general. So that’s something you can do, but make sure that the key number and the key string have to match on both routers for successful authentication and to form the neighborhood, and mostly the neighbourhood will not form if the authentication mismatches. So it’s a kind of troubleshooting. Let’s say that in the production networks, if you enable authentication, make sure that the authentication is successfully configured and that it is correct on both ends. So the key number has to match. So the next step is an authentication OSP.
Again, OSPF also supports clear text and MD files. When you enable some debug messages, you will see authentication types as type zero, type one, or type two. So if you see “type zero,” it means we are not enabling authentication without any authentication. It’s a normal, simple OSP of configurations. So type one is clear text, and if you’re reusing type two, it’s just your MDF or Shawalgorithms, such as Shaw, which is used in the Shaw method and is now supported in some new iOS versions. Now, in terms of configuration, we must configure directly under the interface. So, if you’re using a simple password authentication, we’ll need to access the interface, whichever interface you want to enable authentication for. So we just say IPO strip authentication, and then when you configure the key, make sure that the key matches on both sides, so the same configuration goes on router one and router two. So it’s essentially the same as copying and pasting the configuration onto both routers. Again, practically, a simple password authentication is not a preferable method because the password is exchanged in clear text and is not a secure process. So it’s always preferable to go with MD5 file authentication.
Now in MDFO also, we need to get into the interface on both interfaces. We need to enable the authentication by saying “IPOSP authentication” and “Missile digest,” and then to apply the key, we need to tell the key number, the message digest key, and the password, which has to match on both sites. We can now use some tools to debug IP OSPF packets for verification. OSPF packets and, I believe, debug messages to observe the back end process You can verify, and you can use some clearIP OSPF process commands to clear the neighborship and see the process once again, and try to misconfigure the passports on both sides to just see the neighborship where it actually stops. That will be useful in troubleshooting because you may end up doing some misconfigurations and the neighborship does not appear. Probably, if you verify these outputs, that will help you with troubleshooting.
3. Control Plane Policing – CoPP
The next thing we’ll see is the NTP configuration. Now, basically, NTP configuration is very simple. In this case, I’m using three routers: router 1, router 2, and router 3, and I want to make sure that router 2 should be my NTP server. So whichever device you select as a server, we need to select the NTP master command, where I’m going to tell that this device is the server, and these two represent the startup value. If I don’t define the iOS, PID produces the startup value of seven, so we can use any number other than zero and one. Let’s say I’m giving the startup value of two here. Now I’m going to configure the other devices, routers one and two, as NTP clients. Now these two devices are NDP clients. Now the clients need to refer to the server like here, where I’m using the loopback address out of 12001. The loopback of the router, which is a looping zero, should be the server, and we need to make sure that we have IP reachability to this loopback because it uses unicast on UDP port number 173.
So, two things you must ensure are that the NTP server’s loopback address is reachable via unicast. And the next thing is, if we have an ACL configured in the transit network, make sure that it is allowing UDP 123 traffic or NTP traffic. So in my case, I don’t have any ACLs, and for a reachable device, I’m going to configure the OSPO and advertise all the interfaces to provide the reachable device with just one simple command: NTP server 120. So again, let’s go and configure the basic step here. I have three routers, all of which are running OSPF; I didn’t configure OSPF, so I’ll just set it up here. So I’ll say “zero, zero, zero” for everything, and I do have the initial configurations, like IP addressing, already done, so “zero, zero” means it has all the things not recommended in the production network, but here just for testing purposes, we’ll provide discoveries to OSPF. When you’re finished with OSPF, the neighbours should show IP, the OSPF neighbours should be up, and I should be able to see the routes. The next step is to set up the router as my NTP server.
So we need to select the NTP master, and we can start with any of the startup values before it takes seven. So I’m going to use two startup values here on the router two, and the router one will be configured as NDP’s clients. And I need to refer to the server to ensure that you have reachability to the server so that the clients can reach the server for the same commands. I also need to add the router three. So, on the router three, I’ll simply copy and paste. Of course, I’ll also check the reachability to confirm that. Now for verification, we need to use some commands like “show NDP status” and “show NTP associations.” Now, the first thing I’ll do is show the clock to see what time it is. Now it’s based on the current time, and I should expect the same clock on the other side by default because, based on the IBAC, the clock may differ slightly.
So, assuming it’s October 20, I’m going to change the time on the server to October 20. and here it is October 15 and October 15 here. So the client should probably contact the server and update the time to October 20 here. That’s what I’m expecting. So, going on the server, I’ll change the time to, say, 10:00 a.m., and the month to, say, October 20, 2017. So if you say, “Show clock,” you’ll see the time changes here. And I should also notice that the times should match. It takes some time. Because now one thing we need toknow in the meantime, we’ll see. For example, the time on the client is updated incrementally, which means it is not completed once it goes on incremental. and the time it is going to take to synchronise between the client and the server based on the time difference. Like here, the time difference is just five days. Probably not much time—I’m thinking here while testing it out. But probably, if you have a month or years’ difference between the current time on the client and the time on the server, that will take more time to synchronize. So you just need to wait some time for synchronization. And always, the client will have a startup value of three because on the server, we are given a start value of two. So the client will always have plus-one startup values.
So I’m expecting the time to synchronize, so it may take some more time. In the meantime, let’s see some other commands, like “show NDP associations.” When I say show NDP associations, it says the reference clock is 120, so it’s not completely synchronised here. So I’m expecting the synchronization. So you can see I just paused for a few minutes, and probably you can see the time is being synchronised here. If there’s a show clock, you can see the time change here as October 20 on the client, and I should see the same thing on the router 3 as well. As a result, if there is a show clock, you can see that the time is synchronized. I can also use some other commands, like show NTP associations, which shows you the reference, the server, and the IP address.
This is actually the local loopback address stratavalue of the server, which is two here. So basically, these are the options here. Now, additionally, we can also configure something like authentication. Authentication is optional here, but it is recommended. So, most likely, we can have the company improve security by authenticating the NTP service, which means that if routertwo claims to be an NTP server, the client will authenticate the NTP server and verify the configured password. If the password matches, only the client will update the time because the network is easily spoofable; an attacker can pose as an entrepreneur server and provide you with incorrect time information. And based on that, maybe most of the applications will not work, or maybe some regional signatures or some ACLs will not work if you don’t have the correct time on the networking devices. So it’s always recommended to enable NTP authentication.
So to enable NTP authentication, we need to add this configuration. Additionally, like on the client side, we just did this configuration without authentication. But if you want to enable authentication, you need to add some commands like NTP authenticate, and then we need to configure some keys and some passwords, and then we have to tell that key it should be trusted. And then, while you are defining, we need to specify that key along with the server. And this is something we have to do on the client end (R1) and on the server (R3), where we need to enable authentication. The same three commands, the first three commands, whatever we have enabled for the same three commands, we need to add. Of course, there is one more command already configured on the server, and that is NTP mastercard mapping. If you want to enable authentication, you must make the following changes on the server and in the clients. As a result, it is always recommended to prevent any unauthorised time servers. Again, most of the time we don’t use any external clocks because external clocks can be hacked and the time can be changed.
4. Class-Map – Policy Map – Hierarchy
Now, configuration-wise, for the control plane policing, we will be doing the configuration by using some kind of class map, or policy map, in general. So, if you’re familiar with quality of service options, it’s a type of configuration used in quality of service, or as we call it in ASA Firewalls, a “model policy framework” type of thing. Although we use this configuration in zone-based firewall features, we’ll talk about it now.
So we don’t cover this; we’ll be seeing this option, these options, and also control plane policing in general. Also, we’ll see similar kinds of configurations. So, most likely, in this video, I’ll show you how this configuration works, i.e., what kind of hierarchy we use to configure these features in general, because we’ll see a similar kind of hierarchy in some other implementations as well. So we don’t cover quality of service, but it’s a kind of quality of service feature in VYP networks. However, the other three features we use here may be used in other implementations as well. Now, here are the configuration-wise details. We will use some sort of policy map and apply that policy map service policy by employing some sort of service policy. What we’ll do here is use something similar to classmaps. Classmaps are used to match the traffic.
Let’s say you want to implement some kind of control print policing or EHRP traffic policing. So we need to match this EHRP traffic. So maybe you want to match from any source to a destination, or we may want to match from a selected source to selected destinations. As an example, suppose the source came from the Tender Network. So we need to match the traffic, and we do that by using classmaps and the class maps. We need to write a class map, something like “classmapsum name,” and then we say “match protocol EHRP.” When you define the match protocol EHRP, it will only match traffic that matches the EHRP.
By using the match any option, we can also say match protocol OSPF. We can also match the BGP protocol if it matches any other protocol we can write down. So the class maps allow you to match specific traffic. It can be any traffic, like if you’re using some kind of quality of service option or any other options you want to match FTP traffic with, or HTTP traffic with, or maybe DFTP traffic with, or anything else it can be. So if you want to match a specific source and destination, then we can write an ACL, and we can refer to that ACL inside the class map. So class maps tell you what traffic you want to match, and the next thing we do is use policy maps. Now the policy maps tell us what to do with that particular traffic and what action we want to take. So we have various actions to take, such as saying “hello,” “passing,” or simply dropping that particular traffic. You want to do some kind of policing; you want to do some kind of rate-limiting in the quality of service. We have more options. In zone-based firewalls, we use some other options, like Inspect. Inspected is like saying hello. Traffic, particularly written traffic, should be permitted. The number of packets sent per second is referred to as policing. You want to allow something like that. “Pass” means simply “hello.” Dropping means not allowing the particular traffic. So like that, we have different sets of actions we can take.
So the route map is going to tell you what to do with that particular traffic. And then, finally, we need to apply this policy map under the interface. So if you’re using some kind of quality of service, we do it on the interface. Perhaps we should use what traffic from which interface to which interface in the zone-based firewall. In the case of control plane policing, we probably need to tell the rate limit how many packets you want to allow on the control plane. So this hierarchy is actually like: we create different maps that match different traffic, and then we refer to these maps inside the policy map and tell you what action you want to take. You want to do some marking, and these options vary in terms of service quality. We use rate limiting, just like in control plan policing, to determine how many packets you want to allow. In other scenarios, like zone-based firefighting, we use other options like inspect. Now, these options will vary depending on the type of configuration you choose or your specific requirements. And then finally, we’ll apply it to the interface. We can use it on the physical interface if you use some kind of quality of service, or on zone-based firewalls. In the case of control plane policing, however, we will apply it on the control plane, within the control plane interface and sub interface, and then we will apply this policy. So this is a standard hierarchy, which we use for all configurations.
5. CoPP – Configuration Examples
Now the next thing we’ll see is some control plane policing configuration. Example here: I’m going to use a simple task to match my control plane traffic light. My requirement is that I’m going to implement control plane policing on this router. So I’m saying it’s connecting on the one-dot network, and maybe this router is configured with EHRP, and it produces no more than 200 packets per second, let’s say. So again, before you implement control-print policing, you need to know the exact statistics of your network. If your network is actually stable, you need to collect some statistics, like what kind of traffic you receive and how many packets you actually receive on that.
And if your network is growing, you actually also need to keep changing the statistics, because if your network is growing and maybe you are receiving 400 packets per second in the future on the control plane from all your neighbors, I just have one neighbor here. Of course, you may add a few new neighbours here, and you may receive some more packets in the future. So that is one of the actual issues here. You need to have some real-time statistics about your network. It requires some kind of testing, and the network does not grow in terms of control plane requirements, so if it is stable, that’s good. But for growing networks, you need to make sure that you adjust these parameters in general. So at this point in time, I’m going to use control plane policing here, where it produces no more than 200 packets per second and all other traffic should not exceed more than 50 packets per second. So the first thing is that we need to create a classmap. So inside the class map, we are going to match the particular traffic. So the first thing I’ll do is quickly configure the EHRP just for touching purposes. I’ll say router EHRP 100, and then I’ll say no auto summary; simply configure zero, zero, zero to authorise everything, so it’s not recommended in the production network. But at this point of time I just want to advertise EHRP on all the interfaces. So under router two as well, inside the configuration mode, I’m going to configure EHRP.
So I should expect the neighbor’s ship. If I say “show IP EHRP neighbors,” I’m expecting some EHRP traffic on the interface. So the first thing is that we are going to create a class map, and in that class map, I’m going to match my EHRP traffic. So in my case, let’s say this router is receiving traffic from the One Dot Network. And maybe you have submitted configurations for all one-dot networks. or you want to match a specific source. Then we can write an ACL. And this ACL is going to tell if the traffic is coming from this source and going to any destination, which means that’s my router and it is receiving EHRP packets, or you can write it the other way around: it might be coming from any source if it is coming on the one-dot network, which means on this interface. And then I want to match the EHRP traffic from selectedsource, which I’ll use inside the calls in the class map that say that match this ACL. This ACL I’m going to match with a command called match access group. So configuration-wise, you don’t need to memorise these commands. So the first step, you need to know how to write the ACLs.So I’m going to say “IP access list extended” and I’m going to match my EHRP packets. I can use a name like EHRP packets, and then I’ll say allow EHRP protocol from a specific source to any destination. And then all the configuration starts with class mapping. So we can say “control print policing” or “class.” I’ll just try to use the same names. You can use any name in general. And then I need to say “match.”
We can actually say match protocol EHRP, or we can say match any protocol in the list, such as FTP and TFTP, or any of the other options. But at this point in time, I want to match the ACL. So if you want to match the ACL, you need to say “match access group” and the name of the ACL. So for the name of the ACL, I have used HRPpackets, so I need to say match access group. If I’m using name in the ACL, I need to say name and then exit. And the next thing is that we need to create a policy map. Now, this policy map is going to tell you what action you want to take. Now, in my scenario, I want to match this class map inside the policy map, and then I’m going to tell that police rate because I want to do rate limiting. So if you want to do rate limiting, we use the “police rate” option. If you want to just drop the packets, we can also drop them before I actually hit the CPU, like if I want to match my telenet traffic, so we can write some ACLs to match the tele traffic, and then I can simply use the “drop” option here instead of using the “police rate” option. So in my case, I’m going to say 200 packets per second.
Confirm action. Confirm action is like if the packets are coming within 200 packets per second, whatever the limit I have given within that limit, I’m saying confirm action; transmit means allow the traffic to go; and exit action is like if it exceeds 200 packets per second, what is the action I want to take? So, I’m going to say drop, don’t tell anything faster than 200 packets per second. As a result, we must instruct confirm action to allow and exit action if it is less than 200 packets per second. And then we need to tell what happens if other traffic hits. I want to limit other traffic to 50 packets per second, so I’m going to apply rate limiting to other traffic as well. should not exceed more than 50 packets per second. And ELO and exceeding should be topped within this 15 packets per second. Finally, we must apply this policy map under the control plane. The control plane option We need to apply.
So, if you go and apply the same thing, we need to say policy map. We can use any name. So I’m going to say “cop policy,” and then I need to match my class map. So the class map name So I just need to say, “What is my class map name?” The class map—I need to say class. And the name of the class map is this one. And then we need to say that we have a lot of options here. Priorities can be viewed in the same way that police officers can. Also, priority is generally used in quality of service, so most of these options are used in quality of service. We can do bandwidth reservations, but at this point in time, I want to police because I don’t want to drop here, so I want to do policing. Now, policing is nothing but rate limiting, so I’m going to say police rate. So, what is the rate value in packets per second? Or we can define the percentage in general, like we do it for bandwidth reservations in general, in terms of quality of service. So here we need to tell the police that the rate is going to be 200 packets per second, so I’m going to say 200. So it has to be packets per second. Then we must notify the confirmation if it is within the next 200 seconds. What I want to do is confirm action. What do you want to do? You want to drop, but here I want to transmit, so I’m going to say transmit, and then we use the exit action. So exit action is like, what do you want to do with exit action? Just drop it, and then I need to exit this class map, and the next thing is that I’m going to match the class default. Now, class default is going to match all the other traffic just like permit any in the ACL; any other traffic that is not defined matches in this category. And then here also I want to implement the police rate, but the only difference is that I want to change the limit to 50 packets per second for any other traffic, and then finally we need to apply this inside the control plane. It is now dependent on the iOS versions. In some iOS versions, I think there is an option to turn Control Plane host in. In the MYOS version, I can apply directly inside the control plane.
So we don’t apply it to a specific interface here because Control Pin Policing applies to all interfaces from any inbound direction; it’s always inbound here because we want to remit how many packets you want to receive on the Control Plane and then we need to apply the Control Plane policy. So if I use the same name, I need to see what the name is that I have used here because if I try to implement a different name, it’s not going to work. So we can use some different options. like ShowrunClassmap I can figure out what the class map is by using the shown class map. Showrun Policy Map because I just want to confirm my name before applying. So we’ll say “Control Plane,” and then we’ll say “Service Policy Inbound,” and the name of the Control Plan is “so I’m getting an error message here.” Now again, depending upon iOS versions, like if you get back here, when I was trying to configure the policy map in general, it was giving me the message that “the packets per second are not allowed on the Control Plane interface because it depends upon the iOS version.” Sometimes you cannot allow it based on the packets per second.
So I just changed the configuration a little bit because I’m using a 15-dot iOS version and this feature, this package per second, is not allowed in some iOS versions. However, I believe that when I was documenting the workbook, I was using iOS version 12.4, so you could try that. So I just changed my policy map slightly where I have the same policing configuration but this time I’m using 8000.This is actually bit per second, how many bits per second you want to allow for EHR traffic if it is received, as well as other traffic; I’m allowing 8000 bits per second. So there are different statistics we can use, like packets per second or bits per second, or these kinds of options we can use to match. But again, you need to have clear statistics of how many packets are actually coming and matching that particular protocol. So in this iOS version, I cannot configure the control plane packets per second. Engine rob, so we can use “show policy map control plane” for verification; I believe control plane is all the option that works in this IBM version, so I can see the default matches: how many packets are actually matching how many bytes of information; the policing: how many rate how many confirm packets have been sent; and if any packages are getting dropped, how many are actually dropped; and any other traffic that matches the class map. So trying.
