OL-11615-01
Configure each ACL to permit all known protocols in its class that require access to the RP. At this point,
each ACL entry should have both source and destination addresses set to any. In addition, the ACL for
the default class should be configured with a single entry: permit ip any any. This will match traffic not
explicitly permitted by entries in the other ACLs.
After the ACLs have been configured, create a class-map for each class defined in Step 1, including one
for the default class. Then assign each ACL to its corresponding class-map.
Note: In this step you should create a separate class-map for the default class, rather than using the
class-default available in some platforms. Creating a separate class-map and assigning a permit
ip any any ACL will allow you to identify traffic not yet classified as part of another class.
Each class map should then be associated with a policy-map that permits all traffic, regardless of
classification. The policy for each class should be set as conform-action transmit exceed-action transmit.
Step 3 Review the identified traffic and adjust the classification.
Ideally, the classification performed in Step 1 identified all required traffic destined to the router.
However, realistically, not all required traffic will be identified prior to deployment and the permit ip
any any entry in the default class ACL will log a number of packet matches. Some form of analysis will
be required to determine the exact nature of the unclassified packets.
Use the show access-lists command to see the entries in the ACLs that are in use, and to identify any
additional traffic sent to the RP. To analyze the unclassified traffic you can use one of the following
techniques:
• General ACL classification as described in Characterizing and Tracing Packet Floods Using Cisco
Routers, which is available at the following URL:
http://www.cisco.com/warp/public/707/22.html#topic2
• Packet analyzers
When traffic has been properly identified, adjust the class configuration accordingly. Remove the
ACL entries for those protocols that are not used. Add a permit any any entry for each protocol just
identified.
Step 4 Restrict a macro range of source addresses.
Refine the classification ACLs by only allowing the full range of the allocated CIDR block to be
permitted as the source address. For example, if the network has been allocated 172.68.0.0/16, then
permit source addresses from 172.68.0.0/16 where applicable.
This step provides data points for devices or users from outside the CIDR block that might be accessing
the equipment. An external BGP (eBGP) peer will require an exception because the permitted source
addresses for the session will lie outside the CIDR block. This phase might be left on for a few days to
collect data for the next phase of narrowing the ACL entries.
Step 5 Narrow the ACL permit statements to authorized source addresses.
Increasingly limit the source address in the classification ACLs to only permit sources that communicate
with the RP. For example, only known network management stations should be permitted to access the
SNMP ports on a router.
Step 6 Refine CoPP policies by implementing rate limiting.
Use the show policy-map control-plane command to collect data about the actual policies in place.
Analyze the packet count and rate information and develop a rate limiting policy accordingly.
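The following IOS configuration is an added example that walks through Steps 2 to 6 above; it is not taken from this document. Class names, the two management protocols chosen, the 172.68.0.0/16 block from Step 4, the eBGP peer address 192.0.2.1 and the final police rates are all assumed values for illustration.

```cisco
! Step 2: one ACL per class, every entry initially "any any"
ip access-list extended CoPP-ACL-BGP
 permit tcp any any eq bgp
 permit tcp any eq bgp any
ip access-list extended CoPP-ACL-MGMT
 permit tcp any any eq 22
 permit udp any any eq snmp
! Separate default class with a single permit ip any any,
! so its counters expose traffic not yet classified elsewhere
ip access-list extended CoPP-ACL-DEFAULT
 permit ip any any
!
class-map match-all CoPP-BGP
 match access-group name CoPP-ACL-BGP
class-map match-all CoPP-MGMT
 match access-group name CoPP-ACL-MGMT
class-map match-all CoPP-DEFAULT
 match access-group name CoPP-ACL-DEFAULT
!
! Step 2 policy: transmit on both conform and exceed, counters only
policy-map CoPP-POLICY
 class CoPP-BGP
  police 8000 conform-action transmit exceed-action transmit
 class CoPP-MGMT
  police 8000 conform-action transmit exceed-action transmit
 class CoPP-DEFAULT
  police 8000 conform-action transmit exceed-action transmit
!
control-plane
 service-policy input CoPP-POLICY
!
! Step 3: review "show access-lists" hit counts, then prune unused entries.
! Steps 4-5: narrow sources to the allocated block, then to known hosts.
! The eBGP peer (assumed 192.0.2.1) lies outside 172.68.0.0/16 and is the exception.
ip access-list extended CoPP-ACL-BGP
 no permit tcp any any eq bgp
 no permit tcp any eq bgp any
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
ip access-list extended CoPP-ACL-MGMT
 no permit udp any any eq snmp
 permit udp host 172.68.10.5 any eq snmp
!
! Step 6: rates derived from "show policy-map control-plane" counters;
! exceed traffic is now dropped, and anything still unclassified is held to a low rate
policy-map CoPP-POLICY
 class CoPP-MGMT
  police 32000 conform-action transmit exceed-action drop
 class CoPP-DEFAULT
  police 8000 conform-action transmit exceed-action drop
```

Re-applying a police statement under an existing class replaces the previous one, so the Step 6 lines update the policy in place rather than adding a second policer.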