Cisco-COPP-ASR1001: difference between revisions
From noname.com.ua
Revision as of 10:20, 1 July 2024
Control Plane Policing (CoPP) (using the ASR1001 as an example)
<PRE>
! Detach the active CoPP policy first so that the ACLs, class-maps and the
! policy-map can be recreated from scratch. The control plane is unpoliced
! until the policy is re-applied at the end of this snippet.
control-plane
 no service-policy input POLICY_MAP_COPP_INPUT_POLICY
 exit
no policy-map POLICY_MAP_COPP_INPUT_POLICY

! Telnet. "established" segments are excluded from the class, so only
! connection attempts (SYN) to port 23 are matched; ACK/RST floods fall
! through to class-default.
no ip access-list extended ACCESS_LIST_COPP_TELNET
ip access-list extended ACCESS_LIST_COPP_TELNET
 deny tcp any any established
 permit tcp any any eq telnet
 exit

! SSH, same pattern. There is no trusted-source exception here, so the
! policy below drops SSH connection attempts from everywhere.
no ip access-list extended ACCESS_LIST_COPP_SSH
ip access-list extended ACCESS_LIST_COPP_SSH
 deny tcp any any established
 permit tcp any any eq 22
 exit

! SNMP: polls from 10.72.0.0/24 are exempted, all other SNMP is matched.
no ip access-list extended ACCESS_LIST_COPP_SNMP
ip access-list extended ACCESS_LIST_COPP_SNMP
 deny udp 10.72.0.0 0.0.0.255 any eq 161
 permit udp any any eq 161
 exit

! BGP. With wildcard 0.0.0.255 the exemption covers the whole 172.31.0.0/24,
! not just 172.31.0.100; use "host 172.31.0.100" if a single peer was meant.
no ip access-list extended ACCESS_LIST_COPP_BGP
ip access-list extended ACCESS_LIST_COPP_BGP
 deny tcp any any established
 deny tcp 172.31.0.100 0.0.0.255 any eq 179
 permit tcp any any eq 179
 exit

! RADIUS is UDP (1812 authentication, 1813 accounting); a "permit tcp" on
! these ports never matches the service. These entries match packets sent
! TO UDP 1812/1813 on the router. Replies from a RADIUS server to a NAS carry
! 1812/1813 as the SOURCE port ("udp any eq 1812 any"), so check which
! direction this box actually receives before relying on the class.
no ip access-list extended ACCESS_LIST_COPP_RADIUS
ip access-list extended ACCESS_LIST_COPP_RADIUS
 deny udp 172.31.0.0 0.0.0.255 any eq 1812
 deny udp 172.31.0.0 0.0.0.255 any eq 1813
 deny udp 100.100.100.0 0.0.0.255 any eq 1812
 deny udp 100.100.100.0 0.0.0.255 any eq 1813
 permit udp any any eq 1812
 permit udp any any eq 1813
 exit

no class-map CLASS_MAP_COPP_TELNET
class-map CLASS_MAP_COPP_TELNET
 match access-group name ACCESS_LIST_COPP_TELNET
 exit

no class-map CLASS_MAP_COPP_SSH
class-map CLASS_MAP_COPP_SSH
 match access-group name ACCESS_LIST_COPP_SSH
 exit

no class-map CLASS_MAP_COPP_SNMP
class-map CLASS_MAP_COPP_SNMP
 match access-group name ACCESS_LIST_COPP_SNMP
 exit

no class-map CLASS_MAP_COPP_BGP
class-map CLASS_MAP_COPP_BGP
 match access-group name ACCESS_LIST_COPP_BGP
 exit

no class-map CLASS_MAP_COPP_RADIUS
class-map CLASS_MAP_COPP_RADIUS
 match access-group name ACCESS_LIST_COPP_RADIUS
 exit

! With conform/exceed/violate all set to drop the class is a blacklist and
! the cir/bc/be values are irrelevant. The first "exit" leaves the police
! sub-mode, the second leaves the class.
no policy-map POLICY_MAP_COPP_INPUT_POLICY
policy-map POLICY_MAP_COPP_INPUT_POLICY
 ! Deny telnet
 class CLASS_MAP_COPP_TELNET
  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
  exit
 exit
 ! Deny ssh
 class CLASS_MAP_COPP_SSH
  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
  exit
 exit
 ! Deny SNMP
 class CLASS_MAP_COPP_SNMP
  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
  exit
 exit
 ! Deny BGP
 class CLASS_MAP_COPP_BGP
  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
  exit
 exit
 ! Deny RADIUS
 class CLASS_MAP_COPP_RADIUS
  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
  exit
 exit
 ! Permit other (including LACP). All three actions transmit, so everything
 ! that reaches class-default is effectively not rate-limited.
 class class-default
  police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action transmit violate-action transmit
  exit
 exit
exit

control-plane
 no service-policy input POLICY_MAP_COPP_INPUT_POLICY
 service-policy input POLICY_MAP_COPP_INPUT_POLICY
 exit
</PRE>
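As an added example (not part of the original page, and not Cisco tooling), a small Python linter for the kind of CoPP policy shown above. It parses the `ip access-list extended`, `class-map` and `policy-map` sections and reports the three things a reviewer of this config would look for: an ACL whose permit entries use a different L4 protocol from its deny entries (RADIUS is UDP, so `permit tcp any any eq 1812` never matches and the class is a no-op), an address/wildcard pair with host bits set (`172.31.0.100 0.0.0.255` covers the whole /24), and classes whose police actions are drop/drop/drop. `SAMPLE_CONFIG` is a constructed copy of the BGP and RADIUS parts of the page's config, with the RADIUS permits deliberately left as `permit tcp` so the first check fires; all function names are the example's own.

```python
"""CoPP policy linter: parses Cisco IOS extended ACLs, class-maps and a
policy-map and reports (1) ACLs whose permit and deny lines use different L4
protocols, (2) address/wildcard pairs with host bits set, (3) classes whose
police actions are drop/drop/drop. Added example, not from the original page;
SAMPLE_CONFIG is a constructed copy of part of the page's config."""
import ipaddress
import re
from collections import defaultdict

SAMPLE_CONFIG = """
ip access-list extended ACCESS_LIST_COPP_BGP
 deny tcp any any established
 deny tcp 172.31.0.100 0.0.0.255 any eq 179
 permit tcp any any eq 179
ip access-list extended ACCESS_LIST_COPP_RADIUS
 deny udp 172.31.0.0 0.0.0.255 any eq 1812
 deny udp 172.31.0.0 0.0.0.255 any eq 1813
 permit tcp any any eq 1812
 permit tcp any any eq 1813
class-map CLASS_MAP_COPP_BGP
 match access-group name ACCESS_LIST_COPP_BGP
class-map CLASS_MAP_COPP_RADIUS
 match access-group name ACCESS_LIST_COPP_RADIUS
policy-map POLICY_MAP_COPP_INPUT_POLICY
 class CLASS_MAP_COPP_BGP
  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
 class CLASS_MAP_COPP_RADIUS
  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
 class class-default
  police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action transmit violate-action transmit
"""

ACTIONS_RE = re.compile(r"conform-action (\S+) exceed-action (\S+) violate-action (\S+)")


def _addr(t, i):
    """Consume one ACL address spec at t[i]: 'any', 'host X' or 'X WILDCARD'."""
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_ace(line):
    """Parse an extended ACE such as 'deny udp 10.72.0.0 0.0.0.255 any eq 161'."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "sport": None, "dport": None}
    ace["src"], i = _addr(t, 2)
    if i < len(t) and t[i] == "eq":                # source-port form: 'any eq 1812 any'
        ace["sport"], i = t[i + 1], i + 2
    ace["dst"], i = _addr(t, i)
    rest = t[i:]
    ace["dport"] = rest[rest.index("eq") + 1] if "eq" in rest else None
    ace["established"] = "established" in rest
    return ace


def host_bits_set(addr, wildcard):
    """True when addr has 1-bits where the wildcard says 'don't care'; those bits
    never take part in the match, so 172.31.0.100 0.0.0.255 covers all of 172.31.0.0/24."""
    return (int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(wildcard))) != 0


def parse_config(text):
    """Return (acl name -> ACEs, class-map -> acl name, policy class -> (conform, exceed, violate))."""
    acls, class_acl, actions, ctx = defaultdict(list), {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "!" or line.startswith("no ") or line == "exit":
            continue                               # comments, removals and mode exits carry no policy
        w = line.split()
        if line.startswith("ip access-list extended "):
            ctx = ("acl", w[-1])
        elif line.startswith("class-map "):
            ctx = ("cmap", w[-1])
        elif line.startswith("policy-map "):
            ctx = ("pmap", None)
        elif ctx and ctx[0] == "acl" and w[0] in ("permit", "deny"):
            acls[ctx[1]].append(parse_ace(line))
        elif ctx and ctx[0] == "cmap" and line.startswith("match access-group name "):
            class_acl[ctx[1]] = w[-1]
        elif ctx and ctx[0] == "pmap" and w[0] == "class":
            ctx = ("pmap", w[1])
        elif ctx and ctx[0] == "pmap" and w[0] == "police":
            m = ACTIONS_RE.search(line)            # two-colour policers without violate-action are skipped
            if m:
                actions[ctx[1]] = m.groups()
    return acls, class_acl, actions


def lint(acls, class_acl, actions):
    findings = []
    for name, aces in acls.items():
        deny = {a["proto"] for a in aces if a["action"] == "deny"}
        permit = {a["proto"] for a in aces if a["action"] == "permit"}
        if deny and permit and not deny & permit:  # e.g. deny udp ... / permit tcp ... on the same ports
            findings.append(f"{name}: protocol mismatch, denies use {sorted(deny)} but permits use {sorted(permit)}; the permit never matches the service the denies exempt")
        for a in aces:
            for side in ("src", "dst"):
                addr, wild = a[side]
                if wild and host_bits_set(addr, wild):
                    findings.append(f"{name}: {side} {addr} {wild} has host bits set under the wildcard; it matches the whole range, use 'host {addr}' for one address")
    for cls, acts in actions.items():
        if set(acts) == {"drop"}:
            findings.append(f"{cls} (acl {class_acl.get(cls, '-')}): drop/drop/drop, matching traffic is blocked outright")
    return findings


def run(text=SAMPLE_CONFIG):
    """Lint a config text; returns the list of findings (empty when clean)."""
    return lint(*parse_config(text))
```

Feed it the relevant part of `show running-config` (or the snippet above as pasted): `no ...`, `exit` and `!` lines are ignored, so the page's config can go in unchanged. On the sample it reports the BGP wildcard, the RADIUS tcp/udp mismatch and the two drop-only classes; after changing the RADIUS permits to `permit udp` the mismatch finding disappears.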