CONTROL Plane Policy

CBAC and the Zone-Based Firewall are both DATA plane policies. Another type of security policy is a CONTROL plane policy (Control Plane Policing, CoPP). It is configured much like Cisco's MQC, which is used for QoS traffic shaping and policing, and you can use the same MQC commands to rate-limit (POLICE) the traffic destined to the router's control plane.

You can use STANDARD class-maps, as in MQC, to match a PROTOCOL or an ACL (access-group), but you can also use, for example, the LOGGING type class-maps:
(config)#class-map type logging match-any LOGGING
(config-cmap)#match packets ?
  dropped    Packets dropped by control-plane protection features <-IN ORDER TO VIEW THE CONTROL PLANE
  error      Error packets dropped by control-plane protection features
  permitted  Packets permitted by control-plane protection features

(config)#policy-map POLICE_50KBPS
(config-pmap)#class CONTROL_BW
(config-pmap-c)#police 50000 conform-action transmit exceed-action drop violate-action drop

The trick is where you APPLY the policy map: not on an interface, but under the CONTROL PLANE configuration mode:
(config)#control-plane
(config-cp)#service-policy input POLICE_50KBPS
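The fragments above leave out the class-map referenced by the policy (CONTROL_BW) and the ACLs that would feed it. Below is a complete, added example of the whole procedure (classify, police, apply, and log drops) written by the editor for this post; it is not configuration from the original post. The ACL names, class names, subnets and rate values are constructed, and the control-plane logging policy (policy-map type logging, the log action, and service-policy type logging) is assumed to follow the same apply pattern as the data policy:

```cisco
! --- 1. Classify control-plane traffic with ACLs (constructed values) ---
! Only the trusted management subnet may reach SSH and SNMP on the router.
ip access-list extended COPP_MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
!
! Routing protocols: keep these generous, dropping them breaks adjacencies.
ip access-list extended COPP_ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
! ICMP echo to the router is useful but cheap to flood, so it gets a small rate.
ip access-list extended COPP_ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
!
! --- 2. Standard class-maps that reference the ACLs (match access-group) ---
class-map match-any COPP_ROUTING
 match access-group name COPP_ROUTING
class-map match-any COPP_MGMT
 match access-group name COPP_MGMT
class-map match-any COPP_ICMP
 match access-group name COPP_ICMP
!
! --- 3. Policy-map with a policer per class; rates are bits per second ---
! Class order matters: the first matching class wins, class-default catches the rest.
policy-map COPP_POLICY
 class COPP_ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 class COPP_MGMT
  police 200000 conform-action transmit exceed-action drop
 class COPP_ICMP
  police 50000 conform-action transmit exceed-action drop
 class class-default
  police 100000 conform-action transmit exceed-action drop
!
! --- 4. Apply under the control plane, not on an interface ---
control-plane
 service-policy input COPP_POLICY
!
! --- 5. Log what the policer drops (assumed syntax, see lead-in) ---
class-map type logging match-any COPP_LOG
 match packets dropped
policy-map type logging COPP_LOG_POLICY
 class COPP_LOG
  log
control-plane
 service-policy type logging input COPP_LOG_POLICY
!
! --- 6. Verify: per-class conformed/exceeded counters ---
do show policy-map control-plane
```

Two design points worth noting. The routing class uses exceed-action transmit so that a misjudged rate only marks traffic rather than silently dropping OSPF hellos or BGP keepalives; the counters from show policy-map control-plane tell you whether the rate is realistic before you tighten it. Also, a deny entry in one of these ACLs does not block anything; it merely excludes the packet from that class, so it falls through to the next class or to class-default, which is why class-default should police rather than drop outright until you have watched the counters.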
