Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 36 Configuring Denial of Service Protection
Configuring CoPP
To configure CoPP, perform this task:
When defining the packet classification criteria, follow these guidelines and restrictions:
• To avoid matching the filtering and policing that are configured in a subsequent class, configure
policing in each class. CoPP does not apply the filtering in a class that does not contain a police
command. A class without a police command matches no traffic.
• The ACLs used for classification are QoS ACLs. QoS ACLs supported are IP standard, extended,
and named.
• These are the only match types supported:
  – ip precedence
  – ip dscp
  – access-group
• Only IP ACLs are supported in hardware.
• MAC-based matching is done in software only.
• You can enter one match command in a single class map only.
• In releases earlier than Release 12.2(18)SXE, the MQC class default is not supported.
When defining the service policy, the police policy-map action is the only supported action.
When applying the service policy to the control plane, only the input direction is supported.
Step 1
Command:
  Router(config)# mls qos
Purpose: Enables MLS QoS globally.

Step 2
Command:
  Router(config)# ip access-list extended access-list-name
  Router(config-ext-nacl)# {permit | deny} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
Purpose: Defines ACLs to match traffic:
  • permit sets the conditions under which a packet passes a named IP access list.
  • deny sets the conditions under which a packet does not pass a named IP access list.
  Note: You must configure ACLs in most cases to identify the important or unimportant traffic.

Step 3
Command:
  Router(config)# class-map traffic-class-name
  Router(config-cmap)# match {ip precedence} | {ip dscp} | access-group
Purpose: Defines the packet classification criteria. Use the match statements to identify the traffic associated with the class.

Step 4
Command:
  Router(config)# policy-map service-policy-name
  Router(config-pmap)# class traffic-class-name
  Router(config-pmap-c)# police {bits-per-second [normal-burst-bytes] [maximum-burst-bytes] [pir peak-rate-bps]} | [conform-action action] [exceed-action action] [violate-action action]
Purpose: Defines a service policy map. Use the class traffic-class-name command to associate classes to the service policy map. Use the police statements to associate actions to the service policy map.

Step 5
Command:
  Router(config)# control-plane
  Router(config-cp)#
Purpose: Enters the control plane configuration mode.

Step 6
Command:
  Router(config-cp)# service-policy input service-policy-name
Purpose: Applies the QoS service policy to the control plane.
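
The six steps above, carried through as one configuration that follows the listed guidelines. This is an added example, not taken from the Cisco guide: the class and ACL names, the addresses (RFC 5737 documentation ranges) and the police rates are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. Addresses are constructed
! (RFC 5737 ranges); names and police rates are assumptions to be tuned
! against measured control plane traffic.
mls qos
!
! Step 2: one ACL per traffic type. "permit" selects traffic for the class.
ip access-list extended COPP-BGP
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
ip access-list extended COPP-OTHER
 permit ip any any
!
! Step 3: a single match command per class map.
class-map COPP-BGP
 match access-group name COPP-BGP
class-map COPP-MGMT
 match access-group name COPP-MGMT
class-map COPP-OTHER
 match access-group name COPP-OTHER
!
! Step 4: every class carries a police command; a class without one
! matches no traffic. COPP-OTHER is an explicit catch-all so the policy
! does not rely on class-default; size its rate for whatever the
! earlier classes do not list.
policy-map COPP-POLICY
 class COPP-BGP
  police 1000000 31250 31250 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 500000 15625 15625 conform-action transmit exceed-action drop
 class COPP-OTHER
  police 125000 3906 3906 conform-action transmit exceed-action drop
!
! Steps 5 and 6: attach in the input direction, the only one supported.
control-plane
 service-policy input COPP-POLICY
```

After the policy is applied, `show policy-map control-plane` reports per-class conform and exceed counters, which is the place to validate the rates before tightening any exceed-action to drop.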