<div>
This looks to be a bug i have iOS 12.4(25) doesn't happen in 12.4(5a)
</div>


This looks to be a bug i have iOS 12.4(25) doesn't happen in 12.4(5a)

<div>
<div class="content wysiwyg-content">
Hi, I am following the following article for control plane policing but am finding it is not actually working:<br />
<a href="https://www.micronicstraining.com/a-real-world-scenario-for-copp/" rel="ugc">https://www.micronicstraining.com/a-real-world-scenario-for-copp/</a><br />
<br />
Specifically i am trying to block fragments from coming to control plane. I have simplified this a bit but find it is not working:<br />
<br />
IP access-list extended BANFRAG<br />
&nbsp; &nbsp; 10 permit icmp any any fragments<br />
Class Map match-all CM_BANFRAG <br />
&nbsp; &nbsp;Match access-group name BANFRAG<br />
Policy Map newCoPP<br />
&nbsp; &nbsp; Class CM_BANFRAG<br />
&nbsp; &nbsp; &nbsp; drop<br />
control-plane<br />
&nbsp;service-policy input newCoPP<br />
<br />
If i send an ICMP packet that is oversize it will break it up and still go through and sh policy-map control-plane shows no hits. If i take that same ACL and apply as access group on the interface of router it will block the oversized icmp packet (as desired) and see acl increment by one. But when applied like above to control plane it is NOT blocking it?
</div>
</div>


Hi, I am following the following article for control plane policing but am finding it is not actually working:
https://www.micronicstraining.com/a-real-world-scenario-for-copp/

Specifically i am trying to block fragments from coming to control plane. I have simplified this a bit but find it is not working:

IP access-list extended BANFRAG
    10 permit icmp any any fragments
Class Map match-all CM_BANFRAG 
   Match access-group name BANFRAG
Policy Map newCoPP
    Class CM_BANFRAG
      drop
control-plane
 service-policy input newCoPP

If i send an ICMP packet that is oversize it will break it up and still go through and sh policy-map control-plane shows no hits. If i take that same ACL and apply as access group on the interface of router it will block the oversized icmp packet (as desired) and see acl increment by one. But when applied like above to control plane it is NOT blocking it?

Control Plane Policing not working on 1841 Router

A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.

Routers

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Hardware Firewalls

Networking hardware includes the physical devices facilitating the use of a computer network. Typically, networking hardware includes gateways, routers, network bridges, modems, wireless access points, networking cables, line drivers, switches, hubs, and repeaters. But it also includes hybrid network devices such as multilayer switches, protocol converters, bridge routers, proxy servers, firewalls, network address translators, multiplexers, network interface controllers, wireless network interface controllers, ISDN terminal adapters and other related hardware.