First I create the access lists that determine what traffic I want to control or allow. Notice that there are multiple access lists: I define one per “function” so I can control the bandwidth allotted to each. Below I have access lists for Routing, Management, Undesirable, and the remaining traffic (the DEFAULT access list).
ip access-list extended ROUTING
 remark Allow EIGRP Routing
 permit eigrp any 192.168.255.0 0.0.0.3
 permit eigrp any host 224.0.0.10
ip access-list extended MANAGEMENT
 remark Allow SSH
 permit tcp 10.136.3.0 0.0.0.255 10.136.6.0 0.0.0.255 eq 22
 permit tcp 10.136.3.0 0.0.0.255 eq 22 10.136.6.0 0.0.0.255 established
 remark Allow SNMP
 permit udp 10.136.3.0 0.0.0.255 10.136.6.0 0.0.0.255 eq snmp
 remark Allow NTP
 permit udp 10.136.3.0 0.0.0.255 10.136.6.0 0.0.0.255 eq ntp
 remark Allow ICMP
 permit icmp any 10.136.6.0 0.0.0.255 echo
 permit icmp any 10.136.6.0 0.0.0.255 echo-reply
 permit icmp any 10.136.6.0 0.0.0.255 ttl-exceeded
 permit icmp any 10.136.6.0 0.0.0.255 packet-too-big
 permit icmp any 10.136.6.0 0.0.0.255 port-unreachable
 permit icmp any 10.136.6.0 0.0.0.255 unreachable
ip access-list extended UNDESIRABLE
 permit icmp any any fragments
 permit udp any any fragments
 permit tcp any any fragments
 permit ip any any fragments
 permit udp any any eq 1434
 permit tcp any any eq 639 rst
ip access-list extended DEFAULT
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ip any any
Next we’ll configure the class maps. Each one matches one of the ACLs we created above.
class-map match-all Catch-All
 match access-group name DEFAULT
class-map match-all Management
 match access-group name MANAGEMENT
class-map match-all Undesirable
 match access-group name UNDESIRABLE
class-map match-all Routing
 match access-group name ROUTING
Now we configure a policy map. The policy map references each class map (which in turn matches an ACL), and for each class we set the action to take. In this case we will be policing the traffic.
policy-map RTR_CoPP
 class Undesirable
  police 8000 1500 1500 conform-action drop exceed-action drop
 class Routing
  police 1000000 50000 50000 conform-action transmit exceed-action transmit
 class Management
  police 100000 20000 20000 conform-action transmit exceed-action drop
 class Catch-All
  police 50000 5000 5000 conform-action transmit exceed-action drop
 class class-default
  police 8000 1500 1500 conform-action transmit exceed-action transmit
Finally, apply the policy to the control plane:
Router(config)# control-plane
Router(config-cp)# service-policy input RTR_CoPP
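As an added check that is not part of the original post, the Python script below audits a CoPP configuration of the shape built above: it confirms that every class map points at an ACL that exists, flags the ordering trap where a class whose ACL permits all IP (the Catch-All here) is placed ahead of another class in the policy map and so shadows it, and flags a class matching EIGRP or OSPF whose exceed action is drop. The `parse` and `audit` functions and the condensed `PAGE_COPP` sample are constructed for this illustration, not Cisco tooling.

```python
# Constructed sample: the page's CoPP policy condensed to one ACE per ACL.
PAGE_COPP = """\
ip access-list extended ROUTING
 permit eigrp any host 224.0.0.10
ip access-list extended UNDESIRABLE
 permit ip any any fragments
ip access-list extended DEFAULT
 permit ip any any
class-map match-all Catch-All
 match access-group name DEFAULT
class-map match-all Undesirable
 match access-group name UNDESIRABLE
class-map match-all Routing
 match access-group name ROUTING
policy-map RTR_CoPP
 class Undesirable
  police 8000 1500 1500 conform-action drop exceed-action drop
 class Routing
  police 1000000 50000 50000 conform-action transmit exceed-action transmit
 class Catch-All
  police 50000 5000 5000 conform-action transmit exceed-action drop
"""

def parse(config):
    """Group an IOS config into stanzas: (first word, name) -> child command word lists."""
    stanzas, cur = {}, None
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if line[0] != " ":  # an unindented command opens a new stanza
            cur = stanzas[(w[0], w[-1])] = []
        else:
            cur.append(w)
    return stanzas

def audit(config):
    """Return findings as strings; an empty list means every check passed."""
    st = parse(config)
    acls = {n: aces for (k, n), aces in st.items() if k == "ip"}
    cmaps = {n: c[0][3] for (k, n), c in st.items() if k == "class-map"}
    findings = [f"class-map {c} uses missing ACL {a}" for c, a in cmaps.items() if a not in acls]
    shadow, cname, aces = None, None, []
    for w in next(c for (k, n), c in st.items() if k == "policy-map"):
        if w[0] == "class":  # first matching class wins, so order matters
            cname, aces = w[1], acls.get(cmaps.get(w[1]), [])
            if shadow:
                findings.append(f"class {cname} is unreachable behind {shadow}")
            shadow = cname if ["permit", "ip", "any", "any"] in aces else shadow
        elif w[0] == "police" and w[-1] == "drop" and any(a[1] in ("eigrp", "ospf") for a in aces):
            findings.append(f"class {cname} drops routing protocol traffic on exceed")
    return findings
```

Running `audit(PAGE_COPP)` returns an empty list for the ordering used on this page; swapping the Routing and Catch-All classes makes it report Routing as unreachable.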
Now that we have configured control plane traffic, we have one more step to make sure we can get to our systems when the network is going crazy. We want to make sure that we can enter commands, view logs, etc. To do that we have to configure the system to give us some CPU time.
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
These are rough settings (per Cisco) but should work well as a starting point.