
Question about the Cisco port 18999 vulnerability on a 4451 device

zhangjijun
Level 1
On the Cisco website I saw that, for IOS-XE devices where show udp shows port 18999 listening, a policy-map configuration can be used to drop the packets.
access-list 199 permit udp any any eq 18999
class-map undesirable-udp
match access-group 199
exit
policy-map drop-udp
class undesirable-udp
drop
exit
exit
control-plane
service-policy input drop-udp
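However, on the 4451, after entering policy-map drop-udp and class undesirable-udp, the drop command does not exist when I try to enter it. How should this be configured?
1 Accepted Solution

Accepted Solution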

junnyang
Cisco Employee
On platforms that do not support the drop keyword within the Policy Map, customers may consider utilizing a policy similar to the following as an alternative:
! -- ACL for CoPP Undesirable UDP class-map
! -- Ignore fragments to prevent them from being misclassified by the policy
access-list 199 deny ip any any fragments
! -- Classify traffic destined to UDP Port 18999 so that we can drop it prior to being processed
access-list 199 permit udp any any eq 18999
! -- CoPP Undesireable UDP class-map
class-map match-all undesireable-udp
match access-group 199
! -- Undesireable UDP Policy Map - Drop on Police Rate
policy-map drop-udp
class undesireable-udp
police rate 8000
conform-action drop
exceed-action drop
violate-action drop
! -- Apply Undesireable UDP policy Map
control-plane
service-policy input drop-udp
If the Adaptive QoS for DMVPN feature is later configured, the device must be upgraded to an unaffected release of Cisco IOS Software or Cisco IOS XE Software and the CoPP policy must be removed.
Detailed information:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf73881
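A way to check that a pasted configuration really forms the full chain (ACL for UDP 18999, class-map, policy-map class that drops everything, control-plane input), as an added example that is not part of the thread or Cisco's own tooling. The function names are hypothetical, and it assumes a flat paste like the ones above with a numbered ACL written exactly as `permit udp any any eq 18999`. Note that the question spells the class `undesirable-udp` and the answer `undesireable-udp`; mixing the two leaves the policy-map class unbound, which this check reports.

```python
def drops_all(tok):
    """True if a policy-map class body drops every packet it matches."""
    if tok == ["drop"]:  # platforms that accept the drop keyword
        return True
    acts = ("conform-action", "exceed-action", "violate-action")
    return "police" in tok and all(  # police form from the accepted answer
        a in tok and tok[tok.index(a) + 1:tok.index(a) + 2] == ["drop"] for a in acts)

def audit_copp(config, port=18999):
    """Return findings for the ACL -> class-map -> policy-map -> control-plane chain."""
    acls, cmaps, pmaps, applied = set(), {}, {}, None
    section = name = cls = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!") or t[0] == "exit":
            continue
        if t[0] == "access-list":
            section = None
            if t[2:] == ["permit", "udp", "any", "any", "eq", str(port)]:
                acls.add(t[1])
        elif t[0] in ("class-map", "policy-map", "control-plane"):
            section, name, cls = t[0], t[-1], None
            if section == "policy-map":
                pmaps[name] = {}
        elif section == "class-map" and t[:2] == ["match", "access-group"]:
            cmaps[name] = t[2]
        elif section == "policy-map" and t[0] == "class":
            cls = t[1]
            pmaps[name][cls] = []
        elif section == "policy-map" and cls:
            pmaps[name][cls] += t
        elif section == "control-plane" and t[:2] == ["service-policy", "input"]:
            applied = t[2]
    if applied not in pmaps:
        return ["no defined policy-map is applied as control-plane input"]
    bound = {c for c, acl in cmaps.items() if acl in acls}
    hit = [c for c in pmaps[applied] if c in bound]
    if not hit:
        return [f"policy-map {applied}: no class is bound to an ACL for UDP {port}"]
    return [f"class {c}: not every action is drop" for c in hit
            if not drops_all(pmaps[applied][c])]

# The accepted answer's policy with its comment lines removed.
ANSWER = ("access-list 199 deny ip any any fragments\naccess-list 199 permit udp any any eq 18999\n"
          "class-map match-all undesireable-udp\nmatch access-group 199\n"
          "policy-map drop-udp\nclass undesireable-udp\npolice rate 8000\n"
          "conform-action drop\nexceed-action drop\nviolate-action drop\n"
          "control-plane\nservice-policy input drop-udp\n")
print(audit_copp(ANSWER) or "mitigation chain complete")
```

An empty list means every link in the chain is present; each string in a non-empty list names the link that is missing or not dropping.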


5 Replies


13nash
Level 8
Look it up in the command reference.

XuLei18879
Level 1
policy-map drop-udp: this drop-udp is the name of the policy-map, and you can pick any name you like... so you won't see it when you press ?.

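zhangjijun
Level 1
lastbaba posted on 2018-4-13 18:10
policy-map drop-udp: this drop-udp is the name of the policy-map, and you can pick any name you like... so when you press ? you won't ...

I know this drop-udp is just an arbitrarily chosen name. I used this name, but when configuring under it, there is no drop command.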

Rockyw
Spotlight
It looks like this issue has been resolved.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !