04-30-2024 09:09 AM - edited 04-30-2024 10:01 AM
Hello,
I'm not sure why SSH is still being passed to the control plane. We have some automation issues we're trying to work out, but I'm trying to incorporate a temporary solution.
The goal here is to limit the amount of SSH traffic. It appears that SSH traffic is causing the CPU to spike to 80-100% quite frequently even with the following CoPP provisioning in place.
What could I have missed? Why does the policy map not show SSH conformed traffic?
Model: C9300-48U
Version: 17.09.03
## show ip access-lists SSH-ACL
Extended IP access list SSH-ACL
10 permit tcp any any eq 22
20 permit tcp any eq 22 any established
## show class-map SSH-Class
Class Map match-any SSH-Class (id 24)
Match access-group name SSH-ACL
## show policy-map control-plane input
Control Plane
Service-policy input: system-cpp-policy
Class-map: SSH-Class (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name SSH-ACL
police:
rate 500 pps, burst 122 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop
# Here is just a quick snapshot
# show processes cpu sorted | exclude 0.00
CPU utilization for five seconds: 62%/3%; one minute: 26%; five minutes: 15%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
617 8285 9170 903 85.59% 8.79% 2.48% 2 SSH Process
#show processes cpu history
88888333335555599999777774444411111 11111
553333388888444444444477777444446666666666777777777722222555
100
90 *****
80 ***** **********
70 ***** **********
60 ***** **********
50 ***** ***************
40 ******************************
30 ******************************
20 ***********************************
10 **********************************************************
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per second (last 60 seconds)
[show processes cpu history, CPU% per minute (last 60 minutes) and CPU% per hour (last 72 hours); * = maximum CPU%, # = average CPU%. The two ASCII graphs were garbled in extraction and are not reproduced.]
04-30-2024 10:47 AM
What IOS XE code is it running? Try to upgrade to 17.3.6 or above.
I used the below for testing: I can see SSH traffic hitting the ACL and I can see the effect:
Step 1 : Access list
ip access-list extended SSH
permit tcp any any eq 22
Step 2 : Class Map
class-map match-all CM-SSH
match access-group name SSH
Step 3 : Policy Map
policy-map PM-COPP
class CM-SSH
police 50000 conform-action transmit exceed-action transmit
class class-default
police 12000 conform-action transmit exceed-action transmit
Step 4: Apply the CoPP policy
control-plane
service-policy input PM-COPP
04-30-2024 10:59 AM
Hello,
Odd. Can you try if the below works?
class-map match-any SSH_TRAFFIC
match protocol ssh
!
policy-map SYSTEM-CPP-POLICY
!
class SSH_TRAFFIC
police 8000 1500 3000 conform-action transmit exceed-action drop
!
control-plane
service-policy input SYSTEM-CPP-POLICY
04-30-2024 11:08 AM
Hey Georg,
Yeah, it is a bit odd. I attempted your suggestion.
For some reason, the class map will not associate to the policy map. I'm not sure why.
04-30-2024 11:22 AM - edited 04-30-2024 11:29 AM
Sorry, I see it now.
MHM
04-30-2024 11:31 AM
20 permit tcp any eq 22 any established <<- no need for established; this is not a directional ACL that needs the ACL to work from one direction
remove the established and check again
MHM
04-30-2024 11:40 AM
It's working now!
I may need to fine tune the exceed traffic.
Class-map: SSH-Class (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name SSH-ACL
police:
rate 8000 bps, burst 1500 bytes
conformed 86622 bytes; actions:
transmit
exceeded 87238 bytes; actions:
drop
conformed 7000 bps, exceeded 8000 bps
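As an added example (not code from anyone in this thread), a small Python check that parses the policer counters from `show policy-map control-plane input` and flags both symptoms seen here: a class with zero hits (the pre-fix state, where the class never matches) and a class dropping most of what it matches (the "fine tune the exceed traffic" case). The sample output is constructed from the counters posted above, and the TELNET-Class entry is an invented second class.

```python
import re
from collections import namedtuple

# Constructed sample of "show policy-map control-plane input": the SSH-Class
# counters posted above after the fix, plus a class showing the pre-fix symptom.
SAMPLE = """\
Class-map: SSH-Class (match-any)
police:
rate 8000 bps, burst 1500 bytes
conformed 86622 bytes; actions:
transmit
exceeded 87238 bytes; actions:
drop
conformed 7000 bps, exceeded 8000 bps
Class-map: TELNET-Class (match-any)
police:
rate 500 pps, burst 122 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop
"""

Policer = namedtuple("Policer", "name conformed exceeded")
# Byte counters only; the "conformed 7000 bps" rate line has no "bytes;" and is skipped.
COUNTER_RE = re.compile(r"(conformed|exceeded)\s+(\d+)\s+bytes;")

def parse_copp(text):
    # re.split with a capturing group yields [preamble, name1, body1, name2, body2, ...]
    chunks = re.split(r"^\s*Class-map:\s+(\S+).*$", text, flags=re.M)
    policers = []
    for name, body in zip(chunks[1::2], chunks[2::2]):
        counters = {k: int(v) for k, v in COUNTER_RE.findall(body)}
        policers.append(Policer(name, counters.get("conformed", 0), counters.get("exceeded", 0)))
    return policers

def drop_ratio(p):
    total = p.conformed + p.exceeded
    return p.exceeded / total if total else 0.0

def review(policers, max_drop_ratio=0.25):
    # A class with zero hits is the symptom from the original post: the class is
    # not matching at all, so the ACL/class-map needs fixing, not the policer rate.
    findings = {}
    for p in policers:
        if p.conformed == 0 and p.exceeded == 0:
            findings[p.name] = "no hits: class never matches, check the ACL and class-map"
        elif drop_ratio(p) > max_drop_ratio:
            findings[p.name] = f"dropping {drop_ratio(p):.0%} of matched bytes: tune rate/burst"
    return findings
```

Run `review(parse_copp(open("copp.txt").read()))` on a saved copy of the show output; a class that stays at zero after the ACL fix points back at classification, a high drop ratio at the policer rate.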
04-30-2024 11:43 AM
You are welcome
But can I ask something:
Is this SSH high when you try to access the SW, or when the SW uses SSH for some service?
Thanks
MHM
04-30-2024 11:45 AM - edited 04-30-2024 12:28 PM
SSH traffic is caused by DNAC. We don't quite know why DNAC is creating multiple SSH connections and running a sync so much. Could be bug related.