Tuesday, July 15, 2014

CoPP and CPPr

Recently I looked into what the control plane is and what it does. Now I want to look at how to protect it, which is where CoPP (Control Plane Policing) and CPPr (Control Plane Protection) come into play.

First let's see what these two features are and what they can do for us. CoPP controls and rate-limits traffic to the entire control plane (the aggregate path). CPPr, on the other hand, controls access to the individual control plane subinterfaces (host, transit and CEF-exception).

Host - Traffic destined for the router itself (management, routing protocols, etc.) 
Transit - Software-switched transit traffic 
CEF exception - Traffic which triggers a CEF exception (ARP, non-IP packets, etc.)

Below are the steps to configure CoPP on a router:

Configure the ACL,

R1(config)#access-list 100 permit tcp any any eq 22
R1(config)#access-list 100 permit tcp any eq 22 any


Configure Class-Map,

R1(config)#class-map CM_CLASS_MAP
R1(config-cmap)#match access-group 100
R1(config-cmap)#exit


Configure Policy-Map,

R1(config)#policy-map PM_POLICY_MAP
R1(config-pmap)#class CM_CLASS_MAP
R1(config-pmap-c)#police 16000 conform-action transmit exceed-action drop violate-action drop
R1(config-pmap-c-police)#exit
 

Apply Policy-Map to Control-Plane,

R1(config)#control-plane
R1(config-cp)#service-policy input PM_POLICY_MAP


*Mar  1 00:06:08.747: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane aggregate path
 

The above syslog message confirms that CoPP has been enabled on the aggregate control plane path, i.e. on the entire control plane.

Verification commands,

R1#sh policy-map control-plane
 Control Plane

  Service-policy input: PM_POLICY_MAP

    Class-map: CM_CLASS_MAP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 100
      police:
          cir 16000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any


R1#sh access-list
Extended IP access list 100
    10 permit tcp any any eq 22
    20 permit tcp any eq 22 any
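Two things are worth checking in that output on a regular basis: whether the policer in CM_CLASS_MAP is actually dropping packets (the exceeded and violated counters), and the fact that class-default matches everything else with no police action, so all other control-plane traffic is passed unpoliced. The following Python script is an added example, not part of the original post: it parses a constructed sample of the same "show policy-map control-plane" layout (with non-zero counters so there is something to find) and reports both conditions. The regular expressions and the ClassStats field names are my own assumptions based on the output format shown above.

```python
"""Parse Cisco IOS 'show policy-map control-plane' output and report policer drops.

Added example, not from the original post. The regexes below are written against
the output layout shown in the post; class/field names here are my own.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample output, same layout as the post's verification command but
# with non-zero counters so the drop check has something to report.
SAMPLE_OUTPUT = """\
 Control Plane

  Service-policy input: PM_POLICY_MAP

    Class-map: CM_CLASS_MAP (match-all)
      1240 packets, 98320 bytes
      5 minute offered rate 2000 bps, drop rate 500 bps
      Match: access-group 100
      police:
          cir 16000 bps, bc 1500 bytes, be 1500 bytes
        conformed 1100 packets, 87000 bytes; actions:
          transmit
        exceeded 90 packets, 7200 bytes; actions:
          drop
        violated 50 packets, 4120 bytes; actions:
          drop
        conformed 1500 bps, exceed 300 bps, violate 200 bps

    Class-map: class-default (match-any)
      53210 packets, 4100233 bytes
      5 minute offered rate 12000 bps, drop rate 0 bps
      Match: any
"""


@dataclass
class ClassStats:
    """Per-class counters pulled from the policy-map output (hypothetical structure)."""
    name: str
    policed: bool = False               # True once a 'police:' section is seen
    cir_bps: Optional[int] = None       # committed rate of the policer, if any
    counters: dict = field(default_factory=dict)  # conformed/exceeded/violated -> packets


CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
CIR_RE = re.compile(r"^\s*cir\s+(\d+)\s+bps")
# Only the packet-count lines; the trailing 'conformed ... bps' rate line has no 'packets,'.
COUNTER_RE = re.compile(r"^\s*(conformed|exceeded|violated)\s+(\d+)\s+packets,")


def parse_policy_map(text):
    """Return a list of ClassStats, one per Class-map block, in output order."""
    classes = []
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = ClassStats(name=m.group(1))
            classes.append(current)
            continue
        if current is None:
            continue                     # header lines before the first class
        if line.strip() == "police:":
            current.policed = True
            continue
        m = CIR_RE.match(line)
        if m:
            current.cir_bps = int(m.group(1))
            continue
        m = COUNTER_RE.match(line)
        if m:
            current.counters[m.group(1)] = int(m.group(2))
    return classes


def find_problems(classes):
    """Flag classes whose policer dropped packets, and classes with no policer at all."""
    problems = []
    for c in classes:
        dropped = c.counters.get("exceeded", 0) + c.counters.get("violated", 0)
        if dropped:
            problems.append(
                f"{c.name}: {dropped} packets dropped by policer (cir {c.cir_bps} bps)")
        if not c.policed:
            problems.append(
                f"{c.name}: no police action, traffic in this class is not rate-limited")
    return problems


if __name__ == "__main__":
    for problem in find_problems(parse_policy_map(SAMPLE_OUTPUT)):
        print(problem)
```

In practice you would feed the script the real command output (collected over SSH or from a syslog/telemetry pipeline) instead of SAMPLE_OUTPUT, and alert when the exceeded or violated counters grow between two runs, since a steadily rising drop count on a management class can mean either that the 16000 bps rate is too low for legitimate SSH traffic or that someone is hammering the control plane.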


When configuring CPPr, the main difference is that you apply the policy to one of the control plane subinterfaces mentioned above instead of to the aggregate control plane (the host subinterface is shown below),

R1(config)#control-plane host
R1(config-cp-host)#service-policy input PM_POLICY_MAP


*Mar  1 00:14:06.227: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane host path


The above syslog message confirms that CPPr has been enabled on the host control plane subinterface.



