Control Plane Policing Topic Notes

Control Plane Policing

CoPP

  • Used to protect the CPU from Denial of Service attacks
  • Limits access to the entire control plane as an aggregate as opposed to separate sub-interfaces like CPPr
  • Configured using MQC (Modular QoS CLI):
    • Access List
    • Class Map
    • Policy Map
    • Service Policy
  • Applied on the control-plane interface
  • Doesn’t allow the use of:
    • NBAR (Network Based Application Recognition)
    • Input queueing

Access Lists

  • Defines the interesting traffic to control
  • Can be a standard ACL or an extended ACL
  • Example:
    • Match all traffic except from trusted host 10.1.1.1 using SSH
      • Commands:
        • (config)#access-list 100 deny tcp host 10.1.1.1 any eq ssh
        • (config)#access-list 100 permit ip any any

Class Map

  • Matches interesting traffic based on an ACL
  • Can match on any configured criterion (match-any) or on all configured criteria (match-all)
  • Example:
    • Match traffic based on access-list 100 or access-list 101
      • Commands:
        • (config)#class-map match-any traffic-police
        • (config-cmap)#match access-group 100
        • (config-cmap)#match access-group 101

Policy Map

  • Binds different class-maps to actions
  • Example:
    • On class-map traffic-police, police down to 8 kbps, and on class-map traffic-block, drop all the traffic
      • Commands:
        • (config)#policy-map CPP_POLICY
        • (config-pmap)#class traffic-police
        • (config-pmap-c)#police 8000
        • (config-pmap-c)#exit
        • (config-pmap)#class traffic-block
        • (config-pmap-c)#drop

Service Policy

  • Applies the policy-map to the control-plane interface
  • Example:
    • Commands:
      • (config)#control-plane
      • (config-cp)#service-policy input CPP_POLICY
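A complete CoPP configuration that puts the four steps above together (ACL, class-map, policy-map, service-policy), added here as a worked example and not part of the original notes. The 10.0.0.0/24 routing peers, the 10.1.1.0/24 management hosts, the class names and the police rates are assumptions; rates must be tuned to the device's measured baseline.

```cisco
! Added worked example (not from the original notes). Assumptions:
! routing peers in 10.0.0.0/24, trusted management hosts in 10.1.1.0/24,
! police rates are placeholders to be tuned per platform and baseline.
!
! 1. ACLs: classify traffic that reaches the CPU.
!    In CoPP, a "deny" line means "not in this class", it does not drop.
ip access-list extended COPP_ROUTING
 permit tcp 10.0.0.0 0.0.0.255 any eq bgp
 permit tcp 10.0.0.0 0.0.0.255 eq bgp any
 permit ospf 10.0.0.0 0.0.0.255 any
ip access-list extended COPP_MGMT
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit udp 10.1.1.0 0.0.0.255 any eq snmp
!
! 2. Class maps: one class per traffic type
class-map match-any COPP_ROUTING
 match access-group name COPP_ROUTING
class-map match-any COPP_MGMT
 match access-group name COPP_MGMT
!
! 3. Policy map: bind each class to a police action (rate in bps).
!    Routing is allowed to exceed its rate so bursts never drop adjacencies;
!    everything unclassified falls into class-default and is capped low.
policy-map CPP_POLICY
 class COPP_ROUTING
  police 512000 conform-action transmit exceed-action transmit
 class COPP_MGMT
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
! 4. Apply on the aggregate control-plane interface, input direction
control-plane
 service-policy input CPP_POLICY
!
! Verification: watch the conformed/exceeded counters per class and
! raise the rate of any legitimate class that shows exceeded drops.
! show policy-map control-plane all
! show access-lists COPP_ROUTING
```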

Control Plane Protection

CPPr

  • Limited to IPv4 input only
  • Allows the control of individual control-plane sub-interfaces
    • Control-plane host sub-interface
      • Handles traffic destined for the device's own interfaces
        • Loopback or physical interfaces
        • Traffic types include:
          • Management traffic
          • Tunnel termination traffic
          • Routing protocols
    • Control-plane transit sub-interface
      • Handles software switched traffic
        • Traffic traversing the device and not directly to the device
        • Traffic can include:
          • Non-terminating tunnel traffic
    • Control-plane cef-exception sub-interface
      • Handles all non-IP traffic
        • ARP, CDP, L2 Keepalives

  • Configured using MQC (Modular QoS CLI):
    • Does not support ACLs as a match criterion
    • Class Map
    • Policy Map
    • Service Policy

CPPr Method: Queue Thresholding

Queue Thresholding
  • Limits the number of packets a protocol can have at process-level
  • Prevents the input queue from being overwhelmed by a single protocol
  • Can only be applied to Host sub-interface
  • Protocol matching criteria:
    • BGP
    • DNS
    • FTP
    • HTTP
    • IGMP
    • SNMP
    • SSH
    • SYSLOG
    • TELNET
    • TFTP
    • Host protocols - All open ports not specifically matching or configured

CPPr Method: Port Filtering

Port Filtering
  • Provides a method of dropping packets directed at non-listening TCP/UDP ports early
  • Can only be applied to the Host sub-interface
  • Maintains a database of all open TCP/UDP ports on the device
  • Can also filter on open (application) ports, e.g. SNMP
  • Match Criteria:
    • TCP port
    • UDP port
    • Manual port
    • Closed Ports - all closed ports on the device

Class Map

  • Match interesting traffic based on NBAR to queue traffic to the control-plane
  • Match interesting traffic based on port to filter traffic going to the control-plane
  • Example:
    • Queue Thresholding Class Map
      • Commands:
        • (config)#class-map type queue-threshold match-any traffic-management
        • (config-cmap)#match protocol ssh
        • (config-cmap)#match protocol telnet
    • Port Filter Class Map
      • Commands:
        • (config)#class-map type port-filter match-any traffic-closed
        • (config-cmap)#match closed-ports

Policy Map

  • Binds different class-maps to actions
  • Example:
    • Queue Thresholding Policy Map
      • Commands:
        • (config)#policy-map type queue-threshold QUEUE_POLICY
        • (config-pmap)#class traffic-management
        • (config-pmap-c)#queue-limit <0-255>
    • Port Filter Policy Map
      • Commands:
        • (config)#policy-map type port-filter FILTER_POLICY
        • (config-pmap)#class traffic-closed
        • (config-pmap-c)#drop

Service Policy

  • Applies the policy-map to the control-plane host sub-interface
  • Example:
    • Queue Thresholding Service Policy
      • Commands:
        • (config)#control-plane host
        • (config-cp-host)#service-policy type queue-threshold input QUEUE_POLICY
    • Port Filter Service Policy
      • Commands:
        • (config)#control-plane host
        • (config-cp-host)#service-policy type port-filter input FILTER_POLICY

Management Interface

  • Can provide a dedicated management interface on the device
  • Handles management traffic such as Telnet, SSH, SNMP, etc.
  • All other management traffic will be dropped unless it arrives on this dedicated interface
  • Commands:
    • (config)#control-plane host
    • (config-cp-host)#management-interface <interface> allow <protocols>
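A complete CPPr host sub-interface configuration that combines the three mechanisms covered above (port filtering, queue thresholding and the dedicated management interface), added here as a worked example and not part of the original notes. GigabitEthernet0/0 as the management interface, the class and policy names and the queue limits are assumptions.

```cisco
! Added worked example (not from the original notes). Assumptions:
! GigabitEthernet0/0 is the dedicated management interface and the
! queue limits are illustrative values to be tuned per device.
!
! Port filter: drop packets for TCP/UDP ports the device is not listening on
! before they consume process-level resources.
class-map type port-filter match-any CPPR_CLOSED
 match closed-ports
policy-map type port-filter CPPR_PORT_FILTER
 class CPPR_CLOSED
  drop
!
! Queue threshold: cap how many packets each protocol may hold at process level.
! Management protocols get their own limit; host-protocols catches every other
! open port so no single protocol can monopolise the input queue.
class-map type queue-threshold match-any CPPR_MGMT
 match protocol ssh
 match protocol snmp
class-map type queue-threshold match-any CPPR_OTHER
 match host-protocols
policy-map type queue-threshold CPPR_QUEUE
 class CPPR_MGMT
  queue-limit 100
 class CPPR_OTHER
  queue-limit 25
!
! Apply both policies on the host sub-interface (IPv4 input only) and pin
! SSH/SNMP to the management interface; the same protocols arriving on any
! other interface are dropped.
control-plane host
 service-policy type port-filter input CPPR_PORT_FILTER
 service-policy type queue-threshold input CPPR_QUEUE
 management-interface GigabitEthernet0/0 allow ssh snmp
!
! Verification
! show policy-map type port-filter control-plane host
! show policy-map type queue-threshold control-plane host
! show management-interface
```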

Troubleshooting Commands

  • #show policy-map control-plane all – Displays the control plane policy-map applied
