Thursday, 8 November 2012

CoPP

CoPP - (Control Plane Policing)

I suffered two days trying to make this work but missed a fundamental step.

Telnet traffic passing through the control plane that is destined for another device (transit traffic, not traffic to the router itself) should have its control-plane service-policy applied in the "output" direction.

A bit of theory on CoPP
(Taken from - https://sites.google.com/site/amitsciscozone/home/qos/copp---control-plane-policing)

CoPP - Control Plane Policing

Definitions:
  • Control Plane (CP): A collection of processes that run at the process level on the route processor (RP). These processes collectively provide high-level controls for most IOS functions.
  • Central Switch Engine: A device that is responsible for high-speed routing of IP packets. It also performs high-speed input and output services for non-distributed line cards.
  • Distributed Switch Engine: A device that is responsible for high-speed routing of IP packets on distributed line cards without using resources from the Central Switch Engine.

All packets that are destined for the CP must pass through the Central Switch Engine before they are forwarded to the process level. The CP and Central Switch Engine are part of the Route Processor (RP).


Overview:

The Control Plane Policing feature allows users to configure a QoS filter that manages the traffic flow of control plane packets to protect the CP of Cisco IOS routers and switches against various attacks like Denial-of-Service (DoS).

The CoPP feature treats the CP as a separate entity with its own input and output ports. Hence a set of rules can be established and associated to the input and output ports of the CP. These rules are only applied if the packets are destined for the CP or they exit from the CP.

Input CP services are executed after input port services and a routing decision on the input path have been made. CP security and packet QoS are applied at:

  1. Aggregate CP Services: the aggregate level, by the Central Switch Engine, applied to all CP packets received from all line cards on the router.
  2. Distributed CP Services: the distributed level, by the Distributed Switch Engine of a line card, applied to all CP packets received from all line cards on the router.

Types of packets forwarded to CP:

The following L3 packets are forwarded to the CP and processed by aggregate and distributed control plane policing:

  1. Routing protocol control packets 
  2. Packets destined for the local IP address of the router
  3. Packets from management protocols like SNMP, Telnet and SSH.


Topology (diagram not reproduced; recovered from the configurations below): R4 Fa0/0 (10.20.0.1) -- Fa0/0 (10.20.0.2) R5 Fa0/1 (10.10.0.2) -- Fa0/1 (10.10.0.1) R6

R4

interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback1
 ip address 40.0.0.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.20.0.1 255.255.255.0
!
router ospf 1
 redistribute connected subnets
 network 10.20.0.0 0.0.0.255 area 0
 default-information originate

R5

class-map match-any TELNET
 match access-group name TELNET
class-map match-any RATE.LIMIT
 match access-group name RATE.LIMIT
!
policy-map CoPP
 class TELNET
  drop
 class RATE.LIMIT
  police 8000 conform-action transmit exceed-action drop violate-action drop
!
interface FastEthernet0/0
 ip address 10.20.0.2 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.0.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.0.0 0.0.0.255 area 0
 network 10.20.0.0 0.0.0.255 area 0
!
ip access-list extended RATE.LIMIT
 permit icmp host 4.4.4.4 host 6.6.6.6
ip access-list extended TELNET
 permit tcp host 4.4.4.4 host 6.6.6.6 eq telnet

R6

interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/1
 ip address 10.10.0.1 255.255.255.0
!
router ospf 1
 redistribute connected subnets
 network 10.10.0.0 0.0.0.255 area 0

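The R5 configuration above does not show where the CoPP policy-map is attached. The binding below is an added example, not part of the original post; it uses the policy and interface names from the page and applies the lesson stated at the top, that for transit Telnet the policy must be bound in the output direction. The verification commands are standard IOS show commands; the telnet/ping invocations are only suggested ways to generate the traffic the ACLs match.

```cisco
! R5 - attach the CoPP policy-map to the control plane in the OUTPUT direction.
! Fa0/0 carries "no ip route-cache", so packets arriving from R4 on that
! interface are process-switched and therefore traverse the route processor.
! The post's finding is that this transit traffic is only matched by the
! TELNET / RATE.LIMIT classes when the policy is applied as output.
control-plane
 service-policy output CoPP
!
! Generate matching traffic from R4 (source must be Lo0 = 4.4.4.4 to hit the ACLs):
!   R4# telnet 6.6.6.6 /source-interface Loopback0   -> class TELNET, dropped
!   R4# ping 6.6.6.6 source 4.4.4.4 repeat 100        -> class RATE.LIMIT, policed to 8000 bps
!
! Verify on R5 that the classes are being hit and packets are being dropped:
!   R5# show policy-map control-plane     - per-class packet/byte and drop counters
!   R5# show access-lists TELNET          - ACE match counts for the classifier
!   R5# show access-lists RATE.LIMIT
```

If the counters in `show policy-map control-plane` stay at zero while the Telnet session still connects, check that the policy was bound as `output` and not `input`.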
