Recently I was tasked with implementing Control Plane Policing on a Cisco 6500 with a Sup720-3BXL. This proved to be more complicated than at first thought.
Background: CoPP was first introduced as Control Plane Policing and later extended with the more granular Control Plane Protection (CPPr). This post deals with Control Plane Policing, as Control Plane Protection is not available in the version of IOS I was working with (Advanced IP Services 12.2(33)). The control plane is where traffic destined for the device itself is processed: routing protocol sessions, telnet, SSH, SNMP, ICMP to the router's own addresses and so on. Anything passing through the device traverses the data plane instead. A router or switch can itself be the target of an attack, and a flood of packets aimed at its control plane can exhaust the route processor and take routing, management and forwarding down with it, so it is worthwhile locking the control plane down to legitimate traffic at legitimate rates. With the increase in DDoS attacks this is something more and more organisations are realising they can no longer ignore.
Implementation: For configuration purposes the control plane is treated as an interface through which any traffic destined for the device must pass. Such traffic can enter through any physical interface, but before the route processor handles it, it passes through the control plane "interface". Consequently it is a simple case of applying a service policy to this interface to filter the different traffic types and deal with each accordingly. Traffic is matched using access lists, classified using class-maps, and policed using policy-maps, following the standard MQC model. The policy-map is then applied to the control plane "interface" as a service policy. Cisco have a best-practice white paper on the subject, although I found their implementation problematic on a 6500 switch.
It can be found here: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
Another resource I borrowed heavily from (in order to achieve a working config) can be found here: http://aharp.ittns.northwestern.edu/papers/copp.html
Set-up and Configuration: The first step is to classify the types of traffic the device should receive. I opted for five classes: critical, important, normal, undesirable, and default. An access list matches the traffic for each class. For example:
Critical
Critical traffic is essentially routing protocols. Routing protocols maintain the integrity of the network and ideally should not be policed, since a dropped burst of legitimate updates can cost you adjacencies. Note the flip side: because this class is not policed, anything its access list permits reaches the route processor unrestricted, and the BGP entry below permits TCP to port 179 from any source with a high source port. Where you can, restrict these entries to the addresses of your actual peers rather than any.
ip access-list extended critical-in
 remark Control plane critical traffic - inbound
 remark BGP
 permit tcp any gt 1024 any eq bgp
 permit tcp any eq bgp any gt 1024 established
 remark LDP
 permit tcp any any eq 646
 permit udp any any eq 646
 remark OSPF
 permit ospf any any
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
 deny ip any any
Important
Important traffic here is management traffic: management access and network monitoring. The source and destination addresses of the management hosts and servers were removed from the listing below and are shown as placeholders in angle brackets; in a real deployment these entries should be restricted to your management stations and servers, not opened to any.
ip access-list extended important-in
 remark Control plane important traffic - inbound
 remark <...> marks an address removed from this post; fill in your own hosts
 remark TELNET
 permit tcp <mgmt-hosts> any eq telnet
 permit tcp <hosts> eq telnet any established
 remark SSH
 permit tcp <mgmt-hosts> any eq 22
 permit tcp <hosts> eq 22 any established
 remark SNMP
 permit udp <snmp-hosts> any eq snmp
 permit udp <syslog-hosts> any eq syslog
 remark NTP
 permit udp host <ntp-server-1> any eq ntp
 permit udp host <ntp-server-2> any eq ntp
 permit udp <tftp-hosts> any eq tftp
 deny ip any any
Normal
In this instance normal traffic includes ICMP and GRE. The ICMP error types are kept so that path MTU discovery and traceroute keep working; note that unreachable already covers port-unreachable and time-exceeded already covers ttl-exceeded, so two of the entries below are redundant but harmless.
ip access-list extended normal-in
 remark Control plane normal traffic - inbound
 remark ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any port-unreachable
 permit icmp any any parameter-problem
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark GRE
 permit gre any any
 deny ip any any
Undesirable
Undesirable traffic is traffic that is known to be malicious or that the device has no business receiving: fragments aimed at the control plane, udp/1434 (the port abused by the SQL Slammer worm), TCP resets to MSDP (tcp/639) and BGP (tcp/179), and SNMP traps sent to the device. Because this class sits below critical-in, important-in and normal-in in the policy-map, it only ever sees packets that none of those classes claimed; see the note on class order below.
ip access-list extended undesirable-in
 remark Control plane undesirable traffic - inbound
 remark non-initial fragments
 permit icmp any any fragments
 permit udp any any fragments
 permit tcp any any fragments
 permit ip any any fragments
 remark SQL Slammer
 permit udp any any eq 1434
 remark resets to MSDP and BGP
 permit tcp any any eq 639 rst
 permit tcp any any eq bgp rst
 remark SNMP traps
 permit udp any any eq snmptrap
 deny ip any any
Default
This is a standard access list to catch everything else.
access-list 2 remark utility ACL to allow everything
access-list 2 permit any
Set-up Class Maps: The access lists are then assigned to class maps:
class-map match-all normal-in
 description Control plane normal traffic
 match access-group name normal-in
class-map match-all critical-in
 description Control plane critical traffic
 match access-group name critical-in
class-map match-any undesirable-in
 description Control plane undesirable traffic
 match access-group name undesirable-in
class-map match-all important-in
 description Control plane important traffic
 match access-group name important-in
class-map match-all default-in
 description Control plane default traffic
 match access-group 2
Set-up Policy Map: The class maps are assigned to a policy map.
policy-map control-plane-in
 class critical-in
 class important-in
  police 400000 200000 200000 conform-action transmit exceed-action drop
 class normal-in
  police 400000 200000 200000 conform-action transmit exceed-action drop
 class undesirable-in
  police 400000 200000 200000 conform-action transmit exceed-action drop
 class default-in
  police 400000 200000 200000 conform-action transmit exceed-action drop
The policy-map evaluates its classes in order, top to bottom, and a packet is handled by the first class whose access list permits it. The critical-in class has no police statement, so anything it matches is not policed at all. Traffic that the critical-in access list denies or does not match falls through to important-in, where matching traffic is policed; whatever that class does not match falls through to the next, ending with default-in, which catches everything else. Two consequences of this order are worth checking before you rely on the undesirable-in class. First, an entry there only sees packets that none of the earlier classes claimed: a TCP RST to port 179 from a source port above 1024 matches "permit tcp any gt 1024 any eq bgp" in critical-in and is forwarded unpoliced, never reaching "permit tcp any any eq bgp rst"; likewise IOS cannot check ports on a non-initial fragment and treats a permit entry that carries port information as a match for it, so the fragments entries are largely shadowed by the earlier classes as well. If you want those entries to bite, undesirable-in has to come first. Second, undesirable-in is here allowed the same 400 kbps as normal traffic; if the intent is to discard it outright, use conform-action drop exceed-action drop for that class.
My initial configuration policed the critical-in class as well (matching routing protocols), but for some reason this impacted LDP packets, tearing down MPLS. I have yet to understand why this was the case, as no traffic was dropped via the class-map exceed-action, and udp/tcp 646 was being matched.
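As an added illustration of the class order described above (this code is not from the original post and is not a Cisco tool), the following Python models the top-down walk through the policy-map and through each class's access list, using the post's own lists (important-in abridged, with any standing in for the management-host addresses that were removed from the post). It also implements the IOS rule for non-initial fragments against entries that carry port or flag information, which is what leaves the fragments entries in undesirable-in shadowed at the bottom of the policy. The packets in demo() are constructed for the demonstration.

```python
"""Added example (not code from the original post): a model of how IOS walks
a CoPP policy-map class by class, and each class's ACL entry by entry, to
show which class a packet lands in.  Only the ACE syntax the post uses is
supported, plus the IOS rule for non-initial fragments.  Addresses are not
modelled (the post's lists use 'any' throughout)."""
from dataclasses import dataclass

PORT_NAMES = {"bgp": 179, "telnet": 23, "snmp": 161, "syslog": 514,
              "ntp": 123, "tftp": 69, "snmptrap": 162}

@dataclass
class Packet:
    proto: str                  # tcp, udp, icmp, ospf, gre
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""         # e.g. "echo"
    ack: bool = False           # 'established' matches ACK or RST
    rst: bool = False
    noninitial_fragment: bool = False

def parse_ace(line):
    """Parse 'permit tcp any gt 1024 any eq bgp [established|rst|fragments|<icmp-type>]'."""
    tok, i = line.split(), 2    # tok[0] action, tok[1] protocol
    def addr():                 # consume 'any' or 'host A.B.C.D' (not matched on)
        nonlocal i
        i += 2 if tok[i] == "host" else 1
    def portop():               # consume an optional 'eq|gt PORT'
        nonlocal i
        if i < len(tok) and tok[i] in ("eq", "gt"):
            op, name = tok[i], tok[i + 1]
            i += 2
            return op, PORT_NAMES.get(name) or int(name)
        return None
    addr(); sp = portop(); addr(); dp = portop()
    return {"action": tok[0], "proto": tok[1], "sp": sp, "dp": dp, "flags": set(tok[i:])}

def _port_ok(op, port):
    return op is None or (port == op[1] if op[0] == "eq" else port > op[1])

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    flags = ace["flags"] - {"fragments"}
    if "fragments" in ace["flags"]:         # keyword: non-initial fragments only
        return pkt.noninitial_fragment
    if pkt.noninitial_fragment:
        # IOS cannot inspect ports/flags of a non-initial fragment: a permit
        # entry with layer-4 info counts as a match, a deny entry is skipped.
        return ace["action"] == "permit" or not (ace["sp"] or ace["dp"] or flags)
    if not (_port_ok(ace["sp"], pkt.sport) and _port_ok(ace["dp"], pkt.dport)):
        return False
    for f in flags:
        if f == "established" and not (pkt.ack or pkt.rst):
            return False
        if f == "rst" and not pkt.rst:
            return False
        if f not in ("established", "rst") and f != pkt.icmp_type:
            return False                    # ICMP type name
    return True

def acl_permits(acl, pkt):
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False                            # implicit deny

def classify(policy, pkt):
    """Name of the first class (in policy-map order) whose ACL permits pkt."""
    for name, acl in policy:
        if acl_permits(acl, pkt):
            return name
    return "class-default"

def _acl(text):
    return [parse_ace(e) for e in text.split(";")]

# The post's class order; important-in abridged, 'any' in place of removed hosts.
POLICY = [
    ("critical-in", _acl("permit tcp any gt 1024 any eq bgp; permit tcp any eq bgp any gt 1024 established;"
                         "permit tcp any any eq 646; permit udp any any eq 646; permit ospf any any; deny ip any any")),
    ("important-in", _acl("permit tcp any any eq telnet; permit tcp any eq telnet any established;"
                          "permit tcp any any eq 22; permit udp any any eq snmp; permit udp any eq ntp any; deny ip any any")),
    ("normal-in", _acl("permit icmp any any echo; permit icmp any any echo-reply; permit icmp any any unreachable;"
                       "permit gre any any; deny ip any any")),
    ("undesirable-in", _acl("permit icmp any any fragments; permit udp any any fragments; permit tcp any any fragments;"
                            "permit ip any any fragments; permit udp any any eq 1434; permit tcp any any eq 639 rst;"
                            "permit tcp any any eq bgp rst; permit udp any any eq snmptrap; deny ip any any")),
    ("default-in", _acl("permit ip any any")),
]

def demo():
    """Classify constructed packets; shows undesirable-in entries shadowed by critical-in."""
    cases = {
        "bgp rst from high port": Packet("tcp", 40000, 179, rst=True),
        "tcp non-initial fragment": Packet("tcp", noninitial_fragment=True),
        "icmp echo": Packet("icmp", icmp_type="echo"),
        "udp 1434 (slammer)": Packet("udp", 50000, 1434),
        "udp 5000": Packet("udp", 5000, 5000),
    }
    return {name: classify(POLICY, p) for name, p in cases.items()}
```

demo() puts both the BGP RST and the TCP fragment into critical-in, unpoliced, and only the udp/1434 packet into undesirable-in. Move the undesirable-in tuple to the front of POLICY and the same two packets land in undesirable-in instead, while the ICMP echo still ends up in normal-in.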
Apply Policy Map: It is obviously important to test the configuration before deploying it in a live environment. A safe way to do that is to apply the policy first with exceed-action transmit on every policed class, so that the counters build up while nothing is dropped, review show policy-map control-plane against real traffic for a while, and only then change exceed-action to drop. Keep in mind that on the Sup720 the policer runs in hardware on each forwarding engine (the PFC and every DFC-equipped line card) independently, so the configured rate is per engine rather than a total for the switch. Applying the policy map to the control plane is then very simple:
control-plane
 service-policy input control-plane-in
Monitoring and testing: Not too much to report back with, however the following commands are useful:
show policy-map control-plane
show ip access-list
The first gives, per class and per forwarding engine, the bytes that conformed (transmitted) and exceeded (dropped); a steadily growing exceeded counter on a class that carries legitimate traffic means the rate for that class is too low.
You can also generate load by pinging the switch from another device with a high repeat count and large packets. Once the offered rate goes above the policed rate, dropped echoes (the dots in the output below) appear in a regular pattern:
Router#ping repeat 10000 size 1500
Type escape sequence to abort.
Sending 10000, 1500-byte ICMP Echos to , timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Router#show policy-map control-plane | b class-map: normal-in
    class-map: normal-in (match-all)
      Match: access-group name normal-in
      police :
        400000 bps 200000 limit 200000 extended limit
      Earl in slot 5 :
        56132370 bytes
        5 minute offered rate 197448 bps
        aggregate-forwarded 55964652 bytes action: transmit
        exceeded 167718 bytes action: drop
        aggregate-forward 502096 bps exceed 3704 bps
Here 55964652 bytes conformed and were forwarded while 167718 bytes exceeded the policer and were dropped. The 5 minute offered rate is an average, so it can read well below the policed rate while short bursts are still being clipped.
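For the monitoring side, an added example (again not from the original post): a Python parser for show policy-map control-plane output that collects the per-class, per-forwarding-engine counters and flags classes that are unpoliced or dropping. The sample text is constructed to follow the layout of the Sup720 output above; the exact indentation, the second forwarding engine (slot 1) and the 0.1% drop threshold are this example's own assumptions.

```python
"""Added example (not code from the original post): parse the output of
'show policy-map control-plane' into per-class, per-forwarding-engine
counters and flag the classes worth looking at.  SAMPLE is constructed to
follow the layout of the Sup720 output in the post (each 'Earl in slot N'
block is the hardware policer on one forwarding engine); its indentation
and the slot 1 block are this example's assumptions.
"""
import re

SAMPLE = """\
Control Plane

  Service-policy input: control-plane-in

    class-map: critical-in (match-all)
      Match: access-group name critical-in

    class-map: normal-in (match-all)
      Match: access-group name normal-in
      police :
        400000 bps 200000 limit 200000 extended limit
      Earl in slot 5 :
        56132370 bytes
        5 minute offered rate 197448 bps
        aggregate-forwarded 55964652 bytes action: transmit
        exceeded 167718 bytes action: drop
        aggregate-forward 502096 bps exceed 3704 bps
      Earl in slot 1 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
"""

PATTERNS = {
    "class": re.compile(r"class-map: (\S+)"),
    "rate": re.compile(r"(\d+) bps (\d+) limit (\d+) extended limit"),
    "slot": re.compile(r"Earl in slot (\d+)"),
    "forwarded": re.compile(r"aggregate-forwarded (\d+) bytes"),
    "exceeded": re.compile(r"exceeded (\d+) bytes"),
    "rates": re.compile(r"aggregate-forward (\d+) bps exceed (\d+) bps"),
}

def parse_copp(text):
    """Return {class: {'rate_bps': int|None, 'burst': (normal, extended)|None,
    'slots': {slot: {forwarded_bytes, exceeded_bytes, forward_bps, exceed_bps}}}}."""
    stats, cls, slot = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PATTERNS["class"].match(line):
            cls, slot = m.group(1), None
            stats[cls] = {"rate_bps": None, "burst": None, "slots": {}}
        elif cls is None:
            pass                                # header lines before the first class
        elif m := PATTERNS["rate"].match(line):
            stats[cls]["rate_bps"] = int(m.group(1))
            stats[cls]["burst"] = (int(m.group(2)), int(m.group(3)))
        elif m := PATTERNS["slot"].match(line):
            slot = int(m.group(1))
            stats[cls]["slots"][slot] = {"forwarded_bytes": 0, "exceeded_bytes": 0,
                                         "forward_bps": 0, "exceed_bps": 0}
        elif slot is not None:
            eng = stats[cls]["slots"][slot]
            if m := PATTERNS["forwarded"].match(line):
                eng["forwarded_bytes"] = int(m.group(1))
            elif m := PATTERNS["exceeded"].match(line):
                eng["exceeded_bytes"] = int(m.group(1))
            elif m := PATTERNS["rates"].match(line):
                eng["forward_bps"], eng["exceed_bps"] = int(m.group(1)), int(m.group(2))
    return stats

def drop_ratio(engine):
    """Fraction of bytes this engine dropped for the class."""
    total = engine["forwarded_bytes"] + engine["exceeded_bytes"]
    return engine["exceeded_bytes"] / total if total else 0.0

def report(stats, max_ratio=0.001):
    """Classes with no policer at all, and classes dropping more than
    max_ratio of their bytes on any forwarding engine."""
    unpoliced = sorted(c for c, v in stats.items() if v["rate_bps"] is None)
    dropping = sorted(c for c, v in stats.items()
                      if any(drop_ratio(e) > max_ratio for e in v["slots"].values()))
    return {"unpoliced": unpoliced, "dropping": dropping}
```

report(parse_copp(SAMPLE)) lists critical-in as unpoliced and normal-in as dropping (about 0.3% of its bytes on the engine in slot 5). Run it periodically against the live output and diff the exceeded counters to see which classes are being clipped between runs.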