Control Plane (CP): A collection of processes that run at the process level on the route-processor (RP). These processes collectively provide high-level controls for most IOS functions.
Central Switch Engine: A device that is responsible for high-speed routing of IP packets. It also performs high-speed input and output services for non-distributed line cards.
Distributed Switch Engine: A device that is responsible for high-speed routing of IP packets on distributed line cards without using resources from Central Switch Engine.
All packets that are destined for CP must pass through the Central Switch Engine before they are forwarded to the process level. The CP and Central Switch Engine are part of the Route Processor (RP).
The Control Plane Policing feature allows users to configure a QoS filter that manages the traffic flow of control plane packets to protect the CP of Cisco IOS routers and switches against various attacks like Denial-of-Service (DoS).
The CoPP feature treats the CP as a separate entity with its own input and output ports. Hence a set of rules can be established and associated to the input and output ports of the CP. These rules are only applied if the packets are destined for the CP or they exit from the CP.
Input CP services are executed after input port services and a routing decision on the input path have been made. CP security and packet QoS are applied on-
Aggregate CP Services: An aggregate level by the Central Switch Engine and applied to all CP packets received from all line cards on the router
Distributed CP Services: A distributed level by the Distributed Switch Engine of a line card and applied to all applied to all CP packets received from all line cards on the router.
Types of packets forwarded to CP:
The following L3 packets are forwarded to the CP and processed by aggregate and distributed control plane policing-
Routing protocol control packets
Packets destined for the local IP address of the router
Packets from management protocols like SNMP, Telnet & SSH.
All Telnet traffic with source address 220.127.116.11 is allowed without constraint, however, any remaining Telnet traffic is policed at the specified rate.
ip access-list extended CoPP_traffic deny tcp host 18.104.22.168 host 22.214.171.124 eq telnet ! Allow this traffic unconstrained permit tcp any any eq telnet ! Rate-limit this traffic ! class-map Telnet_class match access-group name CoPP_traffic ! policy-map CoPP_policy class Telnet_class police cir 8000 conform-action transmit exceed-action drop ! control-plane service-policy input CoPP_policy !
When a Telnet connection is initiated to 126.96.36.199 with source address 10.1.1.1, it matches the access-list and policing is imposed upon the traffic since the source address is not 188.8.131.52
debug ip packet detail
IP: s=10.1.1.1 (Serial0/0), d=184.108.40.206, len 44, rcvd 4 TCP src=60033, dst=23, seq=2907233763, ack=0, win=4128 SYN IP: s=220.127.116.11 (local), d=10.1.1.1 (Serial0/0), len 44, sending TCP src=23, dst=60033, seq=3862546484, ack=2907233764, win=4128 ACK SYN IP: s=10.1.1.1 (Serial0/0), d=18.104.22.168, len 40, rcvd 4 TCP src=60033, dst=23, seq=2907233764, ack=3862546485, win=4128 ACK
show policy-map control-plane is used to display the service-policy associated to the control-plane. It also shows the packets that matched the class-map. This can be verified using
show access-list command too.
R2# show policy-map control-plane Control Plane Service-policy input: CoPP_policy Class-map: Telnet_class (match-all) 62 packets, 2866 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: access-group name CoPP_traffic police: cir 8000 bps, bc 1500 bytes conformed 62 packets, 2866 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop conformed 0 bps, exceed 0 bps Class-map: class-default (match-any) 38 packets, 2944 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: anyR2# show access-list Extended IP access list CoPP_traffic 10 deny tcp host 22.214.171.124 host 126.96.36.199 eq telnet 20 permit tcp any any eq telnet (62 matches)