Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
6812
Views
0
Helpful
0
Comments

CoPP - Control Plane Policing

vivkalra
Level 1
Level 1

‎12-12-2009 08:31 PM - edited ‎03-12-2019 09:25 AM

CoPP - Control Plane Policing

Definitions:

  • Control Plane (CP): A collection of processes that run at the process level on the route-processor (RP). These processes collectively provide high-level controls for most IOS functions.
  • Central Switch Engine: A device that is responsible for high-speed routing of IP packets. It also performs high-speed input and output services for non-distributed line cards.
  • Distributed Switch Engine: A device that is responsible for high-speed routing of IP packets on distributed line cards without using resources from Central Switch Engine.

       

  All packets that are destined for CP must pass through the Central Switch Engine before they are forwarded to the process level. The CP and Central Switch Engine are part of the Route Processor (RP).

Overview:

The Control Plane Policing feature allows users to configure a QoS filter that manages the traffic flow of control plane packets to protect the CP of Cisco IOS routers and switches against various attacks like Denial-of-Service (DoS).

The CoPP feature treats the CP as a separate entity with its own input and output ports. Hence a set of rules can be established and associated to the input and output ports of the CP. These rules are only applied if the packets are destined for the CP or they exit from the CP.

Input CP services are executed after input port services and a routing decision on the input path have been made. CP security and packet QoS are applied on-

  1. Aggregate CP Services: An aggregate level by the Central Switch Engine and applied to all CP packets received from all line cards on the router
  2. Distributed CP Services: A distributed level by the Distributed Switch Engine of a line card and applied to all applied to all CP packets received from all line cards on the router.

Types of packets forwarded to CP:

The following L3 packets are forwarded to the CP and processed by aggregate and distributed control plane policing-

  1. Routing protocol control packets
  2. Packets destined for the local IP address of the router
  3. Packets from management protocols like SNMP, Telnet & SSH.

CoPP Configuration:

All Telnet traffic with source address 1.1.1.1 is allowed without constraint, however, any remaining Telnet traffic is policed at the specified rate.

CoPP Configuration

ip access-list extended CoPP_traffic
deny tcp host 1.1.1.1 host 2.2.2.2 eq telnet ! Allow this traffic unconstrained
permit tcp any any eq telnet                 ! Rate-limit this traffic
!
class-map Telnet_class
match access-group name CoPP_traffic
!
policy-map CoPP_policy
class Telnet_class
  police cir 8000
   conform-action transmit
   exceed-action drop
!
control-plane
service-policy input CoPP_policy
!

When a Telnet connection is initiated to 2.2.2.2 with source address 10.1.1.1, it matches the access-list and policing is imposed upon the traffic since the source address is not 1.1.1.1

debug ip packet detail

IP: s=10.1.1.1 (Serial0/0), d=2.2.2.2, len 44, rcvd 4
     TCP src=60033, dst=23, seq=2907233763, ack=0, win=4128 SYN
IP: s=2.2.2.2 (local), d=10.1.1.1 (Serial0/0), len 44, sending
     TCP src=23, dst=60033, seq=3862546484, ack=2907233764, win=4128 ACK SYN
IP: s=10.1.1.1 (Serial0/0), d=2.2.2.2, len 40, rcvd 4
     TCP src=60033, dst=23, seq=2907233764, ack=3862546485, win=4128 ACK

The

show policy-map control-plane is used to display the service-policy associated to the control-plane. It also shows the packets that matched the class-map. This can be verified using

show access-list command too.

Policy-map verification

R2# show policy-map control-plane
Control Plane

  Service-policy input: CoPP_policy

    Class-map: Telnet_class (match-all)
      62 packets, 2866 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name CoPP_traffic
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 62 packets, 2866 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      38 packets, 2944 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

R2# show access-list
Extended IP access list CoPP_traffic
    10 deny tcp host 1.1.1.1 host 2.2.2.2 eq telnet
    20 permit tcp any any eq telnet (62 matches)
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents