Control Plane (CP): A collection of processes that run at the process level on the route-processor (RP). These processes collectively provide high-level controls for most IOS functions.
Central Switch Engine: A device that is responsible for high-speed routing of IP packets. It also performs high-speed input and output services for non-distributed line cards.
Distributed Switch Engine: A device that is responsible for high-speed routing of IP packets on distributed line cards without using resources from Central Switch Engine.
All packets that are destined for CP must pass through the Central Switch Engine before they are forwarded to the process level. The CP and Central Switch Engine are part of the Route Processor (RP).
The Control Plane Policing feature allows users to configure a QoS filter that manages the traffic flow of control plane packets to protect the CP of Cisco IOS routers and switches against various attacks like Denial-of-Service (DoS).
The CoPP feature treats the CP as a separate entity with its own input and output ports. Hence a set of rules can be established and associated to the input and output ports of the CP. These rules are only applied if the packets are destined for the CP or they exit from the CP.
Input CP services are executed after input port services and a routing decision on the input path have been made. CP security and packet QoS are applied at two levels:
- Aggregate CP Services: applied at the aggregate level by the Central Switch Engine to all CP packets received from all line cards on the router.
- Distributed CP Services: applied at the distributed level by the Distributed Switch Engine of a line card to the CP packets received on that line card.
Types of packets forwarded to CP:
The following L3 packets are forwarded to the CP and processed by aggregate and distributed control plane policing:
- Routing protocol control packets
- Packets destined for the local IP address of the router
- Packets from management protocols like SNMP, Telnet and SSH
All Telnet traffic with source address 18.104.22.168 is allowed without constraint (the deny entry in the ACL means it does not match the class and is therefore not policed); any remaining Telnet traffic is policed at the specified rate.

ip access-list extended CoPP_traffic
 ! Allow this traffic unconstrained
 deny tcp host 22.214.171.124 host 126.96.36.199 eq telnet
 ! Rate-limit this traffic
 permit tcp any any eq telnet
!
class-map Telnet_class
 match access-group name CoPP_traffic
!
policy-map CoPP_policy
 class Telnet_class
  police cir 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP_policy
!
When a Telnet connection is initiated to 188.8.131.52 with source address 10.1.1.1, it matches the access-list and policing is imposed on the traffic, since the source address is not 184.108.40.206.

debug ip packet detail
IP: s=10.1.1.1 (Serial0/0), d=220.127.116.11, len 44, rcvd 4
    TCP src=60033, dst=23, seq=2907233763, ack=0, win=4128 SYN
IP: s=18.104.22.168 (local), d=10.1.1.1 (Serial0/0), len 44, sending
    TCP src=23, dst=60033, seq=3862546484, ack=2907233764, win=4128 ACK SYN
IP: s=10.1.1.1 (Serial0/0), d=22.214.171.124, len 40, rcvd 4
    TCP src=60033, dst=23, seq=2907233764, ack=3862546485, win=4128 ACK
show policy-map control-plane displays the service-policy attached to the control plane, including the packet counters for each class-map. The same matches can be verified with show access-list, whose hit counter on the permit entry corresponds to the packets policed by the class.

R2# show policy-map control-plane
Control Plane

Service-policy input: CoPP_policy

Class-map: Telnet_class (match-all)
  62 packets, 2866 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: access-group name CoPP_traffic
  police:
      cir 8000 bps, bc 1500 bytes
    conformed 62 packets, 2866 bytes; actions:
      transmit
    exceeded 0 packets, 0 bytes; actions:
      drop
    conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
  38 packets, 2944 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: any

R2# show access-list
Extended IP access list CoPP_traffic
    10 deny tcp host 126.96.36.199 host 188.8.131.52 eq telnet
    20 permit tcp any any eq telnet (62 matches)
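The counters above are what an operator polls to see whether the CoPP policer is actually dropping traffic. The following is an added example, not code from the original page or from Cisco: a small Python parser for the show policy-map control-plane format shown above, plus a helper that compares two snapshots so the cumulative exceeded counter becomes a per-interval drop signal. The two sample outputs are constructed to mirror the page's format; the second one's 17 exceeded packets are invented to exercise the drop path, and the class names follow the configuration above.

```python
"""Parse 'show policy-map control-plane' output and surface CoPP policer drops.

Added example, not from the original page or Cisco. The sample outputs are
constructed (not real captures); their counters are illustrative only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed snapshot in the format of the page's show output.
SAMPLE_T0 = """\
Control Plane

Service-policy input: CoPP_policy

Class-map: Telnet_class (match-all)
  62 packets, 2866 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: access-group name CoPP_traffic
  police:
      cir 8000 bps, bc 1500 bytes
    conformed 62 packets, 2866 bytes; actions:
      transmit
    exceeded 0 packets, 0 bytes; actions:
      drop
    conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
  38 packets, 2944 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: any
"""

# Constructed second snapshot: 17 Telnet packets have since exceeded the 8000 bps CIR.
SAMPLE_T1 = (SAMPLE_T0
             .replace("  62 packets, 2866 bytes", "  79 packets, 3886 bytes")
             .replace("exceeded 0 packets, 0 bytes", "exceeded 17 packets, 1020 bytes"))


@dataclass
class ClassStats:
    name: str
    packets: int = 0                  # total packets matched by the class-map
    conformed: Optional[int] = None   # None when the class carries no police action
    exceeded: Optional[int] = None


CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
TOTAL_RE = re.compile(r"^\s*(\d+) packets, \d+ bytes")   # the class total line
CONF_RE = re.compile(r"^\s*conformed (\d+) packets")
EXC_RE = re.compile(r"^\s*exceeded (\d+) packets")


def parse_copp(text: str) -> Dict[str, ClassStats]:
    """Return per-class counters keyed by class-map name."""
    stats: Dict[str, ClassStats] = {}
    cur: Optional[ClassStats] = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = ClassStats(m.group(1))
            stats[cur.name] = cur
            continue
        if cur is None:
            continue
        if (m := TOTAL_RE.match(line)):
            cur.packets = int(m.group(1))
        elif (m := CONF_RE.match(line)):
            cur.conformed = int(m.group(1))
        elif (m := EXC_RE.match(line)):
            cur.exceeded = int(m.group(1))
    return stats


def new_drops(prev: Dict[str, ClassStats], cur: Dict[str, ClassStats]) -> Dict[str, int]:
    """Growth of the exceeded counter per policed class between two polls.

    The counters are cumulative, so a non-zero exceeded value alone only says
    that drops happened at some point; the delta between polls is the signal.
    """
    drops: Dict[str, int] = {}
    for name, c in cur.items():
        if c.exceeded is None:        # class without a policer: nothing to drop
            continue
        before = prev[name].exceeded if name in prev and prev[name].exceeded is not None else 0
        delta = c.exceeded - before
        if delta < 0:                 # counters were cleared; treat current value as fresh
            delta = c.exceeded
        if delta > 0:
            drops[name] = delta
    return drops


def alert_lines(drops: Dict[str, int]) -> List[str]:
    """One human-readable line per class that dropped packets since the last poll."""
    return [f"CoPP drops: class {n} exceeded policer by {d} packets since last poll"
            for n, d in sorted(drops.items())]


if __name__ == "__main__":
    t0, t1 = parse_copp(SAMPLE_T0), parse_copp(SAMPLE_T1)
    for line in alert_lines(new_drops(t0, t1)):
        print(line)
```

In practice the two snapshots come from polling the router on an interval; a steadily growing exceeded counter on a management-protocol class is worth correlating with the source addresses seen in the matching ACL entries before deciding whether the rate is legitimate load or something to block upstream.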