11-06-2008 03:53 AM - edited 03-09-2019 09:46 PM
Hi,
How beneficial is CoPP in the context of device hardening?
What are the drawbacks of applying CoPP on an Internet Border Gateway?
Is the CoPP approach analogous to IPTABLES INPUT/OUTPUT chains?
Thanks for your thoughts.
11-06-2008 06:29 AM
How beneficial is CoPP in the context of device hardening?
I never really thought of it as hardening, but now that you brought it up, it certainly makes sense that it is. I think it's pretty important, especially in places where you can't get console access.
What are the drawbacks of applying CoPP on an Internet Border Gateway?
I don't think anything...
Is the CoPP approach analogous to IPTABLES INPUT/OUTPUT chains?
No. CoPP is QoS on the control plane (i.e., Telnet/SSH, ICMP, SNMP, IGP).
Here's a good link I found on CoPP. If you need a real-world config of CoPP, check the second link.
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
Hope that helps.
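For readers who want to see what "QoS on the control plane" looks like in practice, here is a minimal Cisco IOS CoPP policy covering the traffic types named in the reply above (Telnet/SSH, SNMP, ICMP, routing protocols). It is an added example, not part of the original posts and not taken from the linked white paper; all ACL, class and policy names, the addresses (documentation ranges) and the police rates are assumptions to be replaced with values measured in your own lab.

```cisco
! Constructed example. 192.0.2.0/24 stands in for the management subnet,
! 198.51.100.1 for a BGP peer. Rates (bps) are placeholders, not recommendations.
ip access-list extended COPP-ROUTING
 permit tcp host 198.51.100.1 any eq bgp
 permit tcp host 198.51.100.1 eq bgp any
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp 192.0.2.0 0.0.0.255 any eq telnet
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-CLASS-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-CLASS-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-CLASS-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP-POLICY
 ! Routing adjacencies: measure only, never drop.
 class COPP-CLASS-ROUTING
  police 512000 conform-action transmit exceed-action transmit
 ! Management from the trusted subnet: drop above the policed rate.
 class COPP-CLASS-MGMT
  police 128000 conform-action transmit exceed-action drop
 class COPP-CLASS-ICMP
  police 64000 conform-action transmit exceed-action drop
 ! Everything else punted to the CPU, including management traffic from
 ! outside 192.0.2.0/24. Left at transmit/transmit while testing so that
 ! a protocol missing from the ACLs shows up in counters instead of breaking.
 class class-default
  police 64000 conform-action transmit exceed-action transmit
!
control-plane
 service-policy input COPP-POLICY
!
! Check per-class conformed/exceeded counters with:
!   show policy-map control-plane
```

Once the class-default counters show no unexpected protocol landing there, its exceed-action can be changed to drop.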
11-07-2008 04:01 AM
What about the router resource utilization (CPU,etc)? Could there be any performance hits once CoPP is enabled?
11-07-2008 06:14 AM
Negligible. It, like QoS on the data plane, is only enacted during congestion.
11-09-2008 10:10 AM
Hi Collin,
Have you deployed this already?
Based on your experience, any particular points one may have to focus on during implementation?
Many Thanks,
11-10-2008 06:34 AM
Yes, I've deployed it. Be sure to test in the lab and make sure you get the protocols you need implemented. Unfortunately it's one of those things you hope is configured correctly when things go wrong.