01-14-2014 07:51 AM - edited 03-04-2019 10:04 PM
We have a 7600 router and the 7600 has 2 links with BGP.
We have an interface ACL applied in the inbound direction to block some traffic, for example BGP traffic.
We also have a COPP-BGP with an ACL too, with fewer blocks.
The question is which will be checked first, iACL or COPP.
After sometime reading and looking, I found a document:
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
It shows a picture with iACL before COPP, so my first thought seems to be wrong (that the COPP will be first and iACL would be checked after).
What is the order? iACL --> COPP or COPP --> iACL?
If iACL is first, the COPP ACL can be less restrictive.
Does anyone know what is the right order?
Thanks
01-14-2014 10:31 AM
As the packet enters the device, it will be 'seen' by the interface so the iACL will be put to action.
Once the packet is within the device, it may be punted to the CPU and that's where CoPP will be put to action.
In a hardware-based architecture such as the 7600, not all packets are punted to the CPU, hence you will have more granular protection with iACL.
Regards,
01-14-2014 11:23 AM
So I will need to work better on iACL.
It's hard for me to see how it will be useful. I was reading about configuring DoS protection with COPP (Chapter 43 - Cisco 7600 IOS 15) and I was planning to change the specific BGP entries from iACL to COPP. It doesn't make sense to me to use COPP to protect something that is already filtered on iACL.
Thanks for the reply.
01-14-2014 11:34 AM
Both features will provide different level of protection.
One protects your network from all traffic types, depending on its configuration (iACL),
while the other protects the device itself from a DoS against its processor (CoPP).
01-15-2014 02:07 AM
Still a little confusing to me.
The iACL has the lines:
permit tcp host x.x.x.x host y.y.y.y eq bgp
permit tcp host x.x.x.x eq bgp host y.y.y.y
And COPP acl is like this:
ip access-list extended COPP-BGP
permit tcp any any eq bgp
permit tcp any eq bgp any
Policy-map to BGP is:
class COPP-BGP
police 2048000 50000 50000 conform-action transmit exceed-action transmit violate-action transmit
So the iACL protects from all BGP and COPP protects the router from IPs that are allowed on the iACL (x.x.x.x) if they make a DoS? Is it (2 Mb/s, 50 kB, 50 kB)? If I got it right, all BGP packets that are allowed on the iACL will be permitted; the packet will always be transmitted. That's why I'm thinking that COPP in this case (BGP) is useless.
We have other COPP policies that always drop.
01-15-2014 03:55 AM
So the iACL protects from all BGP and COPP protects the router from IPs that are allowed on the iACL (x.x.x.x) if they make a DoS? Is it (2 Mb/s, 50 kB, 50 kB)? If I got it right, all BGP packets that are allowed on the iACL will be permitted; the packet will always be transmitted. That's why I'm thinking that COPP in this case (BGP) is useless.
You have to keep in mind that both features work independently from each other and you can combine them.
An iACL will inspect all incoming traffic on the appropriate interface(s): data-, (management-) and control-plane traffic. The iACL would even restrict BGP traffic on an intermediate non-BGP speaker's interface if you apply it there.
CoPP, on the other hand, doesn't apply to data-plane traffic at all, and it doesn't care where the control-plane traffic came from or whether ACLs are applied on the receiving interfaces. It offers the possibility to apply policies similar to QoS mechanisms to control what, and which amount of, traffic will be permitted to be passed to the CPU.
HTH
Rolf
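To make the order the two answers describe concrete (iACL at the interface first, CoPP only for what is punted) and to check the poster's reading of the transmit/transmit/transmit policer, here is a small simulation of the ingress path. It is an added illustration for this thread, not Cisco code: the ACL grammar is a minimal subset of IOS extended ACL syntax, the policer is a simplified single-rate three-colour token bucket driven by the thread's `police 2048000 50000 50000` values, and the addresses 192.0.2.1 (the peer, x.x.x.x), 192.0.2.2 (the router, y.y.y.y) and 198.51.100.7 (an unknown source) are constructed placeholders.

```python
"""Simulated ingress: iACL first, CoPP only for packets addressed to the router.
Added illustration for this thread, not Cisco code. ACL grammar is a small
subset of IOS syntax; policer is a simplified srTCM; addresses are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str; dst: str; proto: str; sport: int; dport: int; size: int

@dataclass
class Ace:
    action: str; proto: str
    src: str; sport: Optional[int]; dst: str; dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

def parse_ace(line: str) -> Ace:
    """Parse 'permit tcp host A [eq P] host B [eq P]' / 'any' forms only."""
    toks, pos = line.split(), 2
    def addr_port() -> Tuple[str, Optional[int]]:
        nonlocal pos
        if toks[pos] == "any":
            addr, pos = "any", pos + 1
        elif toks[pos] == "host":
            addr, pos = toks[pos + 1], pos + 2
        else:
            raise ValueError(f"unsupported address form in: {line}")
        port = None
        if pos < len(toks) and toks[pos] == "eq":          # 'bgp' keyword = TCP 179
            port = 179 if toks[pos + 1] == "bgp" else int(toks[pos + 1])
            pos += 2
        return addr, port
    src, sport = addr_port()
    dst, dport = addr_port()
    return Ace(toks[0], toks[1], src, sport, dst, dport)

def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """First matching entry wins; implicit deny at the end, as in IOS."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False

class Policer:
    """police <cir bps> <bc bytes> <be bytes>: tokens fill the Bc bucket first,
    overflow fills Be; the bucket that absorbs the packet picks the action."""
    def __init__(self, cir_bps: int, bc: int, be: int, actions: Tuple[str, str, str]):
        self.rate, self.bc, self.be = cir_bps / 8.0, bc, be   # rate in bytes/s
        self.tc, self.te, self.last, self.actions = bc, be, 0.0, actions
    def police(self, size: int, now: float) -> str:
        self.tc += (now - self.last) * self.rate
        self.last = now
        if self.tc > self.bc:
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = self.bc
        if size <= self.tc:
            self.tc -= size; return self.actions[0]          # conform
        if size <= self.te:
            self.te -= size; return self.actions[1]          # exceed
        return self.actions[2]                               # violate

@dataclass
class Router:
    own_addrs: set
    iacl: List[Ace]
    copp: List[Tuple[str, List[Ace], Policer]]

    def ingress(self, p: Packet, now: float) -> str:
        if not acl_permits(self.iacl, p):    # 1. interface ACL, before anything else
            return "iACL: drop"
        if p.dst not in self.own_addrs:       # 2. transit traffic never reaches CoPP
            return "forwarded"
        for name, acl, pol in self.copp:      # 3. punted traffic: CoPP class + policer
            if acl_permits(acl, p):
                return f"{name}: {pol.police(p.size, now)}"
        return "class-default: punted"

def run_scenarios(violate_action: str = "transmit") -> dict:
    """Constructed scenario using the thread's entries; a real iACL has many more lines."""
    iacl = [parse_ace("permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp"),
            parse_ace("permit tcp host 192.0.2.1 eq bgp host 192.0.2.2")]
    copp_bgp = [parse_ace("permit tcp any any eq bgp"), parse_ace("permit tcp any eq bgp any")]
    pol = Policer(2048000, 50000, 50000, ("transmit", "transmit", violate_action))
    rtr = Router({"192.0.2.2"}, iacl, [("COPP-BGP", copp_bgp, pol)])
    rogue = Packet("198.51.100.7", "192.0.2.2", "tcp", 40000, 179, 60)
    peer = lambda: Packet("192.0.2.1", "192.0.2.2", "tcp", 40000, 179, 1500)
    burst = Counter(rtr.ingress(peer(), 0.0) for _ in range(100))   # 150 kB at t=0
    return {"rogue": rtr.ingress(rogue, 0.0), "burst": dict(burst)}
```

`run_scenarios()` shows both points: the unknown source is dropped by the iACL and never reaches the CoPP-BGP class, and a 150 kB burst from the permitted peer exhausts both 50 kB buckets yet every packet is still transmitted, so with transmit on all three actions the class only counts. `run_scenarios("drop")` keeps the same iACL and changes only the violate action: the same burst then yields 66 transmitted and 34 dropped packets, which is the protection the accepted answer means by CoPP guarding the processor against a permitted peer that misbehaves.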