iACL vs COPP

imfvieira
Level 1

We have a 7600 router and the 7600 has 2 links with BGP.

We have an interface ACL in the inbound direction to block some traffic, for example BGP traffic.

We also have a COPP-BGP with an ACL too, with fewer blocks.

Question is which will be checked first, iACL or COPP.
After some time reading and looking, I found a document:

http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

It shows a picture with iACL before COPP, so my first thought seems to be wrong (that the COPP will be first and iACL would be checked after).

What is the order? iACL --> COPP or COPP --> iACL?

If iACL is first, the COPP ACL can be less restrictive.

Does anyone know what is the right order?

thanks

Accepted Solution

Edison Ortiz
Hall of Fame

As the packet enters the device, it will be 'seen' by the interface so the iACL will be put to action.

Once the packet is within the device, it may be punted to the CPU and that's where CoPP will be put to action.

In hardware based architecture such as the 7600, not all packets are punted to the CPU hence you will have more granular protection with iACL.

Regards,

5 Replies

So I will need to work better on iACL.

It's hard for me to see how it will be useful. I was reading about configuring DoS protection (Chapter 43 - Cisco 7600 IOS 15) with COPP and I was planning to change the specific BGP entries from iACL to COPP. It doesn't make sense to me to use COPP to protect something that is already filtered on iACL.

Thanks for the reply.

Both features provide different levels of protection.

One protects your network from all traffic types, depending on its configuration (iACL),

while the other protects the device itself from a DoS against its processor (CoPP).

Still a little confusing to me.

The iACL has the line:

permit tcp host x.x.x.x host y.y.y.y eq bgp

permit tcp host x.x.x.x eq bgp host y.y.y.y

And COPP acl is like this:

ip access-list extended COPP-BGP

permit tcp any any eq bgp

permit tcp any eq bgp any

Policy-map to BGP is:

class COPP-BGP

police 2048000 50000 50000 conform-action transmit exceed-action transmit violate-action transmit

So the iACL protects from all BGP and COPP protects the router from IPs that are allowed on the iACL (x.x.x.x) if they make a DoS? Is it (2 Mb/s, 50 kB, 50 kB)? If I got it right, all BGP packets that are allowed on the iACL will be permitted; the packet will always be transmitted. That's why I'm thinking that COPP in this case (BGP) is useless.

We have other COPP policies that always drop.

You have to keep in mind that both features work independently from each other and you can combine them.

An iACL will inspect all incoming traffic on the appropriate interface(s): Data-, (Mgmt-) and Control-Plane traffic. The iACL would even restrict BGP traffic on an intermediate non-BGP speaker's interface if you apply it.

CoPP, on the other hand, doesn't apply to Data-Plane traffic at all, and it doesn't care where the Control-Plane traffic came from or whether ACLs are applied on the receiving interfaces. It offers the possibility to apply policies similar to QoS mechanisms to control what, and how much, traffic will be permitted to pass to the CPU.

HTH

Rolf
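Putting the thread together as an added configuration example (not posted by anyone in the thread): the iACL restricting BGP to the known peer, the CoPP policer exactly as posted above with every action set to transmit, and the same class with exceed/violate set to drop, which is what turns CoPP into actual CPU protection. x.x.x.x, y.y.y.y and the interface name are placeholders.

```cisco
! Added example, not from the thread. x.x.x.x = BGP peer, y.y.y.y = this
! router's own address (placeholders, as in the original post).
!
! 1) iACL, applied inbound on the BGP-facing links: BGP is accepted only
!    from the known peer, every other BGP packet is dropped at the
!    interface, before CoPP ever sees it.
ip access-list extended IACL-IN
 permit tcp host x.x.x.x host y.y.y.y eq bgp
 permit tcp host x.x.x.x eq bgp host y.y.y.y
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 permit ip any any
!
interface GigabitEthernet1/1
 ip access-group IACL-IN in
!
! 2) CoPP class: only BGP that survived the iACL (i.e. from x.x.x.x)
!    can match here, so "any any" is safe in this ACL.
ip access-list extended COPP-BGP
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
!
! 3a) Policer as posted: conform, exceed and violate all "transmit".
!     The policer only counts; nothing is ever dropped, so the CPU is
!     not protected from a flood sourced (or spoofed) from x.x.x.x.
policy-map COPP-AS-POSTED
 class COPP-BGP
  police 2048000 50000 50000 conform-action transmit exceed-action transmit violate-action transmit
!
! 3b) Same rate and bursts, but traffic above 2048000 bit/s (beyond the
!     50000-byte burst) is dropped before it reaches the route processor.
policy-map COPP-POLICY
 class COPP-BGP
  police 2048000 50000 50000 conform-action transmit exceed-action drop violate-action drop
!
control-plane
 service-policy input COPP-POLICY
```

`show policy-map control-plane` shows the conform/exceed/violate counters per class, which is how you confirm whether the BGP class is ever exceeding the rate in normal operation before switching the actions to drop.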