07-30-2018 05:05 AM
Hi there,
I have an issue with the control plane policy on AS1001.
I configured the following statements:
class-map match-all MGMT
 match access-group name MGMT
class-map match-all ICMP
 match access-group name ICMP
class-map match-all ANY_TRAFF
 match access-group name ANY_TRAFF
class-map match-all ROUTING
 match access-group name ROUTING
class-map match-all CVE-2018-0151
 match access-group name CVE-2018-0151
policy-map ControlPlane
 class CVE-2018-0151
  police cir 8000 conform-action drop
 class ROUTING
  police 1000000 50000 50000 conform-action transmit exceed-action drop
 class MGMT
  police 1000000 50000 50000 conform-action transmit exceed-action drop
 class ICMP
  police cir 50000 bc 5000 be 5000 conform-action transmit exceed-action drop
 class ANY_TRAFF
  police 50000 5000 5000 conform-action transmit exceed-action drop
 class class-default
  police 8000 1500 1500 conform-action transmit exceed-action transmit
ip access-list extended ANY_TRAFF
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ip any any
ip access-list extended CVE-2018-0151
 permit udp any any eq 18999
 permit udp any eq 18999 any
ip access-list extended ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any port-unreachable
 permit icmp any any unreachable
 permit pim any any
 permit udp any any eq pim-auto-rp
 permit igmp any any
 permit gre any any
ip access-list extended MGMT
 permit tcp xxx.xx.144.0 0.0.0.255 77.xx.xx.0 0.0.31.255 eq telnet
 permit tcp xxx.xx.144.0 0.0.0.255 eq telnet 77.xx.xx.0 0.0.31.255 established
 permit tcp 77.xx.xx.0 0.0.0.255 77.xx.xx.0 0.0.31.255 eq telnet
 permit tcp 77.xx.xx.0 0.0.0.255 eq telnet 77.xx.xx.0 0.0.31.255 established
 permit tcp 172.16.0.0 0.15.255.255 77.xx.xx.0 0.0.31.255 eq 22
 permit tcp 172.16.0.0 0.15.255.255 eq 22 77.xx.xx.0 0.0.31.255 established
 permit tcp xxx.xx.144.0 0.0.0.255 77.xx.xx.0 0.0.31.255 eq 22
 permit tcp xxx.xx.144.0 0.0.0.255 eq 22 77.xx.xx.0 0.0.31.255 established
 permit tcp 77.xx.xx.0 0.0.0.255 77.xx.xx.0 0.0.31.255 eq 22
 permit tcp 77.xx.xx.0 0.0.0.255 eq 22 77.xx.xx.0 0.0.31.255 established
 permit udp xxx.xx.144.0 0.0.0.255 77.xx.xx.0 0.0.31.255 eq snmp
 permit tcp host xxx.xx.177.65 77.xx.xx.0 0.0.31.255 eq ftp
 permit tcp host xxx.xx.177.65 77.xx.xx.0 0.0.31.255 eq ftp-data
 permit udp host xxx.xx.177.44 77.xx.xx.0 0.0.31.255 eq syslog
 permit udp host 85.xx.xx.xx eq domain 77.xx.xx.0 0.0.31.255
 permit udp host xxx.xx.xx.77 eq domain 77.xx.xx.0 0.0.31.255
 permit udp host xxx.xx.144.1 77.xx.xx.0 0.0.31.255 eq ntp
 permit udp host 128.184.1.1 77.xx.xx.0 0.0.31.255 eq ntp
ip access-list extended ROUTING
 permit tcp any gt 1024 77.xx.xx.0 0.0.31.255 eq bgp
 permit tcp any eq bgp 77.xx.xx.0 0.0.31.255 gt 1024 established
 permit tcp any gt 1024 77.xx.xx.0 0.0.31.255 eq 639
 permit tcp any eq 639 77.xx.xx.0 0.0.31.255 gt 1024 established
 permit tcp any 77.xx.xx.0 0.0.31.255 eq 646
 permit udp any 77.xx.xx.0 0.0.31.255 eq 646
 permit ospf any 77.xx.xx.0 0.0.31.255
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
 permit eigrp any 77.xx.xx.0 0.0.31.255
 permit eigrp any host 224.0.0.10
The policies work; however, sometimes the LDP relationship fails.
In the output of "show policy-map control-plane", I see that the rule for class-map ANY_TRAFF has drops,
although LDP traffic should be matched by class-map ROUTING:
permit tcp any 77.xx.xx.0 0.0.31.255 eq 646
permit udp any 77.xx.xx.0 0.0.31.255 eq 646
It seems that the traffic is not handled by these rules.
What am I doing wrong?
08-03-2018 04:56 AM
As it turned out, firstly, LDP uses UDP 646 between the IP PEs for the targeted LDP session; in order for tLDP to work properly, it is necessary to create the following statements in the ACL:
permit udp any host 224.0.0.2 eq 646
permit udp any eq 646 any eq 646
permit tcp any host IP PE eq 646
permit udp any eq 646 host IP PE eq 646
I was confused because earlier I thought that tLDP uses only TCP for the relationship.
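As an added illustration (not code from the thread or from Cisco): a small Python model of IOS first-match ACL evaluation and policy-map class ordering, showing why an LDP link hello sent to 224.0.0.2 misses the two LDP entries of the originally posted ROUTING ACL and falls through to ANY_TRAFF, while the hello entry from the solution above catches it. The 192.0.2.0/24 PE range, the wildcard mask and the two packets are constructed values.

```python
import ipaddress

# Constructed values, not the thread's masked config: PE addresses live in 192.0.2.0/24.
PE_NET = ("192.0.2.0", "0.0.0.255")   # (network, IOS wildcard mask)
ANY = "any"

def host(ip):
    return (ip, "0.0.0.0")           # 'host X' is X with an all-zero wildcard

def ace(proto, src, dst, sport=None, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

def _addr_match(spec, ip):
    """IOS wildcard-mask compare: a 1 bit in the mask means 'don't care'."""
    if spec == ANY:
        return True
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def acl_permits(acl, pkt):
    """First-match ACL evaluation with the implicit 'deny ip any any' at the end."""
    for a in acl:
        if a["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(a["src"], pkt["src"]) and _addr_match(a["dst"], pkt["dst"])):
            continue
        if a["sport"] not in (None, pkt["sport"]) or a["dport"] not in (None, pkt["dport"]):
            continue
        return True
    return False

def classify(policy, pkt):
    """policy-map semantics: the first class whose ACL permits the packet wins."""
    for name, acl in policy:
        if acl_permits(acl, pkt):
            return name
    return "class-default"

# ROUTING as originally posted (its two LDP lines) and after adding the solution's hello entry.
ROUTING_ORIG = [ace("tcp", ANY, PE_NET, dport=646), ace("udp", ANY, PE_NET, dport=646)]
ROUTING_FIXED = [ace("udp", ANY, host("224.0.0.2"), dport=646)] + ROUTING_ORIG
ANY_TRAFF = [ace("ip", ANY, ANY)]
POLICY_ORIG = [("ROUTING", ROUTING_ORIG), ("ANY_TRAFF", ANY_TRAFF)]
POLICY_FIXED = [("ROUTING", ROUTING_FIXED), ("ANY_TRAFF", ANY_TRAFF)]

# Constructed packets: an LDP link hello (UDP 646 to the all-routers group) and a session segment.
LDP_HELLO = {"proto": "udp", "src": "192.0.2.1", "sport": 646, "dst": "224.0.0.2", "dport": 646}
LDP_SESSION = {"proto": "tcp", "src": "192.0.2.4", "sport": 49152, "dst": "192.0.2.1", "dport": 646}
```

Running `classify(POLICY_ORIG, LDP_HELLO)` returns ANY_TRAFF, which is the class whose drop counters the original poster saw increasing; with POLICY_FIXED the same hello lands in ROUTING.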
07-30-2018 04:05 PM
Not sure why you have the following configured:
class-map match-all ANY_TRAFF
 match access-group name ANY_TRAFF
You should probably delete that. I believe that is catching all your traffic before it can hit your ROUTING or CVE policies. That is why you are seeing drops on that class-map.
You should uniquely identify all the critical traffic that could tip over your control-plane and police it. Anything that is not caught in your class-maps should hit the class-default and be policed according to your class-default settings. It is not necessary to create a "catch-all" class like you are doing right now.
07-30-2018 11:42 PM
he!
I'll try to do it.
Strangely, because LDP traffic should be handled in class-map ROUTING and not hit the class ANY_TRAFF.
07-31-2018 12:40 AM
LDP uses not only unicast but also multicast.
07-31-2018 01:15 AM
interesting idea
07-31-2018 01:22 AM
Hello
Can you post the output from:
sh mpls ldp neighbor
07-31-2018 01:25 AM
Hello,
on a side note, looking at the best practices for a CoPP policy, the routing class transmits even exceed traffic, not sure if that makes a difference, but you might want to change that:
class ROUTING
police 1000000 50000 50000 conform-action transmit exceed-action transmit
08-02-2018 06:20 AM
Why? I showed my config at the head of the post:
class ROUTING
 police 1000000 50000 50000 conform-action transmit exceed-action drop
class MGMT
 police 1000000 50000 50000 conform-action transmit exceed-action drop
For class ROUTING, when traffic exceeds, the action performed is drop.
Action transmit was set for class-default, yes, this is wrong. I fixed it :)
08-02-2018 06:35 AM
The best practices document says the routing traffic should not be dropped...that is why I mentioned it. It actually makes sense not to drop it...
I have linked the doc I am referring to below, here is what the policy should look like:
policy-map RTR_CoPP
class Undesirable
police 8000 1500 1500 conform-action drop exceed-action drop
class Routing
police 1000000 50000 50000 conform-action transmit exceed-action transmit
class Management
police 100000 20000 20000 conform-action transmit exceed-action drop
class Normal
police 50000 5000 5000 conform-action transmit exceed-action drop
class Catch-All-IP
police 50000 5000 5000 conform-action transmit exceed-action drop
class class-default
police 8000 1500 1500 conform-action transmit exceed-action transmit
https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html
08-02-2018 07:02 AM
Very interesting. When I changed the action from drop to transmit for class ROUTING, LDP stopped failing.
However, if I return the action to "drop" instead of "transmit", LDP fails again.
Why does this happen?
Because I added the necessary statements into ACL "ROUTING":
50 permit ip any host 224.0.0.2
60 permit tcp any 77.94.160.0 0.0.31.255 eq 646
70 permit udp any 77.94.160.0 0.0.31.255 eq 646
08-02-2018 07:10 AM
The ACL is working, it is just that no routing traffic including LDP should be dropped. The fact that no LDP failures occur when you allow excess traffic to transmit means that there is a lot of traffic being matched in the ROUTING class, more than your policer allows.
I guess as an alternative, you could also increase the policer values...
08-02-2018 07:47 AM
Another point.
If I configure the following rules:
policy-map CoPP
 class CVE-2018-0151
  police cir 8000 conform-action drop
 class ROUTING
  police 10000 conform-action transmit exceed-action transmit
 class MGMT
  police 10000 conform-action transmit exceed-action drop
 class ICMP
  police cir 50000 bc 5000 be 5000 conform-action transmit exceed-action drop
 class class-default
  police 8000 1500 1500 conform-action transmit exceed-action drop
LDP continuously fails:
%LDP-5-NBRCHG: LDP Neighbor 77.xx.xx.1:0 (1) is DOWN (Session KeepAlive Timer expired)
%LDP-5-NBRCHG: LDP Neighbor 77.xx.xx.4:0 (4) is DOWN (Session KeepAlive Timer expired)
%LDP-5-NBRCHG: LDP Neighbor 77.xx.xx.5:0 (2) is DOWN (Session KeepAlive Timer expired)
The necessary rules were added to the ACL.
LDP traffic should match these rules:
sh ip access-lists ROUTING
Extended IP access list ROUTING
 50 permit ip any host 224.0.0.2
 60 permit tcp any 77.xx.xx.0 0.0.31.255 eq 646
 70 permit udp any 77.xx.xx.0 0.0.31.255 eq 646
However, this doesn't happen,
and the LDP traffic is handled by the rules of class class-default, where it is dropped.
If I change exceed-action drop to exceed-action transmit for class class-default, everything starts to work.
08-02-2018 07:57 AM
Hello,
in your original post, your ROUTING class access list was the below:
ip access-list extended ROUTING
permit tcp any gt 1024 77.xx.xx.0 0.0.31.255 eq bgp
permit tcp any eq bgp 77.xx.xx.0 0.0.31.255 gt 1024 established
permit tcp any gt 1024 77.xx.xx.0 0.0.31.255 eq 639
permit tcp any eq 639 77.xx.xx.0 0.0.31.255 gt 1024 established
permit tcp any 77.xx.xx.0 0.0.31.255 eq 646
permit udp any 77.xx.xx.0 0.0.31.255 eq 646
permit ospf any 77.xx.xx.0 0.0.31.255
permit ospf any host 224.0.0.5
permit ospf any host 224.0.0.6
permit eigrp any 77.xx.xx.0 0.0.31.255
permit eigrp any host 224.0.0.10
Now I see '50 permit ip any host 224.0.0.2' in there; 224.0.0.2 is typically used by routers for HSRP hello packets. Which makes me wonder what your topology looks like, do you have HSRP actually configured ?
Either way, the routing class should transmit everything, even the excess traffic.
08-02-2018 08:08 AM - edited 08-02-2018 08:10 AM
No, I haven't.
I added 224.0.0.2 for LDP.
LDP uses multicast address 224.0.0.2 to send hello packets.
08-02-2018 08:17 AM
OK, I was just wondering since you didn't have that multicast address in the access list you originally posted...