03-11-2011 11:05 PM - edited 03-04-2019 11:43 AM
Hi!
I have several questions about CP policing and protection. I read:
Cisco IOS Security Configuration Guide: Securing the Control Plane 12.4T
Infrastructure Protection on Cisco IOS Software-Based Platforms
Control Plane Policing chapter in Cisco IOS Quality of Service Solutions Configuration Guide 12.4T and some other docs.
Still have questions.
We have a DMVPN (GRE over IPsec, AES 256-bit encryption) network with Cisco 1811 (IOS 12.4T) as hubs and Cisco 871 (IOS 12.4T) as spokes.
Let's start with the spokes. Spokes are doing only the VPN connection to the HQ, nothing more.
Q 1.
1) We have ACLs on the external interfaces allowing only ESP, ISAKMP, SSH and ICMP from the hub (sic!).
2) Because the CPU is weak at encryption, to protect it from overload (some of the lines have quite high speeds) I decided to restrict the traffic volume to the router and changed all the interface speeds to 10 Mbps FD.
3) Besides, I am going to use shaping and policing to further restrict the traffic volume to/from the external interfaces down to 5 Mbps. (My tests showed that the router can handle only 4.5-5 Mbps of full-duplex encrypted traffic with our configs while CPU load stays at 80% or lower. At 6-7 Mbps it reaches 100% load.)
Taking the above into account, do I still need CoPP as DoS protection?
I mean, I believe this router is able to process 10 Mbps of (unencrypted) traffic flowing simultaneously through its LAN and 3 WAN interfaces, so why should I use CoPP? Processing would in fact mean processing the hub traffic and dropping all foreign traffic according to the ACLs (of course I am not protected from the LAN side, but the 10 Mbps interface speed would be good protection, IMHO).
I wrote the following config for CoPP (for the CP transit and CEF-exception policies I just did not know which limits to set and set quite high limits; I need your advice on the limit values):
! Classification ACLs: one per traffic type that may reach the control plane
ip access-list extended cp_esp
 permit esp any any
 deny ip any any
ip access-list extended cp_icmp
 permit icmp any any
 deny ip any any
ip access-list extended cp_isakmp
 permit udp any eq isakmp any eq isakmp
 deny ip any any
ip access-list extended cp_ssh
 permit tcp any any eq 22
 deny ip any any
!
class-map match-all cp_ssh
 match access-group name cp_ssh
class-map match-all cp_esp
 match access-group name cp_esp
class-map match-all cp_isakmp
 match access-group name cp_isakmp
class-map match-all cp_icmp
 match access-group name cp_icmp
!
! Policer rates are in bits per second; burst sizes are left at their defaults
policy-map CP_Policy_Host
 class cp_icmp
  police 50000 conform-action transmit exceed-action drop
 class cp_isakmp
  police 50000 conform-action transmit exceed-action drop
 class cp_esp
  police 5000000 conform-action transmit exceed-action drop
 class cp_ssh
  police 20000 conform-action transmit exceed-action drop
 class class-default
  police 10000 conform-action transmit exceed-action drop
policy-map CP_Policy_Transit
 class class-default
  police 10000000 conform-action transmit exceed-action drop
policy-map CP_Policy_CEF-Exc
 class class-default
  police 1000000 conform-action transmit exceed-action drop
Q 2. I used a 5 Mbps limit for ESP and much lower limits for the other types of traffic on the CP host subinterface, a 10 Mbps common limit on transit and a 1 Mbps common limit on the CEF-exception subinterface.
Please advise on the values, taking into account that the router model is Cisco 871. (Ignore our real traffic volumes; tell me the limits this router can still handle without 100% CPU load, please.)
Q 3. I see only ISAKMP traffic being matched; ESP is not matched in class-map cp_esp!?
At the same time I can see that ESP is matched by the ACL applied to the respective external interfaces. Why? Is ESP not reaching the CP? But these routers are doing software-based encryption/decryption!
I don't understand this. Please clarify.
Q 4. Only quite a low volume of traffic is matched by the CEF-exception policy and almost none by the Transit policy!? Why?
And to which limits can I safely decrease the values?
Thank you in advance.
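An added example, not the poster's running configuration, showing how the same three CPPr policies look once the ACLs are scoped to the hub and the policies are actually bound to the control-plane host, transit and cef-exception subinterfaces (the binding is not shown in the post). The hub public address 203.0.113.1 is a placeholder, the UDP/4500 (NAT-T) line is only needed if the hub is reached through NAT (an assumption, not stated in the post), and the policer rates are the post's own values kept as a starting point rather than measured limits for an 871.

```ios
! Added example (not the poster's config). 203.0.113.1 stands in for the
! hub's public address; replace it with the real one.
! Scoping the ACLs to the hub instead of "any" means a stray packet from
! elsewhere never gets the ISAKMP/SSH/ICMP budget, only class-default.
ip access-list extended cp_esp
 remark ESP from the hub only
 permit esp host 203.0.113.1 any
 deny ip any any
ip access-list extended cp_icmp
 remark echo (hub pings us) and echo-reply (we ping the hub)
 permit icmp host 203.0.113.1 any echo
 permit icmp host 203.0.113.1 any echo-reply
 deny ip any any
ip access-list extended cp_isakmp
 remark IKE on UDP/500; UDP/4500 only if NAT-T is in use (assumption)
 permit udp host 203.0.113.1 eq isakmp any eq isakmp
 permit udp host 203.0.113.1 eq non500-isakmp any eq non500-isakmp
 deny ip any any
ip access-list extended cp_ssh
 remark management SSH from the hub only
 permit tcp host 203.0.113.1 any eq 22
 deny ip any any
!
class-map match-all cp_esp
 match access-group name cp_esp
class-map match-all cp_isakmp
 match access-group name cp_isakmp
class-map match-all cp_icmp
 match access-group name cp_icmp
class-map match-all cp_ssh
 match access-group name cp_ssh
!
! Rates in bits per second, default burst. class-default on the host
! subinterface also catches replies to traffic the router itself started
! (NTP, DNS, AAA), so watch its exceed counter before lowering it further.
policy-map CP_Policy_Host
 class cp_isakmp
  police 50000 conform-action transmit exceed-action drop
 class cp_esp
  police 5000000 conform-action transmit exceed-action drop
 class cp_ssh
  police 20000 conform-action transmit exceed-action drop
 class cp_icmp
  police 50000 conform-action transmit exceed-action drop
 class class-default
  police 10000 conform-action transmit exceed-action drop
policy-map CP_Policy_Transit
 class class-default
  police 10000000 conform-action transmit exceed-action drop
policy-map CP_Policy_CEF-Exc
 class class-default
  police 1000000 conform-action transmit exceed-action drop
!
! Control Plane Protection (12.4(4)T and later): each policy is bound to
! its own control-plane subinterface instead of the aggregate.
control-plane host
 service-policy input CP_Policy_Host
control-plane transit
 service-policy input CP_Policy_Transit
control-plane cef-exception
 service-policy input CP_Policy_CEF-Exc
```

To read the result, clear the counters with `clear control-plane all`, generate known traffic (an SSH login from the hub, a ping from the hub), then compare `show policy-map control-plane host` (and `transit`, `cef-exception`) against `show access-lists`: the conform/exceed counters per class tell you which budget is being consumed, and a class that stays at zero while the matching interface ACL keeps incrementing shows that the traffic is being handled before it is ever classified as control-plane traffic. Pair that with `show processes cpu sorted` while lowering a rate so the CPU effect of each change is visible.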
03-14-2011 11:48 PM
Can't anyone advise anything?
Please.
03-17-2011 06:26 AM
Why does no one share their opinion?