Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1978
Views
0
Helpful
0
Comments

Control Plane Protection is Cisco IOS

athukral
Level 1
Level 1

‎12-05-2011 11:11 PM - edited ‎03-08-2019 06:43 PM

[toc:faq]

Introduction

This document explains the concept of Control Plane Protection is Cisco.

Prerequisites

Router running Firewal Feature set.

Concept

Control Plane Protection is Cisco IOS feature aimed at preventing infrastructure attacks, i-e attacks targeting at the router itself. Control plane implements routing and management protocols, such as OSPF, BGP, RIP, SNMP, SSH, Telnet and so on.

The most common and typical attacks against control plane are of resource exhaustion type. That is target at depleting router's resources and causing service denial. On most IOS platforms control plane run central Route Processor(CPU) in parallel with asynchronus packet switching. Packet routing is commonly implemented using CEF switching path during hardware interrupt processing task. All packets directed to the control (like routing updates, keepalives, SSH/SNMP session) plane are handled using process-switching which is most CPU intensive.

Configuration

Please refer the following sample control plane policing

ip access-list extended BGP

permit tcp any any eq bgp

class-map BGP

match access-group name BGP

policy-map Control-Plane

class BGP

police rate 2000 pps burst 100 packets

control-plane

service-policy input Control-Plane

ip access-list extended BGP

permit tcp any any eq bgp

class-map BGP

match access-group name BGP

policy-map Control-Plane

class BGP

police rate 2000 pps burst 100 packets

control-plane

service-policy input Control-Plane

Verify

ROUTER1#show policy-map Control-Plane

Control Plane

Service-policy input: Control-Plane

Class-map: BGP (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group name BGP

police:

rate 2000 pps, burst 100 packets

conformed 0 packets; actions:

transmit

exceeded 0 packets; actions:

drop

conformed 0 pps, exceed 0 pps

Class-map: class-default (match-any)

5 packets, 450 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

Please note that in the above configuration the police command specifies rate in packets per seconds and the burst size in packets. This type of the police command is only applicable to the control-plane policy. In addition to the inputpolicy, you can configure output policing as well and limit the rate of the packets produced by the routers control plane.

Hope this document is informative for you and i want to thank you for your time.

Related Information

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents