1750
Views
0
Helpful
2
Replies

How to effectively use Control Plane Policing (CoPP) to neglect an ARP DDoS

kapslock
Level 1

Greetings fellow Cisco colleagues!

 

After a long troubleshooting period and finally tracing down the issue, we have now confirmed that on our network we have multiple clients DDoS ARP requesting, which spikes our CPU and causes packet drops. Hence I am looking into configuring CoPP to ensure that the CPU does not become overwhelmed.


The platform is a C6807 with dual Supervisor T2 modules and some line cards.

 

I've read the documentation on CoPP at https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-5SY/config_guide/sup2T/15_5_sy_swcg_2T/control_plane_policing_copp.html#49119 

However I could use some input on how to configure CoPP for ARP.

Any help is appreciated.


I can see by default there is a class-map match-all class-copp-arp-snooping however no policy map is configured for it. Can I apply this only for a specific interface? Or will it invoke on the whole platform?

/K.
Accepted Solution

kapslock
Level 1

Unfortunately ARP inspection will shut the interface if the limit is exceeded, therefore dropping all other traffic. I forgot to mention that this issue is only regarding wireless clients, and the wireless design is using CAPWAP, therefore we cannot inspect packets using ARP inspection or storm control at the port where the AP is connected. I am looking into using CoPP and found this best practice on CoPP which can map ARP packets at the control plane, and drop only ARP packets if they exceed the defined level.

 

https://tools.cisco.com/security/center/resources/copp_best_practices#8 

 

The hard part now is defining a baseline level and a burst level.

 

For others interested, you can configure it like this:

 

!
! classify ARP arriving at the control plane
class-map arp-police
 match protocol arp
!
! single-rate policer: ARP within the rate/burst is transmitted, the excess is dropped
policy-map arp-police
 class arp-police
  police rate <limit rate pps> pps burst <burst in pps> packets conform-action transmit exceed-action drop
!
interface xyz
 service-policy <define direction, input/output> arp-police
!

 

/K.
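To put numbers on the rate and burst, here is an added Python model (not Cisco's code and not from the post above) of the single-rate policer in that configuration: it picks a rate from a constructed ARP baseline, replays a constructed flood through the token bucket to count conforming and exceeding packets, and renders the resulting CoPP lines. The per-second ARP counts are invented for illustration, and the 1.5x headroom and two-second burst are assumed tuning choices.

```python
import math

# Constructed per-second ARP request counts at the control plane: ten quiet
# seconds, a five-second client flood, then recovery. Made-up numbers, not
# measurements from the C6807 in the thread.
ARP_PPS = [45, 52, 61, 48, 70, 55, 63, 50, 47, 58,
           900, 1500, 2200, 2100, 1800, 60, 55, 49]


def suggest_policer(baseline_pps, headroom=1.5, burst_seconds=2):
    """Derive (rate, burst) from a clean baseline: 95th-percentile pps
    (nearest rank) times a headroom factor, rounded up; burst sized to
    absorb burst_seconds of that rate."""
    ranked = sorted(baseline_pps)
    p95 = ranked[math.ceil(0.95 * len(ranked)) - 1]
    rate = math.ceil(p95 * headroom)
    return rate, rate * burst_seconds


def police(series, rate_pps, burst_pkts):
    """Single-rate token bucket, the model behind 'police rate R pps burst B
    packets conform-action transmit exceed-action drop'. Tokens refill at R
    per second, capped at B; each packet spends one. Returns (conformed,
    exceeded) packet totals over the series."""
    tokens = burst_pkts
    conformed = exceeded = 0
    for pkts in series:
        tokens = min(burst_pkts, tokens + rate_pps)
        passed = min(pkts, tokens)
        tokens -= passed
        conformed += passed
        exceeded += pkts - passed
    return conformed, exceeded


def render_copp(rate_pps, burst_pkts):
    """Fill the thread's class-map/policy-map with concrete numbers. The policy
    is attached under 'control-plane', as in the linked CoPP best-practices
    document; on a user interface it would police ARP in the data plane."""
    return "\n".join([
        "class-map arp-police",
        " match protocol arp",
        "policy-map arp-police",
        " class arp-police",
        f"  police rate {rate_pps} pps burst {burst_pkts} packets "
        "conform-action transmit exceed-action drop",
        "control-plane",
        " service-policy input arp-police",
    ])
```

With the baseline above, `suggest_policer` yields 105 pps with a 210-packet burst; replaying the whole series through `police` passes every baseline packet and drops 7870 of the 8500 flood packets, so the CPU sees at most the policed rate while normal ARP continues to flow.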


2 Replies

Reza Sharifi
Hall of Fame

Hi,

Not sure if you have seen this document, but there is a section here regarding rate limiting for ARP inspection.
