Control Plane Policing

From the plane perspective, IP traffic can be divided into four logical groups:

  • DATA PLANE packets - end-station to end-station. These packets are always forwarded by routers towards the end-station and can be handled by the normal forwarding process.
  • CONTROL PLANE packets - packets generated or received by network devices that are used for the creation and operation of the network itself. These packets are handled by the CPU. Examples are ARP, BGP, OSPF, EIGRP, etc.
  • MANAGEMENT PLANE packets - packets generated or received for management purposes, e.g. TFTP, SNMP, FTP, NTP, SSH, etc. These packets are handled by the CPU.
  • SERVICE PLANE packets - a special case of data plane packets which require special handling, e.g. GRE, QoS, MPLS, VPN, etc.

From the local perspective of the network device, three general types of packets exist:

  • Transit packets – These include data plane and some services plane packets that are subjected to standard, destination IP-based forwarding functions. In most networks and under normal operating conditions, transit packets are typically forwarded by Cisco Express Forwarding mechanisms, either in the interrupt process within CPU-based (software switched) platforms, or within specialized high-speed forwarding hardware (ASICs, FPGAs, or NPs) on high-end platforms. “Fast path” is most often used to describe this type of packet handling.
  • Receive packets – These include control plane and management plane packets that are destined to the network device itself. Receive packets must be handled by the CPU within the route processor, as they are ultimately destined to and handled by applications running at the process level within IOS or IOS XR. “Punt” is often used to describe the action of moving a packet from the fast path to the route processor for handling.
  • Exception IP and Non-IP packets – One special set of packets includes both exception IP packets and non-IP packets. Exception IP packets include, for example, IPv4 packets containing IP header options, IP packets whose TTL expires, and IP packets with unreachable destinations. Layer 2 keepalives, ISIS packets, Cisco Discovery Protocol (CDP) packets, and PPP Link Control Protocol (LCP) packets are examples of non-IP packets. All of the packets in this set must be handled by the route processor.

Configuration

  • Define ACLs to identify the traffic
Avoid named ACLs, because some IOS versions do not accept them. Do not use any log statement.

(config)#object-group network Router_int
(config-network-group)#description "For CoPP"
(config-network-group)#host 91.223.184.151
(config-network-group)#host 87.204.202.2
(config-network-group)#host 172.16.0.1
(config-network-group)#host 192.168.1.1
(config-network-group)#exit

Object group with the router's interface addresses, for easier ACL management.

CONTROL PLANE

(config)#access-list 140 remark Control_plane_traffic
(config)#access-list 140 permit ospf any object-group Router_int
(config)#access-list 140 permit ospf any host 224.0.0.5
(config)#access-list 140 permit ospf any host 224.0.0.6

ACL for routing protocol traffic (in my case OSPF).

MANAGEMENT PLANE

(config)#access-list 141 remark Management_plane_traffic
(config)#access-list 141 permit tcp any object-group Router_int eq 22
(config)#access-list 141 permit tcp any object-group Router_int eq 23
(config)#access-list 141 permit tcp any object-group Router_int eq 80
(config)#access-list 141 permit tcp any object-group Router_int eq 443
(config)#access-list 141 permit udp any object-group Router_int eq tftp

ACL for management traffic.

SERVICE PLANE

(config)#access-list 142 remark Normal_needed_traffic
(config)#access-list 142 permit icmp any object-group Router_int
(config)#access-list 142 permit gre any object-group Router_int
(config)#access-list 142 permit pim any object-group Router_int
(config)#access-list 142 permit igmp any object-group Router_int

ACL for the other traffic the router has to handle through the policy, such as VPN, MPLS and multicast.

UNDESIRABLE TRAFFIC

(config)#access-list 143 permit icmp any object-group Router_int fragments
(config)#access-list 143 permit udp any object-group Router_int fragments
(config)#access-list 143 permit tcp any object-group Router_int fragments
(config)#access-list 143 permit tcp any object-group Router_int rst
(config)#access-list 143 permit udp any object-group Router_int eq ntp

ACL for undesirable traffic, which the policy-map will drop.

ALL OTHER TRAFFIC

(config)#access-list 144 permit tcp any any
(config)#access-list 144 permit udp any any
(config)#access-list 144 permit icmp any any
(config)#access-list 144 permit ip any any

ACL for all remaining traffic. We create it on purpose so that this traffic does not fall into the class-default class.

CLASS-MAPS

(config)#class-map CoPP_Control
(config-cmap)#match access-group 140
(config-cmap)#exit

Class-map for control plane traffic.

(config)#class-map CoPP_Management
(config-cmap)#match access-group 141
(config-cmap)#exit

Class-map for management plane traffic.

(config)#class-map CoPP_Service
(config-cmap)#match access-group 142
(config-cmap)#exit

Class-map for service plane traffic.

(config)#class-map CoPP_Undesirable
(config-cmap)#match access-group 143
(config-cmap)#exit

Class-map for undesirable traffic.

(config)#class-map CoPP_All
(config-cmap)#match access-group 144
(config-cmap)#exit

Class-map for the remaining traffic.

Besides ACLs you can use other match criteria, such as IP ToS, ARP, etc.

POLICY-MAP

Order in the policy-map is important! Classes placed higher in the policy-map are checked first.

(config)#policy-map CoPP
(config-pmap)#description "Inboud CoPP only"
(config-pmap)#class CoPP_Undesirable
(config-pmap-c)#drop
(config-pmap-c)#exit
(config-pmap)#class CoPP_Control
(config-pmap-c)#police 20000 2000 2000 conform-action transmit exceed-action transmit violate-action drop
(config-pmap-c-police)#exit
(config-pmap-c)#exit
(config-pmap)#class CoPP_Management
(config-pmap-c)#police 400000 20000 20000 conform-action transmit exceed-action transmit violate-action drop
(config-pmap-c-police)#exit
(config-pmap-c)#exit
(config-pmap)#class CoPP_Service
(config-pmap-c)#police 20000 2000 2000 conform-action transmit exceed-action transmit violate-action drop
(config-pmap-c-police)#exit
(config-pmap-c)#exit
(config-pmap)#class CoPP_All
(config-pmap-c)#police 50000 5000 5000 conform-action transmit exceed-action drop
(config-pmap-c-police)#exit
(config-pmap-c)#exit
(config-pmap)#class class-default
(config-pmap-c)#police 8000 1000 1000 conform-action transmit exceed-action transmit
(config-pmap-c-police)#exit
(config-pmap-c)#exit

  • Deploy the CoPP policy

(config)#control-plane
(config-cp)#service-policy input CoPP
(config-cp)#exit

Our policy is prepared only for inbound traffic; however, with some ACL modifications you can use the same policy for both input and output traffic.

  • Save the configuration

#wr
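
The three numbers after police are cir (bits per second), bc and be (bytes). As an added illustration, not from the original page or from Cisco, here is a Python model of a single-rate three-colour policer in the RFC 2697 token-bucket style, run with the CoPP_Control values from the policy-map above; it assumes the textbook algorithm, so the exact burst accounting inside IOS may differ.

```python
from dataclasses import dataclass, field

@dataclass
class Policer:
    # Single-rate three-colour policer (RFC 2697 token buckets) standing in for
    # `police <cir> <bc> <be>`: cir in bits/s, bc and be in bytes. Assumption:
    # this is the textbook model, not Cisco's exact implementation.
    cir_bps: int
    bc_bytes: int
    be_bytes: int
    tc: float = field(init=False)   # tokens left in the committed bucket
    te: float = field(init=False)   # tokens left in the excess bucket
    last_t: float = 0.0             # arrival time of the previous packet

    def __post_init__(self):
        self.tc, self.te = float(self.bc_bytes), float(self.be_bytes)

    def _refill(self, now):
        # Tokens accrue at CIR (converted to bytes/s); whatever overflows the
        # committed bucket spills into the excess bucket.
        self.tc += (now - self.last_t) * self.cir_bps / 8.0
        self.last_t = now
        if self.tc > self.bc_bytes:
            self.te = min(self.be_bytes, self.te + self.tc - self.bc_bytes)
            self.tc = float(self.bc_bytes)

    def classify(self, now, size):
        """Colour one packet of `size` bytes arriving at `now` seconds."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"

def run_class(policer, packets):
    """Feed (arrival_time_s, size_bytes) pairs; return per-colour packet counts."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for t, size in packets:
        counts[policer.classify(t, size)] += 1
    return counts

def demo():
    # Constructed input: 60 x 100-byte packets hitting CoPP_Control at once with the
    # page's 20000 2000 2000: 2000 bytes conform, 2000 exceed (still sent), 2000 drop.
    p = Policer(cir_bps=20000, bc_bytes=2000, be_bytes=2000)
    return run_class(p, [(0.0, 100)] * 60)   # {'conform': 20, 'exceed': 20, 'violate': 20}
```

The show output on the page confirms that when no violate-action is given (CoPP_All, class-default) IOS fills one in equal to the exceed-action, so the same three-colour model still applies to those classes.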

TESTS

  • Check the configuration

#show policy-map CoPP
Policy Map CoPP
       Description: "Inboud CoPP only"
Class CoPP_Undesirabled
    drop
Class CoPP_Control
  police cir 20000 bc 2000 be 2000
         conform-action transmit
         exceed-action transmit
         violate-action drop
Class CoPP_Management
   police cir 100000 bc 10000 be 10000
          conform-action transmit
          exceed-action transmit
          violate-action drop
Class CoPP_Service
   police cir 20000 bc 2000 be 2000
          conform-action transmit
          exceed-action transmit
          violate-action drop
Class CoPP_All
   police cir 50000 bc 5000 be 5000
           conform-action transmit
           exceed-action drop
           violate-action drop
Class class-default
   police cir 8000 bc 1000 be 1000
           conform-action transmit
           exceed-action transmit
           violate-action transmit

  • Check policy-map usage (screenshots CoPP-1.PNG and CoPP-2.PNG, not reproduced here)
  • Check class-map usage in the policy-map, e.g. class-map CoPP_Management (screenshot CoPP-3.PNG, not reproduced here)

  • Save the configuration and tune it (the more granular, the better).
  • Create an outbound policy-map if needed.
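
The policy-map usage check above, written as an added Python example that is not part of the original page: it parses the per-class counters of the IOS show policy-map control-plane output and lists the classes whose policer reached violate-action, which is what tells you a cir is too tight or the device is being flooded. The sample output is constructed, and the exact spacing of the real command output is an assumption.

```python
import re

# Constructed sample of IOS "show policy-map control-plane" output (the exact
# layout is an assumption). Class names follow the page's policy; counters are
# made up: CoPP_Control has already hit violate-action five times.
SAMPLE = """\
  Service-policy input: CoPP

    Class-map: CoPP_Undesirable (match-all)
      37 packets, 2960 bytes
      Match: access-group 143
      drop

    Class-map: CoPP_Control (match-all)
      4120 packets, 371840 bytes
      Match: access-group 140
      police:
          cir 20000 bps, bc 2000 bytes, be 2000 bytes
        conformed 4100 packets, 369800 bytes; actions:
          transmit
        exceeded 15 packets, 1500 bytes; actions:
          transmit
        violated 5 packets, 540 bytes; actions:
          drop
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+)")
MATCHED_RE = re.compile(r"^\s*(\d+) packets, \d+ bytes$")
COLOUR_RE = re.compile(r"^\s*(conformed|exceeded|violated) (\d+) packets, \d+ bytes;")

def parse_copp(text):
    """Return {class_name: {matched, conformed, exceeded, violated}} packet counts."""
    stats, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = dict(matched=0, conformed=0, exceeded=0, violated=0)
        elif current and (m := MATCHED_RE.match(line)):
            stats[current]["matched"] = int(m.group(1))
        elif current and (m := COLOUR_RE.match(line)):
            stats[current][m.group(1)] = int(m.group(2))
    return stats

def classes_with_violations(stats):
    """Classes whose policer reached violate-action. In the page's policy that
    action is drop, so a non-zero count is the signal to revisit cir/bc/be."""
    return sorted(c for c, s in stats.items() if s["violated"] > 0)
```

The matched count of CoPP_Undesirable is worth watching on its own: it is the volume of fragments, stray RSTs and similar traffic the policy is already dropping.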

dzbanek 2013-03-25
