Aut inveniam viam aut faciam

v5 Written and Lab: Control Plane Policing Notes

v5 Written: 5.1.c Implement and troubleshoot control plane policing
v5 Lab: 4.1.c Implement and troubleshoot control plane policing

Documents:

QoS Policing and Shaping Configuration Guide, Cisco IOS 15 M&T; Chapter 11: Control Plane Policing

QoS Policing and Shaping Configuration Guide, Cisco IOS 15 M&T; Chapter 12: Control Plane Protection

QoS Policing and Shaping Configuration Guide, Cisco IOS 15 M&T; Chapter 13: Control Plane Logging

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_plcshp/configuration/15-mt/qos-plcshp-15-mt-book.html

Control Plane Policing
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_plcshp/configuration/15-1mt/qos-plcshp-ctrl-pln-plc.html

Deploying Control Plane Policing
http://www.cisco.com/c/en/us/products/collateral/security/ios-network-foundation-protection-nfp/prod_white_paper0900aecd804fa16a.html

Control Plane Policing Implementation Best Practices
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

The only thing I could find on troubleshooting Control Plane Policing was to enable logging. So:

Control Plane Logging
http://www.cisco.com/c/en/us/td/docs/ios/porting/sec_control_plane/configuration/guide/15_0/cps_15_0_book/ctrl_plane_logging.pdf

The INE labs include both Control Plane Policing and Control Plane Protection. So:

“The Control Plane Protection feature is an extension of the policing functionality provided by the
existing Control-Plane Policing feature. The Control-Plane Policing feature allows Quality of Service
(QoS) policing of aggregate control-plane traffic destined to the route processor. The Control Plane
Protection feature extends this policing functionality by allowing finer policing granularity.”

Control Plane Protection
http://www.cisco.com/c/en/us/td/docs/ios/porting/sec_control_plane/configuration/guide/15_0/cps_15_0_book/ctrl_plane_prot.pdf

Books:

Router Security Strategies: Securing IP Network Traffic Planes; Chp 5: IP Control Plane Security, Control Plane Policing

CCIE Routing and Switching Exam Certification Guide 4th Ed; Chp 18 Security, Control Plane Policing, pgs. 804 – 808

Router-Bits Handbook; COPP (Control Plane Policing) pgs. 268 – 269

INE:

INE Security Lab Workbook Vol I v3.5
– Control / Management Plane Security
– Sections 6.1 – 6.16, pgs. 55 – 60
– Control / Management Plane Security Solutions
– Sections 6.1 – 6.16, pgs. 950 – 1010

INE R&S Workbook Vol I
– Section 11 Security, 11.64 Control Plane Policing, pg. 14
– Section 11 Security, 11.65 Control Plane Protection, pg. 15
– Section 11 Security Solutions, 11.64 Control Plane Policing, pgs. 148 – 152
– Section 11 Security Solutions, 11.65 Control Plane Protection, pgs. 153 – 164

INE R&S Workbook II
– Lab 1, 6.4, pg. 12
– Lab 5, 6.5, pg. 66
– Lab 7, 6.3, pg. 98
– Lab 9, 6.4, pg. 129
– Lab 15, 6.4, pg. 221

Exception IP and non-IP packets (punts):
– IP header options (IPv4) (Unicast or multicast)
– IP packet TTL expires
– IP packets with unreachable destinations
– Layer 2 keepalives
– ISIS packets
– CDP packets
– PPP Link Control Protocol (LCP) packets
– ARP packets
– Reverse ARP packets
– BPDU packets
– VTP packets
– UDLD packets
– PAgP packets
– LACP packets
– Layer 2 Tunneling packets
– IGMP packets
– MTU failure
– VLAN ACL logging
– IP errors
– IP RPF failure
– Multicast RPF failure

IP interface ACLs apply to:
– data plane traffic
– control plane traffic
– management plane traffic
– services plane traffic

IP Receive ACL (rACL):
– applies only to ingress packets whose IP next hop is “receive”
– i.e. packets whose destination has a CEF receive adjacency

IP prefixes having a CEF receive adjacency:
– /32 IP addresses assigned to the local router IP interfaces
– physical
– channel
– logical
– loopback
– VRF interfaces
– MPLS VPNs
– MPLS with IPsec VPNs
– broadcast addresses
– network addresses
– reserved IP multicast addresses in the range between 224.0.0.0 and 225.0.0.225

sh ip cef | in receive

Slow path –> IOS process level switched

ip receive access-list

Example:
access-list 100 deny ip any any fragments
access-list 100 permit tcp any any eq 23 precedence internet
access-list 100 permit ospf any any precedence internet
access-list 100 permit icmp any any echo-reply
access-list 100 deny ip any any

ip receive access-list 100
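To make the distinction above concrete (an interface ACL sees every plane, an rACL is consulted only for packets that resolve to a CEF receive adjacency), here is an added Python model that is not part of the original notes and not IOS code. It builds the receive set for a constructed, hypothetical set of interface addresses (host address plus network and directed-broadcast address of each connected subnet; multicast is left out) and then evaluates access-list 100 from the example above, top down, first match wins. Packet fields and helper names are assumptions made for the model; precedence 6 is what IOS calls “internet”.

```python
import ipaddress
from dataclasses import dataclass

# Constructed router addressing (hypothetical, not from the notes).
INTERFACES = {
    "GigabitEthernet0/0": "192.0.2.1/24",
    "GigabitEthernet0/1": "198.51.100.1/30",
    "Loopback0": "203.0.113.1/32",
}


def receive_prefixes(interfaces):
    """Destinations that resolve to a CEF receive adjacency on this router:
    every interface host address plus the network and directed-broadcast
    address of each connected subnet (a /32 loopback contributes only itself).
    Reserved multicast is left out to keep this model unicast-only."""
    recv = set()
    for cidr in interfaces.values():
        iface = ipaddress.ip_interface(cidr)
        recv.add(iface.ip)
        if iface.network.prefixlen < 31:
            recv.add(iface.network.network_address)
            recv.add(iface.network.broadcast_address)
    return recv


@dataclass
class Packet:
    proto: str              # "tcp", "udp", "icmp", "ospf"
    dst: str
    dport: int = 0
    precedence: int = 0     # IP precedence 0-7; 6 is "internet" in IOS ACL syntax
    icmp_type: str = ""
    fragment: bool = False  # non-initial fragment, what the "fragments" keyword matches


# access-list 100 from the notes, one tuple per ACE:
# (action, protocol, dst port, precedence, icmp type, "fragments" keyword present)
RACL_100 = [
    ("deny",   "ip",   None, None, None,         True),   # deny ip any any fragments
    ("permit", "tcp",  23,   6,    None,         False),  # permit tcp any any eq 23 precedence internet
    ("permit", "ospf", None, 6,    None,         False),  # permit ospf any any precedence internet
    ("permit", "icmp", None, None, "echo-reply", False),  # permit icmp any any echo-reply
    ("deny",   "ip",   None, None, None,         False),  # deny ip any any
]


def ace_matches(ace, pkt):
    """True when every qualifier present on the ACE matches the packet."""
    _, proto, dport, prec, itype, frag_only = ace
    if frag_only and not pkt.fragment:
        return False
    if proto != "ip" and proto != pkt.proto:
        return False
    if dport is not None and pkt.dport != dport:
        return False
    if prec is not None and pkt.precedence != prec:
        return False
    if itype is not None and pkt.icmp_type != itype:
        return False
    return True


def racl_decision(pkt, recv):
    """'transit' when the rACL is not consulted at all (no receive adjacency),
    otherwise the action of the first matching ACE, evaluated top down."""
    if ipaddress.ip_address(pkt.dst) not in recv:
        return "transit"
    for ace in RACL_100:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"   # implicit deny; not reached here because the last ACE is deny ip any any


if __name__ == "__main__":
    recv = receive_prefixes(INTERFACES)
    for p in (Packet("tcp", "192.0.2.50", 23, 6),       # transit through the router
              Packet("tcp", "192.0.2.1", 23, 6),        # telnet to the router, precedence 6
              Packet("tcp", "192.0.2.1", 23, 0),        # same session, precedence 0
              Packet("icmp", "203.0.113.1", icmp_type="echo"),
              Packet("icmp", "203.0.113.1", icmp_type="echo-reply"),
              Packet("udp", "192.0.2.255", 53, fragment=True)):
        print(p.proto, p.dst, "->", racl_decision(p, recv))
```

The telnet pair is the point worth noticing: the same session to the router's own address is permitted at precedence 6 and dropped at precedence 0, while the identical packet addressed to a host behind the router never touches the rACL at all.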

rACL Configuration Guidelines:
– Identify protocols and port numbers used
– Filter unnecessary protocols and port numbers
– IP fragments
– IP TOS
– ICMP
– Limited permitted IP Source Address
– BGP
– IGP protocols
– Management protocols
– Limited Permitted IP Destination Addresses

Router sourced traffic:
– IP precedence value 6 (Internet control) (RFC 795)
– BGP
– OSPF
– RIP
– ICMP
– DVMRP
– PIM
– IGMP
– HSRP
– MPLS LDP
– RSVP
– SSH
– Telnet
– IP precedence value 0 (Routine)
– RADIUS
– TACACS+
– SNMP
– syslog

MQC – The Modular Quality of Service (QoS) Command-Line Interface (CLI)
– used to configure the packet classification and policing functions of CoPP
– the only MQC actions supported in policy maps are police and drop
– features that require NBAR (Network-Based Application Recognition) may not work well at the control plane level

Classification (match) criteria supported:
– standard and extended IP access-lists
– class-map configuration mode:
– match ip dscp
– match ip precedence
– match protocol arp
– match protocol pppoe

Silent mode operation:
– service-policy output – system error messages are not sent when a packet is discarded

CoPP steps:
– constructing the CoPP policy
– deploying the CoPP policy
– verifying the CoPP policy
– tuning the CoPP policy
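Verifying and tuning come down to reading the counters under `show policy-map control-plane` and finding classes whose exceed-action is firing. The Python below is an added example, not from the notes or from Cisco: it parses a constructed sample that is modelled on that output (layout varies by platform and release, so the regular expressions are the assumption) and flags classes dropping more than a threshold share of their traffic, always reporting class-default drops because they mean something unclassified is reaching the route processor. Counters and class names in the sample are made up to fit the copp-system-policy example in these notes.

```python
import re

# Constructed sample modelled on `show policy-map control-plane` output; not a real capture.
SAMPLE_OUTPUT = """\
Control Plane

 Service-policy input: copp-system-policy

    Class-map: copp-system-class-critical (match-any)
      48210 packets, 3856800 bytes
      5 minute offered rate 12000 bps, drop rate 0000 bps
      Match: access-group name copp-system-acl-bgp
      police:
          cir 39600000 bps, bc 250000 bytes
        conformed 48210 packets, 3856800 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 12000 bps, exceeded 0000 bps

    Class-map: copp-system-class-monitoring (match-any)
      90412 packets, 7594608 bytes
      5 minute offered rate 186000 bps, drop rate 56000 bps
      Match: access-group name copp-system-acl-icmp
      police:
          cir 130000 bps, bc 100000 bytes
        conformed 63148 packets, 5304432 bytes; actions:
          transmit
        exceeded 27264 packets, 2290176 bytes; actions:
          drop
        conformed 130000 bps, exceeded 56000 bps

    Class-map: class-default (match-any)
      812 packets, 64960 bytes
      5 minute offered rate 1000 bps, drop rate 0000 bps
      Match: any
      police:
          cir 100000 bps, bc 25000 bytes
        conformed 810 packets, 64800 bytes; actions:
          transmit
        exceeded 2 packets, 160 bytes; actions:
          drop
        conformed 1000 bps, exceeded 0000 bps
"""

# Field layout assumed from the sample above; adjust for the platform in use.
CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \((match-any|match-all)\)", re.M)
CIR_RE = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
CONF_RE = re.compile(r"conformed (\d+) packets, (\d+) bytes; actions:")
EXC_RE = re.compile(r"exceeded (\d+) packets, (\d+) bytes; actions:")


def parse_copp_stats(text):
    """Return {class_name: {cir, bc, conformed_pkts, exceeded_pkts, exceeded_bytes}}
    for every class that carries a police action."""
    stats = {}
    heads = list(CLASS_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        cir, conf, exc = CIR_RE.search(body), CONF_RE.search(body), EXC_RE.search(body)
        if not (cir and conf and exc):
            continue  # class with a plain drop or no action: nothing to rate-check
        stats[head.group(1)] = {
            "cir": int(cir.group(1)),
            "bc": int(cir.group(2)),
            "conformed_pkts": int(conf.group(1)),
            "exceeded_pkts": int(exc.group(1)),
            "exceeded_bytes": int(exc.group(2)),
        }
    return stats


def dropping_classes(stats, threshold=0.01):
    """Classes whose exceeded share of packets is above the threshold.
    Any drop in class-default is reported regardless: it means traffic the
    policy never classified is being policed at the catch-all rate."""
    flagged = {}
    for name, s in stats.items():
        total = s["conformed_pkts"] + s["exceeded_pkts"]
        share = s["exceeded_pkts"] / total if total else 0.0
        if share > threshold or (name == "class-default" and s["exceeded_pkts"]):
            flagged[name] = share
    return flagged


if __name__ == "__main__":
    stats = parse_copp_stats(SAMPLE_OUTPUT)
    for name, share in dropping_classes(stats).items():
        print(f"{name}: {share:.1%} of packets exceeded cir {stats[name]['cir']} bps")
```

Whether a flagged class means the policer is too tight (tune the cir/bc) or that something is flooding the control plane (investigate the source) is the judgment call; the parser only tells you where to look.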

Parts:
– access list
– class map
– policy map
– control plane service policy

Example:
access-list 141 deny icmp 10.0.0.0 0.0.0.255 any port-unreachable
access-list 141 permit icmp any any port-unreachable

class-map icmp-class
match access-group 141

policy-map control-plane-out
class icmp-class
drop

control-plane
service-policy output control-plane-out

class-map:
– packets that fail to meet any of the matching criteria are classified as members of the default class
– match-any
– match-all
– the default class is always applied, whether it’s configured or not

policy-map:
– used to associate a traffic class with one or more QoS policies
– association called a service-policy
– classes are processed from top down
– when a packet matches a class, no further processing is done
– a packet can only belong to one class
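The class-map and policy-map rules above (classes tried top down, first hit owns the packet, class-default always present) and the `police cir ... bc ... conform-action transmit exceed-action drop` lines used throughout these notes are modelled in the added Python below. It is an illustration written for this page, not IOS code: the policer is a single token bucket whose depth is bc in bytes and whose refill rate is cir in bits per second, the matchers are constructed stand-ins for the ACL-based matches, and the cir/bc values are borrowed from the copp-system-policy example later in the notes.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Single token bucket: depth bc (bytes), refilled at cir (bits/s)."""
    cir_bps: int
    bc_bytes: int
    tokens: float = field(init=False)
    last_t: float = 0.0
    conformed: int = 0
    exceeded: int = 0

    def __post_init__(self):
        self.tokens = float(self.bc_bytes)   # bucket starts full

    def offer(self, size_bytes, now):
        """Credit tokens for the elapsed time, then conform or exceed."""
        refill = (now - self.last_t) * self.cir_bps / 8
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last_t = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            self.conformed += 1
            return "transmit"      # conform-action transmit
        self.exceeded += 1
        return "drop"              # exceed-action drop


@dataclass
class CoppClass:
    name: str
    matchers: list      # match-any semantics: one hit is enough
    policer: Policer


def classify(policy, pkt):
    """Classes are tried top down; the first hit owns the packet and no
    further classes are checked.  class-default is last and matches all."""
    for cls in policy:
        if any(m(pkt) for m in cls.matchers):
            return cls
    return policy[-1]


# Constructed stand-ins for the ACL matches on this page (hypothetical).
is_bgp = lambda p: p.get("proto") == "tcp" and 179 in (p.get("sport"), p.get("dport"))
is_ospf = lambda p: p.get("proto") == "ospf"
is_ssh = lambda p: p.get("proto") == "tcp" and 22 in (p.get("sport"), p.get("dport"))
is_icmp_echo = lambda p: p.get("proto") == "icmp" and p.get("type") in ("echo", "echo-reply")


def build_policy():
    """Three classes plus class-default; cir/bc values follow the
    copp-system-policy example in these notes."""
    return [
        CoppClass("copp-system-class-critical", [is_bgp, is_ospf], Policer(39600000, 250000)),
        CoppClass("copp-system-class-management", [is_ssh], Policer(10000000, 250000)),
        CoppClass("copp-system-class-monitoring", [is_icmp_echo], Policer(130000, 100000)),
        CoppClass("class-default", [lambda p: True], Policer(100000, 25000)),
    ]


def run(policy, packets):
    """Feed (time, packet) pairs through the policy; count actions per class."""
    results = {cls.name: {"transmit": 0, "drop": 0} for cls in policy}
    for now, pkt in packets:
        cls = classify(policy, pkt)
        results[cls.name][cls.policer.offer(pkt["size"], now)] += 1
    return results


def demo():
    """Constructed traffic: ten BGP packets and a 2000-packet ICMP echo burst,
    all at t=0.  The 100000-byte monitoring bucket admits 1000 of the 100-byte
    echoes and drops the rest; BGP sits in its own class and is untouched."""
    packets = [(0.0, {"proto": "tcp", "sport": 40000, "dport": 179, "size": 60}) for _ in range(10)]
    packets += [(0.0, {"proto": "icmp", "type": "echo", "size": 100}) for _ in range(2000)]
    return run(build_policy(), packets)


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name:32s} transmit={counts['transmit']:5d} drop={counts['drop']:5d}")
```

The demo is the reason CoPP classes are split the way they are: the echo flood exhausts only the monitoring class's bucket, and the routing-protocol class never sees it.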

Example:

ip access-list extended copp-system-acl-bgp
permit tcp any gt 1024 any eq bgp
permit tcp any eq bgp any gt 1024
ip access-list extended copp-system-acl-dhcp
permit udp any eq bootpc any
permit udp any eq bootps any
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended copp-system-acl-eigrp
permit eigrp any any
ip access-list extended copp-system-acl-ftp
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any eq ftp-data any
permit tcp any eq ftp any
ip access-list extended copp-system-acl-glbp
permit udp any eq 3222 224.0.0.0 0.0.0.255 eq 3222
ip access-list extended copp-system-acl-hsrp
permit udp any 224.0.0.0 0.0.0.255 eq 1985
ip access-list extended copp-system-acl-icmp
permit icmp any any echo
permit icmp any any echo-reply
ip access-list extended copp-system-acl-igmp
permit igmp any 224.0.0.0 15.255.255.255
ip access-list extended copp-system-acl-msdp
permit tcp any gt 1024 any eq 639
permit tcp any eq 639 any gt 1024
ip access-list extended copp-system-acl-ntp
permit udp any any eq ntp
permit udp any eq ntp any
ip access-list extended copp-system-acl-ospf
permit ospf any any
ip access-list extended copp-system-acl-pim
permit pim any 224.0.0.0 0.0.0.255
permit udp any any eq pim-auto-rp
permit ahp any 224.0.0.13 0.0.0.0
ip access-list extended copp-system-acl-pim-reg
permit pim any any
ip access-list extended copp-system-acl-radius
permit udp any any eq 1812
permit udp any any eq 1813
permit udp any any eq 1645
permit udp any any eq 1646
permit udp any eq 1812 any
permit udp any eq 1813 any
permit udp any eq 1645 any
permit udp any eq 1646 any
ip access-list extended copp-system-acl-rip
permit udp any 224.0.0.0 0.0.0.255 eq rip
ip access-list extended copp-system-acl-sftp
permit tcp any any eq 115
permit tcp any eq 115 any
ip access-list extended copp-system-acl-snmp
permit udp any any eq snmp
permit udp any any eq snmptrap
ip access-list extended copp-system-acl-ssh
permit tcp any any eq 22
permit tcp any eq 22 any
ip access-list extended copp-system-acl-tacacs
permit tcp any any eq tacacs
permit tcp any eq tacacs any
ip access-list extended copp-system-acl-tftp
permit udp any any eq tftp
permit udp any any eq 1758
permit udp any eq tftp any
permit udp any eq 1758 any
ip access-list extended copp-system-acl-traceroute
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit icmp any any
ip access-list extended copp-system-acl-vrrp
permit 112 any 224.0.0.0 0.0.0.255
ip access-list extended copp-system-acl-wccp
permit udp any eq 2048 any eq 2048
ip access-list extended copp-system-acl-exception
permit ip any any option any-options
permit icmp any any unreachable

!
class-map match-any copp-system-class-critical
match access-group name copp-system-acl-bgp
match access-group name copp-system-acl-eigrp
match access-group name copp-system-acl-igmp
match access-group name copp-system-acl-msdp
match access-group name copp-system-acl-ospf
match access-group name copp-system-acl-pim
match access-group name copp-system-acl-rip
class-map match-any copp-system-class-exception
match access-group name copp-system-acl-exception
class-map match-any copp-system-class-important
match access-group name copp-system-acl-glbp
match access-group name copp-system-acl-hsrp
match access-group name copp-system-acl-vrrp
match access-group name copp-system-acl-wccp
match access-group name copp-system-acl-pim-reg
class-map match-any copp-system-class-management
match access-group name copp-system-acl-ftp
match access-group name copp-system-acl-ntp
match access-group name copp-system-acl-radius
match access-group name copp-system-acl-sftp
match access-group name copp-system-acl-snmp
match access-group name copp-system-acl-ssh
match access-group name copp-system-acl-tacacs
match access-group name copp-system-acl-tftp
class-map match-any copp-system-class-monitoring
match access-group name copp-system-acl-icmp
match access-group name copp-system-acl-traceroute
class-map match-any copp-system-class-normal
match access-group name copp-system-acl-dhcp
match protocol arp
!
policy-map copp-system-policy
class copp-system-class-critical
police cir 39600000 bc 250000 conform-action transmit exceed-action drop
class copp-system-class-important
police cir 1060000 bc 1000000 conform-action transmit exceed-action drop
class copp-system-class-management
police cir 10000000 bc 250000 conform-action transmit exceed-action drop
class copp-system-class-normal
police cir 680000 bc 250000 conform-action transmit exceed-action drop
class copp-system-class-monitoring
police cir 130000 bc 100000 conform-action transmit exceed-action drop
class copp-system-class-exception
police cir 360000 bc 250000 conform-action transmit exceed-action drop
class class-default
police cir 100000 bc 25000 conform-action transmit exceed-action drop
!
control-plane
service-policy input copp-system-policy


This entry was posted on Saturday, May 31st, 2014 at 9:42 pm and is filed under CCIE.