{"id":54,"date":"2014-05-31T21:42:44","date_gmt":"2014-05-31T21:42:44","guid":{"rendered":"http:\/\/feralpacket.org\/?p=54"},"modified":"2015-01-03T11:21:31","modified_gmt":"2015-01-03T11:21:31","slug":"v5-written-and-lab-control-plane-policing-notes","status":"publish","type":"post","link":"https:\/\/feralpacket.org\/?p=54","title":{"rendered":"v5 Written and Lab: Control Plane Policing Notes"},"content":{"rendered":"

v5 Written: 5.1.c Implement and troubleshoot control plane policing
\nv5 Lab: 4.1.c Implement and troubleshoot control plane policing<\/code><\/p>\n

Documents:<\/p>\n

QoS Policing and Shaping Configuration Guide, Cisco IOS 15 M&T; Chapter 11: Control Plane Policing<\/p>\n

QoS Policing and Shaping Configuration Guide, Cisco IOS 15 M&T; Chapter 12: Control Plane Protection<\/p>\n

QoS Policing and Shaping Configuration Guide, Cisco IOS 15 M&T; Chapter 13: Control Plane Logging<\/p>\n

http:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios-xml\/ios\/qos_plcshp\/configuration\/15-mt\/qos-plcshp-15-mt-book.html<\/p>\n

Control Plane Policing
\nhttp:\/\/www.cisco.com\/en\/US\/docs\/ios-xml\/ios\/qos_plcshp\/configuration\/15-1mt\/qos-plcshp-ctrl-pln-plc.html<\/p>\n

Deploying Control Plane Policing
\nhttp:\/\/www.cisco.com\/c\/en\/us\/products\/collateral\/security\/ios-network-foundation-protection-nfp\/prod_white_paper0900aecd804fa16a.html<\/p>\n

Control Plane Policing Implementation Best Practices
\nhttp:\/\/www.cisco.com\/web\/about\/security\/intelligence\/coppwp_gs.html<\/p>\n

The only thing I could find on troubleshooting Control Plane Policing was to enable logging. So:<\/p>\n

Control Plane Logging
\nhttp:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios\/porting\/sec_control_plane\/configuration\/guide\/15_0\/cps_15_0_book\/ctrl_plane_logging.pdf<\/p>\n

The INE labs include both Control Plane Policing and Control Plane Protection. So:<\/p>\n

“The Control Plane Protection feature is an extension of the policing functionality provided by the
\nexisting Control-Plane Policing feature. The Control-Plane Policing feature allows Quality of Service
\n(QoS) policing of aggregate control-plane traffic destined to the route processor. The Control Plane
\nProtection feature extends this policing functionality by allowing finer policing granularity.”<\/p>\n

Control Plane Protection
\nhttp:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios\/porting\/sec_control_plane\/configuration\/guide\/15_0\/cps_15_0_book\/ctrl_plane_prot.pdf<\/p>\n

Books:<\/p>\n

Router Security Strategies: Securing IP Network Traffic Planes; Chp 5: IP Control Plane Security, Control Plane Policing<\/p>\n

CCIE Routing and Switching Exam Certification Guide 4th Ed; Chp 18 Security, Control Plane Policing, pgs. 804 – 808<\/p>\n

Router-Bits Handbook; COPP (Control Plane Policing) pgs. 268 – 269<\/p>\n

INE:<\/p>\n

INE Security Lab Workbook Vol I v3.5
\n– Control \/ Management Plane Security
\n– Sections 6.1 – 6.16, pgs. 55 – 60
\n– Control \/ Management Plane Security Solutions
\n– Sections 6.1 – 6.16, pgs. 950 – 1010<\/p>\n

INE R&S Workbook Vol I
\n– Section 11 Security, 11.64 Control Plane Policing, pg. 14
\n– Section 11 Security, 11.65 Control Plane Protection, pg. 15
\n– Section 11 Security Solutions, 11.64 Control Plane Policing, pgs. 148 – 152
\n– Section 11 Security Solutions, 11.65 Control Plane Protection, pgs. 153 – 164<\/p>\n

INE R&S Workbook II
\n– Lab 1, 6.4, pg. 12
\n– Lab 5, 6.5, pg. 66
\n– Lab 7, 6.3, pg. 98
\n– Lab 9, 6.4, pg. 129
\n– Lab 15, 6.4, pg. 221<\/p>\n

Exception IP and non-IP packets (punts):
\n– IP header options (IPv4) (Unicast or multicast)
\n– IP packet TTL expires
\n– IP packets with unreachable destinations
\n– Layer 2 keepalives
\n– ISIS packets
\n– CDP packets
\n– PPP Link Control Protocol (LCP) packets
\n– ARP packets
\n– Reverse ARP packets
\n– BPDU packets
\n– VTP packets
\n– UDLD packets
\n– PagP packets
\n– LACP packets
\n– Layer 2 Tunneling packets
\n– IGMP packets
\n– MTU failure
\n– VLAN ACL logging
\n– IP errors
\n– IP RPF failure
\n– Multicast RPF failure<\/p>\n

IP interface ACLs apply to:
\n– data plane traffic
\n– control plane traffic
\n– management plane traffic
\n– services plane traffic<\/p>\n

IP Receive ACL (rACL):
\n– only ingress packets with an IP next hop of receive
\n– have a CEF receive adjacency<\/p>\n

IP prefixes having a CEF receive adjacency:
\n– \/32 IP addresses assigned to the local router IP interfaces
\n– physical
\n– channel
\n– logical
\n– loopback
\n– VRF interfaces
\n– MPLS VPNs
\n– MPL with IPSec VPNS
\n– broadcast addresses
\n– network addresses
\n– reserved IP multicast addresses in the range between 224.0.0.0 and 225.0.0.225<\/p>\n

sh ip cef | in receive<\/p>\n

Slow path –> IOS process level switched<\/p>\n

ip receive access-list<\/p>\n

Example:
\naccess-list 100 deny ip any any fragments
\naccess-list 100 permit tcp any any eq 23 precedence internet
\naccess-list 100 permit ospf any any precedence internet
\naccess-list 100 permit icmp any any echo-reply
\naccess-list 100 deny ip any any<\/p>\n

ip receive access-list 100<\/p>\n

rACL Configuration Guidelines:
\n– Identify protocols and port numbers used
\n– Filter unnecessary protocols and port numbers
\n– IP fragments
\n– IP TOS
\n– ICMP
\n– Limited permitted IP Source Address
\n– BGP
\n– IGP protocols
\n– Management protocols
\n– Limited Permitted IP Destination Addresses<\/p>\n

Router sourced traffic:
\n– IP precedence value 6 (Internet control) (RFC 795)
\n– BGP
\n– OSPF
\n– RIP
\n– ICMP
\n– DVMRP
\n– PIM
\n– IGMP
\n– HSRP
\n– MPLS LDP
\n– RSVP
\n– SSH
\n– Telnet
\n– IP precedence value 0 (Routine)
\n– RADIUS
\n– TACACS+
\n– SNMP
\n– syslog<\/p>\n

MQC – The Modular Quality of Service (QoS) Command-Line Interface (CLI)
\n– used to configure the packet classification on policing functions of CoPP
\n– the only MQC actions supported in policy maps is police and drop
\n– features that require NBAR (Network-Based Application Recognition) may not work well at the control plane level<\/p>\n

Classification (match) criteria supported:
\n– standard and extended IP access-lists
\n– class-map configuration mode:
\n– match ip dscp
\n– match ip precedence
\n– match protocol arp
\n– match protocol pppoe<\/p>\n

Silent mode operation:
\n– service-policy output – system error messages are not sent when a packet is discarded<\/p>\n

CoPP steps:
\n– constructing the CoPP policy
\n– deploying the CoPP policy
\n– verifying the CoPP policy
\n– tuning the CoPP policy<\/p>\n

Parts:
\n– access list
\n– class map
\n– policy map
\n– control plane service policy<\/p>\n

Example:
\naccess-list 141 deny icmp 10.0.0.0 0.0.0.255 any port-unreachable
\naccess-list 141 permit icmp any any port-unreachable<\/p>\n

class-map icmp-class
\nmatch access-group 141<\/p>\n

policy-map control-plane-out
\nclass icmp-class
\ndrop<\/p>\n

control-plane
\nservice-policy output control-plane-out<\/p>\n

class-map:
\n– packets that fail to meet any of the matching criteria are classified as members of the default class
\n– match-any
\n– match-all
\n– the default class is always applied, whether it’s configured or not<\/p>\n

policy-map:
\n– used to a traffic class with one or more QoS polices
\n– association called a service-policy
\n– classes are processed from top down
\n– when a packet matches a class, no further processing is done
\n– a packet can only belong to one class<\/p>\n

Example:<\/p>\n

ip access-list extended copp-system-acl-bgp
\npermit tcp any gt 1024 any eq bgp
\npermit tcp any eq bgp any gt 1024
\nip access-list extended copp-system-acl-dhcp
\npermit udp any eq bootpc any
\npermit udp any eq bootps any
\npermit udp any any eq bootpc
\npermit udp any any eq bootps
\nip access-list extended copp-system-acl-eigrp
\npermit eigrp any any
\nip access-list extended copp-system-acl-ftp
\npermit tcp any any eq ftp-data
\npermit tcp any any eq ftp
\npermit tcp any eq ftp-data any
\npermit tcp any eq ftp any
\nip access-list extended copp-system-acl-glbp
\npermit udp any eq 3222 224.0.0.0 0.0.0.255 eq 3222
\nip access-list extended copp-system-acl-hsrp
\npermit udp any 224.0.0.0 0.0.0.255 eq 1985
\nip access-list extended copp-system-acl-icmp
\npermit icmp any any echo
\npermit icmp any any echo-reply
\nip access-list extended copp-system-acl-igmp
\npermit igmp any 224.0.0.0 224.255.255.255
\nip access-list extended copp-system-acl-msdp
\npermit tcp any gt 1024 any eq 639
\npermit tcp any eq 639 any gt 1024
\nip access-list extended copp-system-acl-ntp
\npermit udp any any eq ntp
\npermit udp any eq ntp any
\nip access-list extended copp-system-acl-ospf
\npermit ospf any any
\nip access-list extended copp-system-acl-pim
\npermit pim any 224.0.0.0 0.0.0.255
\npermit udp any any eq pim-auto-rp
\npermit ahp any 224.0.0.13 0.0.0.0
\nip access-list extended copp-system-acl-pim-reg
\npermit pim any any
\nip access-list extended copp-system-acl-radus
\npermit udp any any eq 1812
\npermit udp any any eq 1813
\npermit udp any any eq 1645
\npermit udp any any eq 1646
\npermit udp any eq 1812 any
\npermit udp any eq 1813 any
\npermit udp any eq 1645 any
\npermit udp any eq 1646 any
\nip access-list extended copp-system-acl-rip
\npermit udp any 244.0.0.0 0.0.0.255 eq rip
\nip access-list extended copp-system-acl-sftp
\npermit tcp any any eq 115
\npermit tcp any eq 115 any
\nip access-list extended copp-system-acl-snmp
\npermit udp any any eq snmp
\npermit udp any any eq snmptrap
\nip access-list extended copp-system-acl-ssh
\npermit tcp any any eq 22
\npermit tcp any eq 22 any
\nip access-list extended copp-system-acl-tacacs
\npermit tcp any any eq tacacs
\npermit tcp any eq tacacs any
\nip access-list extended copp-system-acl-tftp
\npermit udp any any eq tftp
\npermit udp any any eq 1758
\npermit udp any eq tftp any
\npermit udp any eq 1758 any
\nip access-list extended copp-system-acl-traceroute
\npermit icmp any any ttl-exceeded
\npermit icmp any any port-unreachable
\npermit icmp any any
\nip access-list extended copp-system-acl-vrrp
\npermit 112 any 224.0.0.0 0.0.0.255
\nip access-list extended copp-system-acl-wccp
\npermit udp any eq 2048 any eq 2048
\nip access-list extended copp-system-acl-exception
\npermit ip any any option any-options
\npermit icmp any any unreachable<\/p>\n

!
\nclass-map match-any copp-system-class-critical
\nmatch access-group name copp-system-acl-bgp
\nmatch access-group name copp-system-acl-eigrp
\nmatch access-group name copp-system-acl-igmp
\nmatch access-group name copp-system-acl-msdp
\nmatch access-group name copp-system-acl-ospf
\nmatch access-group name copp-system-acl-pim
\nmatch access-group name copp-system-acl-rip
\nclass-map match-any copp-system-class-exception
\nmatch access-group name copp-system-acl-exception
\nclass-map match-any copp-system-class-important
\nmatch access-group name copp-system-acl-glbp
\nmatch access-group name copp-system-acl-hsrp
\nmatch access-group name copp-system-acl-vrrp
\nmatch access-group name copp-system-acl-wccp
\nmatch access-group name copp-system-acl-pim-reg
\nclass-map match-any copp-system-class-management
\nmatch access-group name copp-system-acl-ftp
\nmatch access-group name copp-system-acl-ntp
\nmatch access-group name copp-system-acl-radius
\nmatch access-group name copp-system-acl-sftp
\nmatch access-group name copp-system-acl-snmp
\nmatch access-group name copp-system-acl-ssh
\nmatch access-group name copp-system-acl-tacacs
\nmatch access-group name copp-system-acl-tftp
\nclass-map match-any copp-system-class-monitoring
\nmatch access-group name copp-system-acl-icmp
\nmatch access-group name copp-system-acl-traceroute
\nclass-map match-any copp-system-class-normal
\nmatch access-group name copp-system-acl-dhcp
\nmatch protocol arp
\n!
\npolicy-map copp-system-policy
\nclass copp-system-class-critical
\npolice cir 39600000 bc 250000 conform-action transmit exceed-action drop
\nclass copp-system-class-important
\npolice cir 1060000 bc 1000000 conform-action transmit exceed-action drop
\nclass copp-system-class-management
\npolice cir 10000000 bc 250000 conform-action transmit exceed-action drop
\nclass copp-system-class-normal
\npolice cir 680000 bc 250000 conform-action transmit exceed-action drop
\nclass copp-system-class-monitoring
\npolice cir 130000 bc 100000 conform-action transmit exceed-action drop
\nclass copp-system-class-exception
\npolice cir 360000 bc 250000 conform-action transmit exceed-action drop
\nclass class-default
\npolice cir 100000 bc 25000 conform-action transmit exceed-action drop
\n!
\ncontrol-plane
\nservice-policy input copp-system-policy<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

v5 Written: 5.1.c Implement and troubleshoot control plane policing v5 Lab: 4.1.c Implement and troubleshoot control plane policing Documents: QoS Policing and Shaping Configuration Guide, Cisco IOS 15 M&T; Chapter 11: Control Plane Policing QoS Policing and Shaping Configuration Guide, Cisco IOS 15 M&T; Chapter 12: Control Plane Protection QoS Policing and Shaping Configuration Guide, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[30,22,11],"class_list":["post-54","post","type-post","status-publish","format-standard","hentry","category-ccie","tag-ccie","tag-control-plane-policing","tag-route-switch"],"_links":{"self":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/54","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=54"}],"version-history":[{"count":5,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/54\/revisions"}],"predecessor-version":[{"id":234,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/54\/revisions\/234"}],"wp:attachment":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=54"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=54"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=54"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}