Control Plane Policing

Control plane policing (CoPP) can be used to identify the type and rate of traffic that reaches the control plane of the Cisco IOS device. Control plane policing is implemented through granular classification ACLs and logging, and is verified with the show policy-map control-plane command.

CoPP is a Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices. CoPP is designed to prevent unnecessary traffic from overwhelming the route processor that, if left unabated, could affect system performance. Route processor resource exhaustion, in this case, refers to all resources associated with the punt path and route processors such as Cisco IOS process memory and buffers and ingress packet queues.

As just discussed, more than just control plane packets can punt to and affect the route processor and system resources. Management plane traffic, as well as certain data plane exception IP packets and some services plane packets, may also require the use of route processor resources. Even so, it is common practice to refer to the resources associated with the punt path and route processors as the control plane.

In Example 13-2, only Telnet and DNS traffic from trusted hosts (that is, devices in the 192.168.1.0/24 subnet) is permitted to reach the Cisco IOS device CPU. In addition, certain types of ICMP traffic destined to the network infrastructure (that is, devices with IP addresses in the 10.1.1.0/24 subnet) will be rate-limited to 5000 packets per second (pps).


Note

When constructing Access Control Lists (ACL) to be used for CoPP, traffic that is “permitted” translates to traffic that will be inspected by CoPP, and traffic that is “denied” translates to traffic that CoPP bypasses. Please refer to this white paper on CoPP: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html. Specifically, see the following excerpt from the section, “Access List Construction”:

“There are several caveats and key points to keep in mind when constructing your access lists.

• The log or log-input keywords must never be used in access-lists that are used within MQC policies for CoPP. The use of these keywords may cause unexpected results in the functionality of CoPP.

• The use of the deny rule in access lists used in MQC is somewhat different to regular interface ACLs. Packets that match a deny rule are excluded from that class and cascade to the next class (if one exists) for classification. This is in contrast to packets matching a permit rule, which are then included in that class and no further comparisons are performed.”


Example 13-2 Control Plane Policing Configuration


!
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 time-exceeded
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 ttl-exceeded
access-list 123 deny   tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 123 deny   udp 192.168.1.0 0.0.0.255 any eq domain
access-list 123 permit tcp any any eq telnet
access-list 123 permit udp any any eq domain
access-list 123 deny   ip any any
!
class-map match-all ICMP
 match access-group 101
class-map match-all UNDESIRABLE-TRAFFIC
 match access-group 123
!
policy-map COPP-INPUT-POLICY
 class UNDESIRABLE-TRAFFIC
  drop
 class ICMP
  police 50000 5000 5000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-INPUT-POLICY
!

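The deny-cascade rule from the note above is easy to misread, so here is an added Python example (not from the book or from Cisco) that parses the ACLs of Example 13-2 and walks the policy-map classes in order, reporting which class and action a punted packet would hit; it also rejects any ACL line carrying the log or log-input keyword. The packet protocol, addresses and port or ICMP-type values fed to classify() are constructed test inputs.

```python
# Added example (not the book's code): simulate MQC classification for Example 13-2.
# In an MQC class an ACL "permit" places the packet in the class and stops; a "deny"
# only excludes it from that class and the packet cascades to the next class.
import ipaddress

ACL_LINES = """\
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 time-exceeded
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 ttl-exceeded
access-list 123 deny   tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 123 deny   udp 192.168.1.0 0.0.0.255 any eq domain
access-list 123 permit tcp any any eq telnet
access-list 123 permit udp any any eq domain
access-list 123 deny   ip any any""".splitlines()
# Classes in policy-map order: (class name, ACL number, action taken on a match)
POLICY = [("UNDESIRABLE-TRAFFIC", 123, "drop"), ("ICMP", 101, "police")]

def _net(tokens):
    """Consume an IOS address spec ('any' or 'addr wildcard'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ipaddress accepts a wildcard (host) mask in place of a prefix length
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(lines):
    """Return {acl number: [(action, proto, src, dst, qualifier)]}."""
    acls = {}
    for line in lines:
        t = line.split()
        if "log" in t or "log-input" in t:   # caveat from the CoPP white paper
            raise ValueError(f"log keyword is not allowed in a CoPP ACL: {line}")
        src, rest = _net(t[4:])
        dst, rest = _net(rest)
        # 'eq telnet' -> 'telnet'; an ICMP type name stays as-is; None = unqualified
        acls.setdefault(int(t[1]), []).append((t[2], t[3], src, dst, rest[-1] if rest else None))
    return acls

def acl_match(aces, proto, src, dst, qualifier):
    """Action of the first matching ACE, or None for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, q in aces:
        if p in ("ip", proto) and s in sn and d in dn and q in (None, qualifier):
            return action
    return None

def classify(acls, proto, src, dst, qualifier=None):
    """Walk the policy-map classes in order; return (class, action) for a punted packet."""
    for name, num, action in POLICY:
        if acl_match(acls[num], proto, src, dst, qualifier) == "permit":
            return name, action
    return "class-default", "transmit"   # no class matched: default class, no policing
```

Telnet from a trusted host hits the deny in ACL 123, so it is excluded from UNDESIRABLE-TRAFFIC and falls through to class-default; the same packet from any other source matches the permit and is dropped.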

To display the CoPP currently configured on the device, issue the show policy-map control-plane command, as demonstrated in Example 13-3.

Example 13-3 Verifying the Control Plane Policing Configuration


CCNA-Router-1# show policy-map control-plane

 Control Plane

  Service-policy input: COPP-INPUT-POLICY

    Class-map: UNDESIRABLE-TRAFFIC (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group 123
      drop

    Class-map: ICMP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group 101
      police:
          cir 50000 bps, bc 5000 bytes, be 5000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: class-default (match-any)
      3 packets, 551 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
CCNA-Router-1#

