CoPP - Control Plane Policing
Control Plane Functions:
- Builds the routing and forwarding tables for the data planes
- Runs on the process level
- Shares the main CPU with the slow data path processes and management processes
- By default, it also shares the path (queue) to the main CPU
Threats:
- Slow path denial-of-service attacks
- Routing protocol spoofing
CoPP:
- Permits or denies access to the control plane
- Rate-limits access to the control plane
- Configured as a service policy on a virtual control plane interface
ACLs to identify the traffic flows seen by the control plane
ip access-list extended ICMP-CoPP
 permit icmp any any echo-reply
 permit icmp any any echo
ip access-list extended IPSec-CoPP
 permit udp any eq isakmp any eq isakmp
 permit esp any any
 permit gre any any
ip access-list extended Mgmt-CoPP
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit udp any any eq snmp
ip access-list extended Routing-CoPP
 permit tcp any eq bgp any established
 permit eigrp any host 224.0.0.10
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
Match the ACLs to class maps
class-map match-all ICMP-CoPP-MAP
 match access-group name ICMP-CoPP
class-map match-all IPSec-CoPP-MAP
 match access-group name IPSec-CoPP
class-map match-all Mgmt-CoPP-MAP
 match access-group name Mgmt-CoPP
class-map match-all Routing-CoPP-MAP
 match access-group name Routing-CoPP
Define a policy map to police traffic classes
policy-map CoPP-POLICY
 class ICMP-CoPP-MAP
  police 8000 conform-action transmit exceed-action drop
 class IPSec-CoPP-MAP
  police 64000 conform-action transmit exceed-action drop
 class Mgmt-CoPP-MAP
  police 64000 conform-action transmit exceed-action drop
 class Routing-CoPP-MAP
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 8000 conform-action transmit exceed-action drop
Apply the policy map to the control plane as a service policy
control-plane
service-policy input CoPP-POLICY
CoPP Verification
show policy-map control-plane