Difference between revisions of "Netband Project - CoPP"

From Teknologisk videncenter
Jump to: navigation, search
(External Links)
 
(34 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<accesscontrol>NetBand</accesscontrol>
+
=CoPP=
 
This page is part of the [[Netband_Project|Netband Project]]
 
This page is part of the [[Netband_Project|Netband Project]]
 
==Control Plane Policing==
 
==Control Plane Policing==
Line 5: Line 5:
 
*CoPP can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
 
*CoPP can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
 
*Uses MQC (Modular QoS CLI)
 
*Uses MQC (Modular QoS CLI)
*Control Plane Policing Architecture
+
*In version 12.4(4)T additional features were introduced
 +
**Control plane protection
 +
**Port-filtering
 +
**Queue-thresholding
 +
 
 +
==Control Plane Protection==
 +
*Introduces subinterfaces to the control plane
 +
*Aggregrate Control Plane Policing
 +
**Control Plane cef-exception subinterface
 +
***receives all traffic that is either redirected as a result of a configured input feature in the CEF packet forwarding path for process switching or directly enqueued in the control plane input queue by the interface driver.
 +
***Eg. ARP, L2 Keepalives and all non-IP host traffic.
 +
**Control Plane host subinterface
 +
*** receives all control-plane IP traffic that is directly destined for one of the router interfaces.
 +
***All host traffic terminates on and is processed by the router.
 +
***Eg. SSH, SNMP, BGP, OSPF, Tunnel termination and EIGRP.
 +
**Control Plane transit subinterface
 +
***receives all control-plane IP traffic that is software switched by the route processor.
 +
 
 
[[Image:CoPP.JPG|Architechture]]
 
[[Image:CoPP.JPG|Architechture]]
*Prior to 12.4(4)T it was only possible to configure the aggregate interface
+
 
 +
==Port-filter policy==
 +
*Blocks traffic destined to closed or nonlistened TCP/UDP ports
 +
*Only works with the host subinterface.
 +
*Maintains a global database of all open TCP and UDP ports on the router, including ports created by applications.
 +
 
 +
==Queue Threshold Policy==
 +
*limits the number of unprocessed packets for a given higher level protocol allowed in the control-plane IP input queue.
  
 
==Configuration==
 
==Configuration==
<pre>Versions prior to 12.4(4)T
+
Control plane Policing
 +
<pre>Versions prior to 12.4(4)T or if you only want to configure the aggregate interface
  
 
ip access-list extended coppacl-igp
 
ip access-list extended coppacl-igp
Line 59: Line 84:
 
control-plane
 
control-plane
 
  service-policy input copp-policy
 
  service-policy input copp-policy
 +
</pre>
 +
Port-filter policy
 +
<pre>class-map type port-filter match-any portfilter-cmap
 +
match  closed-ports
 +
!
 +
policy-map type port-filter portfilter-pmap
 +
class portfilter-cmap
 +
  drop
 +
!
 +
control-plane host
 +
service-policy type port-filter input portfilter-pmap
 +
!
 +
</pre>
 +
Queue-threshold policy
 +
<pre>class-map type queue-threshold match-all queue-cmap
 +
match host-protocols
 +
!
 +
policy-map type queue-threshold queue-pmap
 +
class queue-cmap
 +
queue-limit 100
 +
!
 +
control-plane host
 +
service-policy type queue-threshold input queue-pmap
 +
</pre>
 +
 +
==Show output==
 +
<pre>B1rt1#sh control-plane host open-ports
 +
Active internet connections (servers and established)
 +
Prot        Local Address      Foreign Address                  Service    State
 +
tcp                *:22                  *:0              SSH-Server  LISTEN
 +
tcp                *:23                  *:0                  Telnet  LISTEN
 +
tcp                *:80                  *:0                HTTP CORE  LISTEN
 +
tcp                *:22      10.1.2.50:5954              SSH-Server ESTABLIS
 +
udp                *:67                  *:0            DHCPD Receive  LISTEN
 +
udp                *:68                  *:0            BootP client  LISTEN
 +
udp                *:123                  *:0                      NTP  LISTEN
 +
</pre>
 +
<pre>
 +
B1rt1#sh control-plane host counters
 +
Control plane host path counters :
 +
 +
Feature                  Packets Processed/Dropped/Errors
 +
 +
--------------------------------------------------------
 +
TCP/UDP Portfilter          3337/2028/0
 +
Protocol Queue Threshold      384/0/0
 +
 +
--------------------------------------------------------
 +
</pre>
 +
<pre>
 +
B1rt1#sh control-plane counters
 +
Feature Path            Packets processed/dropped/errors
 +
Aggregate                  392996/2628/0
 +
Host                        9373/2135/0
 +
Transit                    369604/0/0
 +
Cef-exception              11391/0/0
 
</pre>
 
</pre>
  
 
==External Links==
 
==External Links==
Prior to 12.4(4)T
+
[http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html CoPP]
 
<br>
 
<br>
[http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html CoPP]
+
[http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/ctrl_plane_prot_ps6441_TSD_Products_Configuration_Guide_Chapter.html CoP extended feature set]
 
<br>
 
<br>
 
[http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html CoPP best practice design guide]
 
[http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html CoPP best practice design guide]
<br>
+
[[Category:network]][[Category:CCNP]][[category:students]]
[http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/ctrl_plane_prot_ps6441_TSD_Products_Configuration_Guide_Chapter.html CoP]
 
<br>
 

Latest revision as of 06:32, 13 May 2009

CoPP

This page is part of the Netband Project

Control Plane Policing

  • The Control Plane Policing feature allows users to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks.
  • CoPP can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
  • Uses MQC (Modular QoS CLI)
  • In version 12.4(4)T additional features were introduced
    • Control plane protection
    • Port-filtering
    • Queue-thresholding

Control Plane Protection

  • Introduces subinterfaces to the control plane
  • Aggregrate Control Plane Policing
    • Control Plane cef-exception subinterface
      • receives all traffic that is either redirected as a result of a configured input feature in the CEF packet forwarding path for process switching or directly enqueued in the control plane input queue by the interface driver.
      • Eg. ARP, L2 Keepalives and all non-IP host traffic.
    • Control Plane host subinterface
      • receives all control-plane IP traffic that is directly destined for one of the router interfaces.
      • All host traffic terminates on and is processed by the router.
      • Eg. SSH, SNMP, BGP, OSPF, Tunnel termination and EIGRP.
    • Control Plane transit subinterface
      • receives all control-plane IP traffic that is software switched by the route processor.

Architechture

Port-filter policy

  • Blocks traffic destined to closed or nonlistened TCP/UDP ports
  • Only works with the host subinterface.
  • Maintains a global database of all open TCP and UDP ports on the router, including ports created by applications.

Queue Threshold Policy

  • limits the number of unprocessed packets for a given higher level protocol allowed in the control-plane IP input queue.

Configuration

Control plane Policing

Versions prior to 12.4(4)T or if you only want to configure the aggregate interface

ip access-list extended coppacl-igp
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
 permit ospf any any
!
ip access-list extended coppacl-management
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp 10.0.0.0 0.255.255.255 any eq telnet
 permit udp host 10.1.1.10 any eq snmp
 permit udp host 10.0.0.11 any eq ntp
!
ip access-list extended coppacl-monitoring
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo-reply
 permit icmp any any echo
!
ip access-list extended coppacl-critical-app
 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
 permit udp host 10.1.1.11 eq bootps any eq bootps
!
class-map match-all coppclass-igp
 match access-group name coppacl-igp
class-map match-all coppclass-management
 match access-group name coppacl-management
class-map match-all coppclass-monitoring
 match access-group name coppacl-monitoring
class-map match-all coppclass-critical-app
 match access-group name coppacl-critical-app
class-map match-all coppclass-layer2
 match protocol arp
!
policy-map copp-policy
 class coppclass-igp
 class coppclass-management
  police rate 250 pps conform-action transmit exceed-action drop
 class coppclass-monitoring
  police rate 50 pps conform-action transmit exceed-action drop
 class coppclass-critical-app
  police rate 75 pps conform-action transmit exceed-action drop
 class coppclass-layer2
  police rate 25 pps conform-action transmit exceed-action drop
 class class-default
  police rate 10 pps conform-action transmit exceed-action drop
!
control-plane
 service-policy input copp-policy

Port-filter policy

class-map type port-filter match-any portfilter-cmap
 match  closed-ports
!
policy-map type port-filter portfilter-pmap
 class portfilter-cmap
   drop
!
control-plane host
 service-policy type port-filter input portfilter-pmap
!

Queue-threshold policy

class-map type queue-threshold match-all queue-cmap
 match host-protocols
!
policy-map type queue-threshold queue-pmap
class queue-cmap
 queue-limit 100
!
control-plane host
 service-policy type queue-threshold input queue-pmap

Show output

B1rt1#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
 tcp                 *:22                  *:0               SSH-Server   LISTEN
 tcp                 *:23                  *:0                   Telnet   LISTEN
 tcp                 *:80                  *:0                HTTP CORE   LISTEN
 tcp                 *:22       10.1.2.50:5954               SSH-Server ESTABLIS
 udp                 *:67                  *:0            DHCPD Receive   LISTEN
 udp                 *:68                  *:0             BootP client   LISTEN
 udp                *:123                  *:0                      NTP   LISTEN
B1rt1#sh control-plane host counters
Control plane host path counters :

Feature                  Packets Processed/Dropped/Errors

--------------------------------------------------------
TCP/UDP Portfilter           3337/2028/0
Protocol Queue Threshold      384/0/0

--------------------------------------------------------
B1rt1#sh control-plane counters
Feature Path             Packets processed/dropped/errors
Aggregate                  392996/2628/0
Host                         9373/2135/0
Transit                    369604/0/0
Cef-exception               11391/0/0

External Links

CoPP
CoP extended feature set
CoPP best practice design guide