Difference between revisions of "Netband Project - CoPP"
From Teknologisk videncenter
(→Control Plane Policing) |
(→Control Plane Policing) |
||
| Line 8: | Line 8: | ||
[[Image:CoPP.JPG|Architechture]] | [[Image:CoPP.JPG|Architechture]] | ||
*Prior to 12.4(4)T it was only possible to configure the aggregate interface | *Prior to 12.4(4)T it was only possible to configure the aggregate interface | ||
| + | |||
| + | ==Configuration== | ||
| + | <pre> | ||
| + | ip access-list extended coppacl-igp | ||
| + | permit ospf any host 224.0.0.5 | ||
| + | permit ospf any host 224.0.0.6 | ||
| + | permit ospf any any | ||
| + | ! | ||
| + | ip access-list extended coppacl-management | ||
| + | permit tcp 10.0.0.0 0.255.255.255 any eq 22 | ||
| + | permit tcp 10.0.0.0 0.255.255.255 any eq telnet | ||
| + | permit udp host 10.1.1.10 any eq snmp | ||
| + | permit udp host 10.0.0.11 any eq ntp | ||
| + | ! | ||
| + | ip access-list extended coppacl-monitoring | ||
| + | permit icmp any any ttl-exceeded | ||
| + | permit icmp any any port-unreachable | ||
| + | permit icmp any any echo-reply | ||
| + | permit icmp any any echo | ||
| + | ! | ||
| + | ip access-list extended coppacl-critical-app | ||
| + | permit udp host 0.0.0.0 host 255.255.255.255 eq bootps | ||
| + | permit udp host 10.1.1.11 eq bootps any eq bootps | ||
| + | </pre> | ||
==External Links== | ==External Links== | ||
Revision as of 12:22, 15 April 2009
<accesscontrol>NetBand</accesscontrol> This page is part of the Netband Project
Control Plane Policing
- The Control Plane Policing feature allows users to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks.
- CoPP can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
- Uses MQC (Modular QoS CLI)
- Control Plane Policing Architecture
- Prior to 12.4(4)T it was only possible to configure the aggregate interface
Configuration
ip access-list extended coppacl-igp permit ospf any host 224.0.0.5 permit ospf any host 224.0.0.6 permit ospf any any ! ip access-list extended coppacl-management permit tcp 10.0.0.0 0.255.255.255 any eq 22 permit tcp 10.0.0.0 0.255.255.255 any eq telnet permit udp host 10.1.1.10 any eq snmp permit udp host 10.0.0.11 any eq ntp ! ip access-list extended coppacl-monitoring permit icmp any any ttl-exceeded permit icmp any any port-unreachable permit icmp any any echo-reply permit icmp any any echo ! ip access-list extended coppacl-critical-app permit udp host 0.0.0.0 host 255.255.255.255 eq bootps permit udp host 10.1.1.11 eq bootps any eq bootps