Control plane policing

Please, does anyone understand the difference between using a class-map of type queue-threshold and using a default class-map with queue-limit in the policy-map?
class-map type queue-threshold match-all http-que
 match protocol http
policy-map type queue-threshold http-que
 class http-que
  queue-limit 100

class-map match-all http
 match access-group name http
policy-map http
 class http
  bandwidth 100000
  queue-limit 100

The type queue-threshold class will be matching HTTP packets that are destined for router management.
If you set a queue-limit under a regular class-map you are matching HTTP traffic that is routed through the router.
In other words, the CPP queue limit protects the control-plane (router management) queue from getting full and DoSing the router or locking someone out.
A regular class-map is for traffic through the router.
I hope it helps.
PK
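To show what the per-protocol queue-limit in a queue-threshold policy actually buys you, here is a toy simulation added to this page (it is not the poster's code and not a Cisco tool). It models the host input queue as a single bounded queue, gives one class (http) its own queue-limit of 100, and floods it with HTTP before trying to enqueue SSH. The class and function names, the queue sizes and the packet counts are all constructed for the example.

```python
"""Toy model of a per-protocol control-plane input queue limit.

Added example: models the effect of a CPPr queue-threshold policy-map on
packets punted to the route processor. Each protocol class can have its own
queue-limit; packets beyond it are dropped before they reach the shared
process-switched input queue, so a flood of one protocol cannot fill that
queue and starve the others (the "locking someone out" case in the reply).
"""
from collections import Counter, deque


class ControlPlaneQueue:
    def __init__(self, total_limit, per_class_limits):
        self.total_limit = total_limit            # size of the shared host input queue (assumed)
        self.per_class_limits = per_class_limits  # queue-limit per class, e.g. {"http": 100}
        self.queue = deque()
        self.per_class_count = Counter()
        self.dropped = Counter()

    def enqueue(self, protocol):
        """Try to queue one punted packet; return True if it was accepted."""
        limit = self.per_class_limits.get(protocol)
        if limit is not None and self.per_class_count[protocol] >= limit:
            self.dropped[protocol] += 1   # queue-threshold drop: class is over its own limit
            return False
        if len(self.queue) >= self.total_limit:
            self.dropped[protocol] += 1   # shared queue is full: this is the DoS case
            return False
        self.queue.append(protocol)
        self.per_class_count[protocol] += 1
        return True

    def depth(self, protocol):
        return self.per_class_count[protocol]


def simulate(limits, total_limit=200):
    """Flood 1000 HTTP packets, then try to enqueue 5 SSH packets.

    Returns how many HTTP packets sit in the queue, how many were dropped,
    and how many of the SSH packets still got in.
    """
    q = ControlPlaneQueue(total_limit, limits)
    for _ in range(1000):
        q.enqueue("http")
    ssh_accepted = sum(q.enqueue("ssh") for _ in range(5))
    return {
        "http_queued": q.depth("http"),
        "http_dropped": q.dropped["http"],
        "ssh_accepted": ssh_accepted,
    }


if __name__ == "__main__":
    print("no per-class limit:", simulate({}))
    print("http queue-limit 100:", simulate({"http": 100}))
```

Without a per-class limit the HTTP flood fills the whole queue and none of the SSH packets get in; with `queue-limit 100` on the http class, HTTP is capped at 100 entries, the excess is dropped, and SSH is still accepted.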

Similar Messages

  • Control Plane Policing (CoPP) for Data Center

    Hi All,
    I am planning to apply CoPP on different routers and switches of the Data Center. This Data Center comprises Cisco 6513 (VSS), Catalyst 3750, Cisco 3845 and Cisco 2811.
    My questions are:
    1. Do we have to apply CoPP on Catalyst 3750, as these are DMZ switches only?
    2. How to find the packet processing rate from router and switches?
    3. Any best practices CoPP template for routers running OSPF and BGP?
    Thanks and Regards,
    Ahmed.

    1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that will be able to be telneted to from the outside, for example, CoPPing them would be helpful for you.

    Do we not need to apply CoPP on switches and routers that are not telneted from outside?

    Control plane traffic is traffic that goes to the control plane of the router, like management traffic, SNMP etc. If there is a firewall securing you from the outside I would feel my switches are more secure and it is not easy to bring them to their knees with an attacker doing too much from the outside. Control plane policing applies to all control plane traffic, but it is mostly against outsiders that someone would try to protect himself.

    2. "sh proc cpu" would give you some insight for processes like SSH or telnet and how much they take. Not control packet rate processing though.

    I want to know the maximum packet processing rate of a router or switch?

    I don't think you will be able to pull that number.

    3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.

    Best practice for a router running OSPF with 200 routes?

    Don't know of any.
    PK

  • Control-plane policing on ML Card

    Hi All,
    We are experiencing high CPU utilization on one of our ML Cards in the ONS 15454. The "IP Input" process has relatively high CPU utilization irrespective of the proper fast/CEF switching enabled on the interfaces. We are trying to figure out whether there is an attack on the control-plane or whether any IP packets destined locally to the ML Card are causing those packets to be process switched.
    In order to figure that out, we thought we might try to use Control plane policing on the control-plane, but it seems not to be taking the service-policy associated with it. Is this feature supported on the ML card? Any other suggestion would be really appreciated.
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Try the "clear ip mroute" command on the ML card with high CPU usage and check for the issue. An ML card handling a large number of MAC address traffic can also cause high CPU usage. In very large bridged networks, which may connect directly to 1000s of layer-3 devices, it may also be wise to increase the MAC table limit above the default of 1000 MAC addresses. This is done with the configuration command:
    bridge X limit dynamic entries 10000

  • Control Plane Policing - is there a default config in a 6509?

    I was doing some configuration reviews today, removing some lines that needed to be removed and came across an ACL I have never seen before.  I sure wish I could copy and paste into this thread!
    ip access-list extended cpp-management
    class-map match-all cpp-any
    match access-group name cpp-any
    class-map match-all cpp-management
    match access-group name cpp-management
    and then some policy maps and access lists, etc.
    Does anyone know if this is a default config?  I've never seen it before and none of my co-workers have owned up to putting it in there.
    Thanks in advance.
    Tim

    It is not a default, that is a custom config. CoPP is not on by default.
    Hope it helps.

  • Control Plane Protection (Policing) configuration on Catalyst 3850

    I need to block ICMP requests from being received by the switch. And there is no 'control-plane' configuration mode, which I was going to use for this.
    How can I configure this feature or apply another for my purpose?

    Greetings,
    How about on the 3725 router?
    A couple of specific questions I have while configuring the portion for IGPs.
    Here are a couple of snippets of example configurations I'm finding on the Internet, that I have questions on.
    1. Cisco CoPP Best Practices
    access-list 120 permit ospf any
    access-list 120 permit ospf any host 224.0.0.5
    access-list 120 permit ospf any host 224.0.0.6
    2. Deploying Cisco Control Plane Policing
    ip access-list extended coppacl-igp
     remark CoPP IGP traffic class
     ! permit OSPF
     permit ospf any host 224.0.0.5
     permit ospf any host 224.0.0.6
     permit ospf any any
    3. RFC6192
    ip access-list extended OSPF
     permit ospf 192.0.2.0 0.0.0.255 any
    Questions:
    - Which option is better?
    - Is the network specified in option #3 the network statement under the OSPF process, or the actual network I'm routing?
    - If option #1 is better, what is the "router receive block" mentioned?
    Thank you for your assistance!!
    Debbie

  • Rule for Control Plane traffic Transparent Firewall

    Hi Everyone,
    On an ASA working in routed mode, traffic is allowed by default from the high-security inside to the low-security outside.
    But in the case of a transparent firewall, control plane traffic from inside to outside is not allowed by default.
    I need to know the reason behind this?
    Is this due to the transparent firewall being layer 2?
    Regards
    Mahesh

    Hello Chintan,
    the VRF access link where the CE is connected is part of the VRF and isn't a member of the Global Routing Table anymore.
    So any possible attempt to build an LDP session cannot impact the backbone MPLS control plane.
    If you want to specify all the acceptable LDP sources in a receive-ACL or in Control plane policing as part of a security plan, that will be another matter.
    Only in a Carrier Supporting Carrier scenario do you have an MPLS LDP or BGPv4-with-labels session between PE and CE.
    Hope to help
    Giuseppe

  • What snmp OID to use to monitor control-plane of router

    Hi there!
    I've applied policy-maps on the control-plane, based on Cisco's recommendation.
    Now I need to know what SNMP OID I have to use to monitor them (I'm using Zabbix).
    Let me know.
    Regards!

    If you are using IOS which uses a policy-map to configure Control Plane Policing then you are asking in the wrong place as this forum is for IOS-XR not IOS but you can poll objects in the CISCO-CLASS-BASED-QOS-MIB::cbQosPoliceStatsTable (for example cbQosCMDropByte64, cbQosPoliceExceededByte64, cbQosPoliceConformedByte64).
    If you mean you have changed the LPTS policers to help protect the control-plane in IOS-XR then I believe there is currently no support for polling the counters via SNMP. See the section on monitoring in Xander's document https://supportforums.cisco.com/document/93456/asr9000xr-local-packet-transport-services-lpts-copp

  • ASA Control Plane

    Hello,
    I'm attempting to limit what IP addresses can connect to an ASA using the SSL VPN. I would have thought control-plane policing would have worked, however it did not.
    Here is what I configured:
    access-list vpn_control extended permit tcp object-group allowed_clients interface outside
    access-group vpn_control in interface outside control-plane
    Any suggestions would be appreciated.
    Thanks!

    I'm having a problem which I think is described here.  I would essentially like to whitelist networks for SSL AnyConnect VPN access.  I understand that the AnyConnect client would attempt a connection to my outside interface on 443 and that it would be considered "to the box traffic" which would bypass the interface ACLs. I set up an ACL to deny traffic from a specific test network to test the control plane option.  At first I tried 443 traffic and later expanded it to a deny any from the external network, but in either case I was still able to VPN to the ASA from this test network using the AnyConnect client.  I assume this has something to do with management traffic having priority and not distinguishing between management traffic destined for /admin and SSL VPN connections.  However, I do not have the outside interface enabled as a management interface, so even that is a little puzzling.
    access-list outside_access_in_1 extended deny ip object test_network any
    access-list outside_access_in_1 extended permit ip any any
    access-group outside_access_in_1 in interface outside control-plane
    If I do a packet trace for 443 traffic from that network to my outside interface IP it does show the traffic passing and the ACL section specifically shows it passing via implicit rule...

  • Control-plane protection | software / hardware counters

    Hi everybody
    Today I noticed something strange at work. I was looking at how we implemented a policy to drop ICMPs hitting our processor after certain constraints are met.
    cisco#show running-config | begin control-plane
    control-plane
    service-policy input copp-aggregated
    +++++++++++++++++++++++
    Policy definition:
    policy-map copp-aggregated
    class cpp-icmp
       police cir 5000000 bc 93750 be 187500 conform-action transmit exceed-action drop violate-action drop
    class-map match-all cpp-icmp
      match access-group name cpp-icmp
    cisco#show ip access cpp-icmp
    Extended IP access list cpp-icmp
        10 permit icmp any any (156222580 matches)
    ++++++++++++++++++++++++++++++
    cisco#show policy-map control-plane
     Control Plane Interface
    Service-policy input: copp-aggregated
    Hardware Counters:
        class-map: cpp-icmp (match-all)
          Match: access-group name cpp-icmp
          police :
            5000000 bps 93000 limit 93000 extended limit
          Earl in slot 5 :
            5295068971 bytes
            5 minute offered rate 9528 bps
            aggregate-forwarded 5259145173 bytes action: transmit
            exceeded 35923798 bytes action: drop
            aggregate-forward 9936 bps exceed 0 bps
      Software Counters:
        Class-map: cpp-icmp (match-all)
          99672582 packets, 14936584392 bytes
          5 minute offered rate 11000 bps, drop rate 0 bps
          Match: access-group name cpp-icmp
          police:
              cir 5000000 bps, bc 93750 bytes, be 187500 bytes
            conformed 99672950 packets, 14936253164 bytes; action: transmit
            exceeded 289 packets, 422518 bytes; action: drop
            violated 0 packets, 0 bytes; action: drop
            conformed 13000 bps, exceed 0 bps, violate 0 bps
    +++++++++++++++++++++++++++++++++++
    I can see the "software counters" just show the constraints defined under policy "copp-aggregated"; how did we end up with hardware counters?
    The hardware counters show "5000000 bps 93000 limit 93000 extended limit", which we never defined anywhere.
    I appreciate your help
    Thanks
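The two counter blocks in this post are worth parsing rather than eyeballing: the hardware policer (the "Earl in slot 5" block) and the software policer report different burst values and very different drop volumes for the same class. The parser below is an added example for this page (not the poster's code and not a Cisco tool); it takes the `show policy-map control-plane` text from the post as its sample input, pulls the policer parameters and conformed/exceeded/violated counters out of each block, and computes a drop ratio per block so a monitoring job can alert on it. The function names and the alert threshold are assumptions of the example.

```python
import re

# "show policy-map control-plane" output copied from the post above. It is the
# poster's captured output, embedded here as the sample input; nothing is polled live.
SAMPLE = """\
Control Plane Interface
Service-policy input: copp-aggregated
Hardware Counters:
    class-map: cpp-icmp (match-all)
      Match: access-group name cpp-icmp
      police :
        5000000 bps 93000 limit 93000 extended limit
      Earl in slot 5 :
        5295068971 bytes
        5 minute offered rate 9528 bps
        aggregate-forwarded 5259145173 bytes action: transmit
        exceeded 35923798 bytes action: drop
        aggregate-forward 9936 bps exceed 0 bps
  Software Counters:
    Class-map: cpp-icmp (match-all)
      99672582 packets, 14936584392 bytes
      5 minute offered rate 11000 bps, drop rate 0 bps
      Match: access-group name cpp-icmp
      police:
          cir 5000000 bps, bc 93750 bytes, be 187500 bytes
        conformed 99672950 packets, 14936253164 bytes; action: transmit
        exceeded 289 packets, 422518 bytes; action: drop
        violated 0 packets, 0 bytes; action: drop
        conformed 13000 bps, exceed 0 bps, violate 0 bps
"""


def parse_copp(text):
    """Return {class_name: {"hw": {...}, "sw": {...}}} from show policy-map control-plane output."""
    result, section, current = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Hardware Counters"):
            section = "hw"
            continue
        if s.startswith("Software Counters"):
            section = "sw"
            continue
        m = re.match(r"[Cc]lass-map:\s+(\S+)", s)
        if m:
            current = result.setdefault(m.group(1), {"hw": {}, "sw": {}})
            continue
        if current is None or section is None:
            continue
        bucket = current[section]
        m = re.match(r"Match: access-group name (\S+)", s)
        if m:
            bucket["acl"] = m.group(1)
            continue
        # software policer parameters: "cir N bps, bc N bytes, be N bytes"
        m = re.match(r"cir (\d+) bps, bc (\d+) bytes, be (\d+) bytes", s)
        if m:
            bucket.update(cir=int(m.group(1)), bc=int(m.group(2)), be=int(m.group(3)))
            continue
        # hardware policer parameters: "N bps N limit N extended limit"
        m = re.match(r"(\d+) bps (\d+) limit (\d+) extended limit", s)
        if m:
            bucket.update(cir=int(m.group(1)), bc=int(m.group(2)), be=int(m.group(3)))
            continue
        # software counters carry packets and bytes
        m = re.match(r"(conformed|exceeded|violated) (\d+) packets, (\d+) bytes", s)
        if m:
            bucket[m.group(1) + "_packets"] = int(m.group(2))
            bucket[m.group(1) + "_bytes"] = int(m.group(3))
            continue
        # hardware counters carry bytes only
        m = re.match(r"aggregate-forwarded (\d+) bytes", s)
        if m:
            bucket["conformed_bytes"] = int(m.group(1))
            continue
        m = re.match(r"exceeded (\d+) bytes action: drop", s)
        if m:
            bucket["exceeded_bytes"] = int(m.group(1))
    return result


def drop_ratio(bucket):
    """Fraction of bytes the policer dropped (exceeded + violated) out of all bytes it saw."""
    dropped = bucket.get("exceeded_bytes", 0) + bucket.get("violated_bytes", 0)
    total = bucket.get("conformed_bytes", 0) + dropped
    return dropped / total if total else 0.0


def classes_over_threshold(parsed, threshold=0.001):
    """Classes whose hardware or software policer dropped more than `threshold` of its bytes."""
    return [name for name, sections in parsed.items()
            if any(drop_ratio(b) > threshold for b in sections.values())]


if __name__ == "__main__":
    parsed = parse_copp(SAMPLE)
    for name, sections in parsed.items():
        for side in ("hw", "sw"):
            b = sections[side]
            print(f"{name} {side}: bc={b.get('bc')} drop_ratio={drop_ratio(b):.6f}")
    print("over threshold:", classes_over_threshold(parsed))
```

On the poster's output the software policer shows a drop ratio of about 0.003% while the hardware policer shows about 0.68%, and the burst programmed in hardware (93000) differs from the configured bc (93750). Both facts are only visible because the two blocks are compared side by side, which is why a monitoring check should read the hardware counters where the platform reports them.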

    BTW, don't know why but the **** above should have read k - n - o - b.  Probably the decorum police checking in...

  • Control Plane Policy not allowing ssh on my 3825 router

    I have complaints from a downstream customer trying to connect to my network. He is the only one connecting to hosts via SSH. He is showing up hitting the 3rd party (McAfee Sidewinder Firewall) between the 2 Cisco 3825 routers but with the bytes stripped out.  I started looking at the control plane policy and believe it is the culprit. He is the only host I need to get in through the router (WAN) via this protocol/port. What do I need to change in order to allow him through?

  • What is the Control Plans functionality in cProjects used for?

    Hi Folks,
    What is the purpose and usage of control plans in cProjects? Is this useful in an environment where QM is not implemented? Appreciate if somebody could provide an example of how this functionality will be useful from a project management standpoint. I am on cProjects 4.5.
    Cheers,
    Lashan

    Hi,
    the control plan functionality in cProjects is deprecated, see SAP Note 1114207:
    Using the control plans is not recommended because with new developments in SAP PLM Quality Management (QM). cProjects remains the preferred project management solution, but all QM aspects that are not directly related to project management should be managed in SAP ERP.
    Kind regards,
       Florian

  • Control Plane and Data Plane

    Hi there,
    I'm trying to figure out how to determine and how to differentiate between control plane and data plane, especially in troubleshooting MPLS VPN. Is there any keyword that distinguishes between them? It seems to be confusing for a newbie here :)
    Thanks in advance.
    maher

    Hi Maher,
    The control plane is simply the set of processes that are responsible for disseminating information on routes, labels etc. within a network. This includes routing protocols whose job is to communicate information on routes between different routers. The information provided by these protocols is then used to build routing/forwarding tables.
    The data plane is simply an abstraction used to describe the actual flow of data packets using paths determined by the control plane. The control plane traffic carries control traffic (which is not end-user data) whereas the data plane traffic is actual end-user data.
    There is no single command that you can use to distinguish between the two. The commands you have on a router that can be used to view control plane operation are as such:
    sh ip route
    sh ip cef
    sh ip bgp ...
    sh ip ospf ...
    sh mpls forwarding-table...
    etc... and many, many more
    Typically, there isn't a clear demarcation between commands that display control plane info and those that display data plane information... You could use commands such as the following to get some idea of data traffic flowing through a router:
    sh interfaces
    sh policy-map interface
    etc.
    Hope that helps - pls rate the post if it does.
    Paresh

  • CProjects- Control Plan

    Hi All,
    I am working on cProjects. When I assign the control plan on the Project definition it is created. I can create the process & assign the tools & characteristics. But in the additional data for characteristics the fields are greyed out. Example: I want the unit K, lower & higher values for the characteristic temp, but it is greyed out.
    Is there any setting required for transfer to SAP R/3 as an inspection plan?
    Help required.
    RAMU

    Go to Characteristics ‘CT04’ or ‘CT02’
    Go to Additional Data Tab---- enter TABLE which you want use , enter FIELD values
    Enter document details below
    Save transaction
    Enjoy SAP…….!!!!!!

  • How to map,e.g. conceptual control plane to physical element?

    Route processor = control plane (customer, provider) in layer 3
    Line card = data plane in layer 2 & layer 3
    where is management plane?
    Thanks

    Hi
    When you configure the MP you can see the logging for the same. The log you will get:
    Aug  2 15:25:32.846: %CP-5-FEATURE: Management-Interface feature enabled on Control plane host path
    It shows that the MP works over the Control plane. Meaning that in the Route processor the MP will take place.
    Regards
    Chetan Kumar

  • Control plane protection

    Hi guys,
    I want to implement control plane protection for fragmented packets. As far as I know, if fragmented packets are traversing through the router then the service-policy will be applied at control-plane transit, but if fragmented packets are destined to the router itself then it will be applied at control-plane host. Correct me if I am wrong. Moreover I want to know the difference between
    Control-plane
    Control-plane host
    Control-plane transit
    Control-plane cef

    Hi Bro
    What you’re doing is good. It’s always best to block the fragmented packets at the control-plane level, rather than via the normal ACL.
    In the basic/lower feature set IOS versions, there is no breakdown in terms of control-plane. With the advanced/higher feature set IOS versions, you have control-plane host, control-plane transit and control-plane cef. Your next question would be when do I apply them, in what given situations, am I right? Basically, in a nutshell, here goes
    a)    control-plane host handles packets destined for router itself e.g. management traffic (telnet/ssh/tacacs+/radius) and routing traffic.
    b)    control-plane transit works on IP based packets traversing through the router e.g. internet browsing, email etc.
    c)    control-plane cef focuses on non-IP packets e.g. CDP, ARP etc.
    With this in mind, you might wanna expand your knowledge in depth, by reading this Cisco document http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html
    P/S: if you think this comment is useful, please do rate them nicely :-) and click on the button THIS QUESTION IS ANSWERED.
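To make the three-way split in the reply concrete, here is a small model added to this page (not the poster's code and not a Cisco tool) that sorts constructed punted packets into the host, transit and cef-exception paths and then applies a per-path policy; it is the asker's fragment case worked through: a fragment addressed to the router hits the host-path policy, a fragment passing through hits the transit policy, and ARP/CDP land on the third path. IOS names that third path `cef-exception` (the reply shortens it to "control-plane cef"). The router addresses, the packet records, the policy table and all function names are constructed for the example, and the model deliberately ignores the finer rules real CPPr uses to decide which IP packets reach the transit path versus the cef-exception path.

```python
"""Simplified model of CPPr's host / transit / cef-exception paths.

Added example: router addresses, packets and policy are constructed here.
Real CPPr also sends some IP packets (e.g. with IP options or TTL expiry)
to the cef-exception path; that detail is left out of this model.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Punted:
    """One packet punted to the route processor (constructed record)."""
    is_ip: bool
    dst: str = ""
    proto: str = ""
    fragment: bool = False


# Addresses owned by the router itself (documentation prefixes, constructed).
ROUTER_ADDRS = {"192.0.2.1", "198.51.100.1"}


def cppr_path(pkt, router_addrs=ROUTER_ADDRS):
    """Pick the CPPr path the way the reply describes them."""
    if not pkt.is_ip:
        return "cef-exception"   # non-IP traffic such as ARP and CDP
    if pkt.dst in router_addrs:
        return "host"            # addressed to the box: management and routing traffic
    return "transit"             # IP traffic passing through the box


# Per-path policy: drop fragments only where they are aimed at the router itself;
# transit fragments are left to the normal interface ACLs (assumed policy).
POLICY = {
    "host": lambda p: "drop" if p.fragment else "permit",
    "transit": lambda p: "permit",
    "cef-exception": lambda p: "permit",
}


def apply_policy(packets, policy=POLICY):
    """Return a Counter of (path, action) pairs for the given packets."""
    counts = Counter()
    for p in packets:
        path = cppr_path(p)
        counts[(path, policy[path](p))] += 1
    return counts


# Constructed sample traffic covering each path and both fragment cases.
PACKETS = [
    Punted(is_ip=True, dst="192.0.2.1", proto="ssh"),                   # to the box
    Punted(is_ip=True, dst="192.0.2.1", proto="icmp", fragment=True),   # fragment to the box
    Punted(is_ip=True, dst="203.0.113.9", proto="http"),                # through the box
    Punted(is_ip=True, dst="203.0.113.9", proto="udp", fragment=True),  # fragment through the box
    Punted(is_ip=False, proto="arp"),
    Punted(is_ip=False, proto="cdp"),
]


def demo(packets=PACKETS):
    return apply_policy(packets)


if __name__ == "__main__":
    for (path, action), n in sorted(demo().items()):
        print(f"{path:14s} {action:7s} {n}")
```

Running it shows one host-path drop (the fragment addressed to the router), two transit permits including the through-the-box fragment, and two cef-exception permits for ARP and CDP, which is exactly the split the asker was checking.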
