Thursday 2 July 2020

Control Plane Policing (CoPP) Configuration in Cisco IOS

As per the Cisco website's definition:
Control Plane Policing (CoPP) is a Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices. CoPP is designed to prevent unnecessary traffic from overwhelming the route processor that, if left unabated, could affect system performance.

Here's a sample configuration in applying CoPP.


Step 1: Create the necessary ACLs
a. Important services, e.g. NTP, SSH, SNMP

ip access-list extended SSH-ACL
 permit tcp host 192.168.10.10 any eq 22
 permit tcp host 192.168.20.20 any eq 22
 deny   tcp any any eq 22

ip access-list standard SNMP-ACL
 permit 192.168.30.30
 permit 192.168.40.40

ip access-list standard NTP-ACL
 permit 172.16.18.2
 permit 172.16.18.3

b. ICMP
ip access-list extended ICMP-ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable

c. IGP
ip access-list extended IGP-ACL
 permit ospf any any
 permit tcp 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255 eq bgp
 permit tcp 192.168.3.0 0.0.0.255 eq bgp 192.168.3.0 0.0.0.255

d. Harmful services or traffic
ip access-list extended HARMFUL-ACL
 permit tcp any any fragments
 permit udp any any fragments
 permit icmp any any fragments
 permit ip any any fragments
 permit udp any any range netbios-ns netbios-ss
 permit tcp any any eq 445
 permit udp any any eq 445
 permit udp any any eq 1434
 permit tcp any any range 137 139

e. All traffic
ip access-list extended ALL-ACL
 permit pim any any
 permit igmp any any
 permit icmp any any
 permit gre any any
 permit tcp any any
 permit udp any any
 permit ip any any


Step 2: Configure Class Maps
class-map match-any CoPP-SSH-SNMP-NTP
 match access-group name SSH-ACL
 match access-group name SNMP-ACL
 match access-group name NTP-ACL

class-map match-all CoPP-ICMP
 match access-group name ICMP-ACL

class-map match-all CoPP-IGP
 match access-group name IGP-ACL

class-map match-all CoPP-HARMFUL
 match access-group name HARMFUL-ACL

class-map match-all CoPP-ALL
 match access-group name ALL-ACL
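To see how Steps 1 and 2 decide which class a packet lands in, here is an added Python model of the ACLs, the class maps and the class order the policy map in Step 3 uses; it is not code from the page or from Cisco. It assumes a simplified packet record, treats the two standard ACLs (SNMP-ACL, NTP-ACL) as source-only matches, collapses the four `fragments` entries of HARMFUL-ACL into one `ip` entry, and applies the IOS rule that a non-initial fragment is never checked against entries carrying Layer 4 ports. One point worth noticing: an SSH packet from a host that SSH-ACL denies is not dropped by that class, it simply fails to match it and falls through to CoPP-ALL.

```python
import ipaddress

# Constructed packet record: proto is "tcp"/"udp"/"icmp"/"ospf"; fragment=True
# means a non-initial IP fragment, which carries no Layer 4 header.
def pkt(proto, src, dst, sport=None, dport=None, icmp_type=None, fragment=False):
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport,
                icmp_type=icmp_type, fragment=fragment)

# One access-list entry: "ip" matches every protocol, "any" every address,
# a (lo, hi) tuple is a port range, fragments=True is the 'fragments' keyword.
def ace(action, proto, src="any", dst="any", sport=None, dport=None,
        icmp_type=None, fragments=False):
    return dict(action=action, proto=proto, src=src, dst=dst, sport=sport,
                dport=dport, icmp_type=icmp_type, fragments=fragments)

def _addr_ok(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(port, spec):
    if spec is None:
        return True
    if port is None:
        return False
    return spec[0] <= port <= spec[1] if isinstance(spec, tuple) else port == spec

def ace_matches(e, p):
    if e["proto"] not in ("ip", p["proto"]):
        return False
    if not (_addr_ok(p["src"], e["src"]) and _addr_ok(p["dst"], e["dst"])):
        return False
    if e["fragments"] and not p["fragment"]:
        return False
    needs_l4 = any(e[k] is not None for k in ("sport", "dport", "icmp_type"))
    if needs_l4 and p["fragment"]:      # IOS: no Layer 4 check on non-initial fragments
        return False
    if not (_port_ok(p["sport"], e["sport"]) and _port_ok(p["dport"], e["dport"])):
        return False
    return e["icmp_type"] is None or e["icmp_type"] == p["icmp_type"]

# The page's ACLs (Step 1). SNMP-ACL and NTP-ACL are standard ACLs: source only.
ACLS = {
    "SSH-ACL": [ace("permit", "tcp", "192.168.10.10/32", dport=22),
                ace("permit", "tcp", "192.168.20.20/32", dport=22),
                ace("deny", "tcp", dport=22)],
    "SNMP-ACL": [ace("permit", "ip", "192.168.30.30/32"), ace("permit", "ip", "192.168.40.40/32")],
    "NTP-ACL": [ace("permit", "ip", "172.16.18.2/32"), ace("permit", "ip", "172.16.18.3/32")],
    "ICMP-ACL": [ace("permit", "icmp", icmp_type=t)
                 for t in ("echo", "echo-reply", "ttl-exceeded", "port-unreachable")],
    "IGP-ACL": [ace("permit", "ospf"),
                ace("permit", "tcp", "192.168.3.0/24", "192.168.3.0/24", dport=179),
                ace("permit", "tcp", "192.168.3.0/24", "192.168.3.0/24", sport=179)],
    "HARMFUL-ACL": [ace("permit", "ip", fragments=True),          # the four 'fragments' lines
                    ace("permit", "udp", dport=(137, 139)),      # netbios-ns .. netbios-ss
                    ace("permit", "tcp", dport=445), ace("permit", "udp", dport=445),
                    ace("permit", "udp", dport=1434), ace("permit", "tcp", dport=(137, 139))],
    "ALL-ACL": [ace("permit", "ip")],
}

# The page's class maps (Step 2), in the order the policy map lists them (Step 3).
CLASS_MAPS = [
    ("CoPP-SSH-SNMP-NTP", "match-any", ["SSH-ACL", "SNMP-ACL", "NTP-ACL"]),
    ("CoPP-ICMP", "match-all", ["ICMP-ACL"]),
    ("CoPP-IGP", "match-all", ["IGP-ACL"]),
    ("CoPP-HARMFUL", "match-all", ["HARMFUL-ACL"]),
    ("CoPP-ALL", "match-all", ["ALL-ACL"]),
]

def acl_permits(name, p):
    for e in ACLS[name]:
        if ace_matches(e, p):
            return e["action"] == "permit"
    return False                         # implicit deny at the end of every ACL

def classify(p):
    """Name of the first policy-map class whose class map matches, as CoPP evaluates it."""
    for cls, mode, acls in CLASS_MAPS:
        hits = [acl_permits(a, p) for a in acls]
        if any(hits) if mode == "match-any" else all(hits):
            return cls
    return "class-default"

if __name__ == "__main__":
    print(classify(pkt("tcp", "192.168.10.10", "10.0.0.1", 40000, 22)))      # CoPP-SSH-SNMP-NTP
    print(classify(pkt("tcp", "10.9.9.9", "10.0.0.1", 40000, 22)))           # CoPP-ALL
    print(classify(pkt("tcp", "192.168.10.10", "10.0.0.1", fragment=True)))  # CoPP-HARMFUL
```

Because every ACL here is a permit list and the only deny is inside SSH-ACL, a packet's class is simply the first class map in policy-map order whose ACLs accept it; anything not caught earlier reaches CoPP-ALL through `permit ip any any`.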


Step 3: Configure Policy Map (conform-action and exceed-action can be transmit or drop)
The police command has two forms:
 police [bps] [normal-burst bytes] [max-burst bytes] conform-action [transmit|drop] exceed-action [transmit|drop]
 police cir [bps] bc [conform-burst bytes] be [excess-burst bytes] conform-action [transmit|drop] exceed-action [transmit|drop]

Assumption: 5% excess burst (each burst value below is 5% of the configured rate figure, e.g. 200000 -> 10000)

policy-map CoPP
 class CoPP-SSH-SNMP-NTP
  police 200000 10000 10000 conform-action transmit exceed-action transmit
 class CoPP-ICMP
  police 200000 10000 10000 conform-action transmit exceed-action transmit
 class CoPP-IGP
  police 500000 25000 25000 conform-action transmit exceed-action transmit
 class CoPP-HARMFUL
  police cir 40000 bc 2000 be 2000 conform-action transmit exceed-action drop
 class CoPP-ALL
  police 300000 15000 15000 conform-action transmit exceed-action transmit
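What the police lines in Step 3 actually do to a burst of packets is easier to see in a small model, so here is an added Python token-bucket policer; it is not code from the page or from Cisco. It assumes a single-rate, two-colour bucket (cir and bc only), which is enough for this policy because every class sets the excess burst equal to the normal burst, and it reproduces the page's burst figures from the 5% assumption. The constructed trace sends ten 500-byte packets at once, then one more a second later, through the CoPP-HARMFUL settings with exceed-action drop and again with exceed-action transmit. On a device the policy is attached with `control-plane` / `service-policy input CoPP`, and `show policy-map control-plane` reports the same conform/exceed counters this model computes.

```python
from dataclasses import dataclass, field

BURST_FRACTION = 0.05   # the page's "5% excess burst" assumption


def burst_bytes(cir_bps, fraction=BURST_FRACTION):
    """Burst value the way the page derives it: 5% of the rate figure (200000 -> 10000)."""
    return int(cir_bps * fraction)


@dataclass
class Policer:
    """Single-rate, two-colour token bucket: cir in bit/s, bc in bytes.
    The bucket starts full and refills at cir/8 bytes per second, capped at bc."""
    cir_bps: int
    bc_bytes: int
    exceed_action: str = "drop"          # "transmit" or "drop", as in the policy-map
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.bc_bytes)

    def offer(self, t, size):
        """Return (colour, action) for a packet of `size` bytes arriving at time t (seconds)."""
        self.tokens = min(self.bc_bytes, self.tokens + (t - self.last_t) * self.cir_bps / 8)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return "conform", "transmit"
        return "exceed", self.exceed_action   # an exceeding packet does not consume tokens


def simulate(cir_bps, bc_bytes, exceed_action, trace):
    """Run a list of (time, size) packets through one policer and return its counters."""
    p = Policer(cir_bps, bc_bytes, exceed_action)
    counts = {"conform": 0, "exceed": 0, "transmit": 0, "drop": 0}
    for t, size in trace:
        colour, action = p.offer(t, size)
        counts[colour] += 1
        counts[action] += 1
    return counts


# Constructed trace: ten 500-byte packets in one burst at t=0, then one more at t=1 s.
BURST_TRACE = [(0.0, 500)] * 10 + [(1.0, 500)]

if __name__ == "__main__":
    # CoPP-HARMFUL as on the page: cir 40000, bc 2000, exceed-action drop.
    # Four packets fit in the 2000-byte bucket, six exceed and are dropped,
    # and the packet a second later conforms again once the bucket has refilled.
    print(simulate(40000, burst_bytes(40000), "drop", BURST_TRACE))
    # Same rate with exceed-action transmit: the policer still counts the six
    # exceeding packets but forwards them all, so it only measures.
    print(simulate(40000, burst_bytes(40000), "transmit", BURST_TRACE))
```

The second run is the case to keep in mind when reading the policy above: with exceed-action transmit a class never drops anything, so its exceed counter is the only effect, which is useful for sizing the rates before switching a class to drop.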


For CoPP best practices, you can refer to Cisco's CoPP Best Practices document.
