Jul
22
2009

CoPP?! What is that?

Cisco Network Foundation Protection (NFP) is an umbrella strategy encompassing Cisco IOS Security features that provides the tools, technologies, and services that enable organizations to secure their network foundations. NFP helps to establish a methodical approach to protecting router planes, forming the foundation for continuous service delivery.

The router is typically segmented into three planes of operation, each with a clearly identified objective:

  • the data plane allows the ability to forward data packets
  • the control plane allows the ability to route data correctly
  • the management plane allows the ability to manage network elements.

The vast majority of packets handled by a router travel through the router by way of the forwarding plane, or data plane. However, the system’s route processor must handle certain packets, such as routing protocols, keepalives, packets destined to the local IP addresses of the router, and packets from management protocols and other interactive access protocols, such as Telnet and Secure Shell (SSH) Protocol. This type of traffic is often referred to as control plane traffic.

Packet overloads on a router’s control plane can slow down routing processes and, as a result, degrade network service levels and user productivity. One cause for an overburdened router control plane is a router making inefficient use of shared CPU and memory resources. The same result can occur if reconnaissance or denial-of-service (DoS) attacks appear on the control plane, or if a routing protocol otherwise misbehaves.

For example, if a high volume of rogue packets generated by a virus or worm is presented to the control plane, the router will spend an excessive amount of time processing and discarding unnecessary traffic. This can eventually overwhelm the route processor, which is responsible for handling router control plane functions, and possibly bring router processes to a halt.

Following is an overview of several Cisco IOS Software security features that protect the control plane of networking devices.

  • Receive Access Control Lists: Receive Access Controls Lists (rACLs) are designed to protect the route processor on high-end routers from unnecessary traffic that could potentially affect system performance.
    The rACL feature uses standard or extended ACLs that control the traffic sent by the various line cards to the route processor on distributed architectures such as Cisco 12000 Series Routers. An rACL does not apply to transit traffic.
  • Control Plane Policing: The control plane policing (CoPP) feature significantly improves upon the rACL feature. Whereas rACLs allow the configuration of basic “permit” and “deny” filters for traffic destined to the router CPU, the CPP feature extends this by allowing users to configure a quality of service (QoS) filter that can also “rate-limit” this traffic.
  • Control Plane Protection: Cisco Control Plane Protection (CPPr) extends the CPP feature by enabling classification of the control plane traffic based on packet destination and information provided by the forwarding plane, allowing appropriate throttling for each category of packet.

 

In this article I will explain the control plane policing (CoPP), a feature introduced with release 12.2(18)S.

The CoPP feature protects the control plane of Cisco IOS Software-based routers and switches against many attacks, including reconnaissance and denial-of-service (DoS) attacks. In this manner, the control plane can maintain packet forwarding and protocol state despite an attack or heavy load on the router or switch.

CoPP provides the following benefits:

  • Protection against DoS attacks at infrastructure routers and switches
  • QoS control for packets that are destined to the control plane of Cisco routers or switches
  • Ease of configuration for control plane policies
  • Better platform reliability and availability

Example: Implement and test CoPP feature
Suppose to have a network (192.168.144.0/24) with two routers (.252 and .253) and an untrusted PC (.100). It is required to protect Ciscozine1 control plane from ICMP flood attack.

 

CoPP

 

Ciscozine2 (the trusted host) can forward ICMP packets to the control plane without constraint, while all remaining ICMP packets will be policed at the specified rate.

To test the CoPP feature, I use the ping command, with a size of 1250byte. As you can see, all ICMP packets sent by Ciscozine2 are received, while some ICMP packets from the Untrusted_pc are lost due to the control plane policing feature.

 

 

To display the configuration and statistics for a traffic class or all traffic classes in the policy maps attached to the control plane for aggregate or distributed control plane services, use the show policy-map control-plane command in privileged EXEC mode.

Ciscozine1#show policy-map control-plane
 Control Plane

  Service-policy input: control-plane-policing-test

    Class-map: block-untrusted-icmp (match-all)
      5246 packets, 3764458 bytes
      5 minute offered rate 10000 bps, drop rate 6000 bps
      Match: access-group 100
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 3536 packets, 1386530 bytes; actions:
          transmit
        exceeded 1710 packets, 2377928 bytes; actions:
          drop
        conformed 4000 bps, exceed 6000 bps

    Class-map: class-default (match-any)
      1478 packets, 132467 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
Ciscozine1#

 

Ciscozine1 (partial) configuration:
Ciscozine1#
!
hostname Ciscozine1
!
class-map match-all block-untrusted-icmp
 match access-group 100
!
!
policy-map control-plane-policing-test
 class block-untrusted-icmp
    police 8000 conform-action transmit  exceed-action drop
!
interface FastEthernet0/0
 ip address 192.168.144.252 255.255.255.0
 duplex auto
 speed auto
!
access-list 100 deny   icmp host 192.168.144.253 any
access-list 100 permit icmp any any
!
control-plane
 service-policy input control-plane-policing-test

References:

  • Rajeev

    Friend,

    When u r deny a pc ip in the acl , That means m traffic will not be matched for policing …

    The second line permits everything else which should include the other router for policing feature …

    Im Wondering how its working in the sample video.

    Please correct me if im wrong.

  • oshincisco

    access-list 100 deny icmp host 192.168.144.253 any
    access-list 100 permit icmp any any

    The first line denies the host 192.168.144.253 from bn policed.

    The second line permits every other icmp trafic from any host to be policed…

  • Bynary Man

    The use of the deny rule in access lists used in MQC is somewhat different to regular interface ACLs. Packets that match a deny rule are excluded from that class and cascade to the next class (if one exists) for classification. This is in contrast to packets matching a permit rule, which are then included in that class and no further comparisons are performed.