Capítulo II ANTECEDENTES
2.4 Aplicación industrial de recubrimientos duros
Skills Tested
Implement CoPP to enable the route processor to service critical traffic types such as routing updates, keepalives and network management, to provide a predictable level of service by throttling back on less important traffic types in times of data congestion or device attack.
Solution and Verification
CoPP can help protect the router against DoS attacks that can occur either inadvertently or maliciously as a result of high levels of traffic being punted to the RP, causing excessive CPU utilization.
The application of CoPP is not difficult; however, it does require a good understanding of the types of traffic that need to be policed, and at what rate and granularity. For example, knowing HTTP needs to be prioritized, limit permitted HTTP traffic to flows between known sources and destinations.
Configuration is done using the Modular QoS CLI (MQC) and then applied to the control plane. If a DoS attack occurs, critical traffic, such as routing protocol updates and IKE keepalives, can be guaranteed bandwidth to prevent route flaps and tunnel instability. Traffic with a recognized attack pattern or that is known to put a higher load on the router CPU can be classed as undesirable and dropped.
Verification
For all verification syntax that follows:
Required output appears in red
To verify this solution on R7, the following show commands give a consolidated view of class maps that are used to define what traffic is of interest, and policy maps that define what actions are to be
taken on that traffic. In this case, the action taken is to be applied specifically to interesting traffic that is processed by the router control plane. Special attention must be paid to the use of match-any and match-all in class map definitions.
any states that any of the traffic criteria in the class map needs to be matched, whereas match-all requires match-all criteria defined in the class map to be matched.
As specified in the question, any names can be used for class maps and policy maps. It is important to correctly identify the traffic itself, and rates and actions to be applied to that traffic.
Traffic types are defined in access lists; these have been defined as specifically as possible to be relevant to R7, hence the need to understand network traffic flows.
Click here to view code image
R7# show access-list
Extended IP access list coppacl-VPN
10 permit udp any any eq isakmp (1906 matches) Extended IP access list coppacl-bgp
10 permit tcp host 10.50.70.6 host 10.50.40.7 eq bgp (42748 matches) 20 permit tcp host 10.50.70.6 eq bgp host 10.50.40.7 (71312 matches) Extended IP access list coppacl-igp
10 permit ospf any host 224.0.0.5 (158592 matches) 20 permit ospf any host 224.0.0.6 (59 matches) 30 permit ospf any any (123 matches)
Extended IP access list coppacl-management
10 permit tcp 10.50.0.0 0.0.255.255 any eq telnet (72 matches) 20 permit udp host 10.50.70.5 any eq ntp (18865 matches)
30 permit tcp 192.168.2.0 0.0.0.255 any eq www (128 matches) 40 permit tcp 192.168.2.0 0.0.0.255 any eq 443
50 permit udp host 192.168.2.25 eq domain any (14 matches) Extended IP access list coppacl-undesirable
10 deny tcp any any fragments
20 deny icmp any any fragments (10 matches) IPv6 access list coppacl-VPNv6
permit udp any any eq isakmp (60 matches) sequence 1
Class maps group interesting traffic into traffic classes. Note that the layer2 class uses the special match protocol arp and the default class, which is the catch-all for any traffic not explicitly matched, uses a match-any criteria.
Click here to view code image
R7# show class-map
Class Map match-any coppclass-VPN (id 9) Match access-group name coppacl-VPN Match access-group name coppacl-VPNv6 Class Map match-all coppclass-layer2 (id 10) Match protocol arp
Class Map match-any class-default (id 0) Match any
Class Map match-all coppclass-igp (id 7) Match access-group name coppacl-igp
Class Map match-all coppclass-undesirable (id 11) Match access-group name coppacl-undesirable Class Map match-all coppclass-bgp (id 1)
Match access-group name coppacl-bgp
Class Map match-any coppclass-management (id 8) Match access-group name coppacl-management
For each traffic class, define the actions to be applied. There should be one policy map for each traffic class defined in Table 1-17. Note that the traffic classes for BGP and OSPF have no explicit action because they were defined as having full access with no rate limiting.
R7# show policy-map Policy Map copp-policy Class coppclass-bgp Class coppclass-igp
Class coppclass-management police rate 125 pps Class coppclass-layer2 police rate 20 pps
conform-action transmit exceed-action transmit Class coppclass-undesirable police rate 10 pps
The following command is a good way to view the consolidated CoPP policies and ensure they are
correctly processing traffic on the control plane:
Click here to view code image
R7# show policy-map control-plane Control Plane
Service-policy input: copp-policy Class-map: coppclass-bgp (match-all) 56964 packets, 4758874 bytes
5 minute offered rate 0 bps
Match: access-group name coppacl-bgp Class-map: coppclass-igp (match-all) 158611 packets, 15826230 bytes 5 minute offered rate 0 bps
Match: access-group name coppacl-igp
Class-map: coppclass-management (match-any) 9537 packets, 859270 bytes
5 minute offered rate 0 bps, drop rate 0 bps Match: access-group name coppacl-management 9535 packets, 859090 bytes Class-map: coppclass-VPN (match-any) 1007 packets, 186541 bytes
5 minute offered rate 0 bps, drop rate 0 bps Match: access-group name coppacl-VPN 947 packets, 178425 bytes
5 minute rate 0 bps
Match: access-group name coppacl-VPNv6 60 packets, 8116 bytes
exceeded 0 packets, 0 bytes; actions:
transmit
conformed 0 pps, exceeded 0 pps Class-map: coppclass-layer2 (match-all) 38523 packets, 2311380 bytes
Class-map: coppclass-undesirable (match-all) 0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps Match: access-group name coppacl-undesirable police: Class-map: class-default (match-any) 279559 packets, 35570430 bytes
Click here to view code image
class-map match-all coppclass-bgp
match access-group name coppacl-bgp
police rate 125 pps conform-action transmit exceed-action transmit class coppclass-VPN
police rate 250 pps conform-action transmit exceed-action transmit class coppclass-layer2
police rate 20 pps conform-action transmit exceed-action transmit class coppclass-undesirable
police rate 10 pps conform-action drop exceed-action drop class class-default
police rate 25 pps conform-action transmit exceed-action drop
ip access-list extended coppacl-VPN permit udp any any eq isakmp
ip access-list extended coppacl-bgp
permit tcp host 10.50.70.6 host 10.50.40.7 eq bgp permit tcp host 10.50.70.6 eq bgp host 10.50.40.7 ip access-list extended coppacl-igp
permit ospf any host 224.0.0.5 permit ospf any host 224.0.0.6 permit ospf any any
ip access-list extended coppacl-management permit tcp 10.50.0.0 0.0.255.255 any eq telnet permit udp host 10.50.70.5 any eq ntp
permit tcp 192.168.2.0 0.0.0.255 any eq www permit tcp 192.168.2.0 0.0.0.255 any eq 443 permit udp host 192.168.2.25 eq domain any
ip access-list extended coppacl-undesirable deny tcp any any fragments
deny icmp any any fragments control-plane
service-policy input copp-policy Tech Notes
Router Planes
A router can be logically divided into three functional components or planes, as described in the following list, along with some protection mechanism that can be applied to each plane:
Data Plane:
Drop all or selective drop IP options
Disable redirects, source routing, directed broadcasts
Enable ICMP packet filtering, but understand IPv4 versus IPv6 requirements Unicast RPF
Enable TTL expiry Management Plane:
Out-of-band management Password security
SNMP security
Remote terminal access security Disable unused services
Disable idle user sessions System banners
Secure IOS file systems Role-based CLI access
Management plane protection
Authentication, Authorization, Accounting (AAA) AutoSecure
Identify unused protocols—HTTP server, CDP Infrastructure ACLs
Control Plane:
Disable unused control plane services
ICMP techniques—no ICMP redirects, no ICMP unreachables, ICMP rate limiting Selective packet discard—IP options, fragments
Control plane policing and control plane protection (port and threshold) MD5 authentication
BGP techniques—max prefixes, ttl-security Route filtering and passive interfaces
Infrastructure ACLs
Selective packet discard IPv6
OSPFv3 IPv6 ttl-security for virtual links (global addressing) As a rule of thumb:
Traffic to the control and management plane is always destined to the device.
Traffic in the data plane is always destined through the device.
CoPP Versus CPPr
This exercise presented Control Plane Policing (CoPP). CoPP introduced the concept of rate-limiting protocol-specific traffic destined to the processor by applying QoS policies to the aggregate
control-plane interface. CoPP is implemented on the router using the following command:
Click here to view code image
control-plane
sevice-policy input | output policy-map-name But what is Control Plane Protection (CPPr)?
Control Plane Protection extends control plane functionality by providing three additional control-plane subinterfaces under the top-level (aggregate) control-control-plane interface. Each subinterface receives and processes a specific type of control-plane traffic.
The three subinterfaces are as follows:
Control-plane host subinterface: This interface receives all control-plane IP traffic that is directly destined for one of the router interfaces (for example, iBGP, EIGRP, SSH).
Control-plane transit subinterface: This subinterface receives all control-plane IP traffic that is not directly destined to the router itself but rather traffic traversing the router (for example, nonterminating tunnel traffic).
Control-plane CEF-exception subinterface: This control-plane subinterface receives all traffic that is either redirected as a result of a configured input feature in the CEF packet
forwarding path for process switching or directly enqueued in the control plane input queue by the interface driver (for example, ARP, eBGP, or OSPF).
All protection features in the control plane are implemented as MQC policies that operate using the control plane class maps and policy maps. Additional class map and policy map types have been created for the control plane port-filter and per-protocol queue-threshold features.
CPPr is implemented on the router using the following command options:
Click here to view code image
control-plane host option
cef-exception Cef-exception traffic control-plane configuration
host Host traffic control-plane configuration transit Transit traffic control-plane configuration
service-policy input | output policy-map-name