Thursday 2 May 2013

Control Plane Policing vs. Control Plane Protection


  • CoPP
Networks function to carry data plane (user-generated) packets. Networks are also created and operated by control plane and management plane packets. Unlike legacy network technologies such as ISDN, Frame Relay, and ATM that defined separate data and control channels, IP carries all packets within a single pipe. Thus, IP network devices such as routers and switches must be able to distinguish between data plane, control plane, and management plane packets to treat each packet appropriately.


From an IP traffic plane perspective, packets may be divided into four distinct, logical groups:
  • Data plane packets – End-station, user-generated packets that are always forwarded by network devices to other end-station devices. 
  • Control plane packets – Network device generated or received packets that are used for the creation and operation of the network itself. Examples include protocols such as ARP, BGP, OSPF, and other protocols that glue the network together. 
  • Management plane packets – Network device generated or received packets, or management station generated or received packets that are used to manage the network. Examples include protocols such as Telnet, Secure Shell (SSH), TFTP, SNMP, FTP, NTP, and other protocols used to manage the device and/or network. 
  • Services plane packets – A special case of data plane packets, services plane packets are also user-generated packets that are also forwarded by network devices to other end-station devices, but that require high-touch handling by the network device (above and beyond normal, destination IP address-based forwarding) to forward the packet. Examples of high-touch handling include such functions as GRE encapsulation, QoS, MPLS VPNs, and SSL/IPsec encryption/decryption, etc.
From the local perspective of the network device, three general types of packets exist:
  • Transit packets – These include data plane and some services plane packets that are subjected to standard, destination IP-based forwarding functions. 
  • Receive packets – These include control plane and management plane packets that are destined to the network device itself. Receive packets must be handled by the CPU within the route processor, as they are ultimately destined to and handled by applications running at the process level within IOS.
  • Exception IP and Non-IP packets – One special set of packets includes both exception IP packets and non-IP packets. Exception IP packets include, for example, IPv4 packets containing IP header options, IP packet TTL expires, and IP packets with unreachable destinations. Layer 2 keepalives, ISIS packets, Cisco Discovery Protocol (CDP) packets, and PPP Link Control Protocol (LCP) packets are examples of non-IP packets. All of the packets in this set must be handled by the route processor.
Control Plane Policing (CoPP) is a Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices. CoPP is designed to prevent unnecessary traffic from overwhelming the route processor that, if left unabated, could affect system performance. 

CoPP protects the route processor on network devices by treating route processor resources as a separate entity with its own ingress interface (and in some implementations, egress also). Because of this behavior, a CoPP policy can be developed and applied only to those packets within the control plane.
  • CPPr
Starting with Cisco IOS Software release 12.4(4)T, Control Plane Protection (CPPr) was introduced.
CPPr divides the aggregate control plane into three separate control plane categories, known as subinterfaces: (1) host, (2) transit, and (3) CEF-exception. In addition, CPPr includes the following additional control plane protection features:

  • The port-filtering feature provides for policing/dropping of packets going to closed or nonlistening TCP/UDP ports 
  • Queue thresholding limits the number of packets for a specified protocol that will be allowed in the control plane IP input queue
Control plane host subinterface: This interface receives all control plane IP traffic that is directly destined for one of the router interfaces (physical and loopback). Examples of control plane host IP traffic include tunnel termination traffic; management traffic; and routing protocols.

Control plane transit subinterface: This subinterface receives all control plane IP traffic that is software switched by the route processor. This traffic consists of packets that are not directly destined to the router itself but rather are traversing through the router.

Control plane CEF-exception subinterface: This control plane subinterface receives all traffic that is either redirected as a result of a configured input feature in the CEF packet forwarding path for process switching or directly enqueued in the control plane input queue by the interface driver (that is, ARP, external BGP (eBGP), OSPF, LDP, Layer 2 keepalives, and all non-IP host traffic).

You may apply a separate rate-limiting policy to any of the subinterfaces, or a single aggregate policy covering all subinterfaces (classic control plane policing). It is possible to configure both subinterface and aggregate policies at the same time, but it is better to configure either an aggregate policy or subinterface-specific policies, not both.

  • Scenario:
Develop CPPr Configuration for Host Subinterface 
  1. Identify the necessary protocols that are transiting the network.
    • Known Undesirable: Malicious traffic that is expected yet undesirable (for example, IP fragments); this traffic should never reach the route processor/CPU and thus should always be dropped. 
    • Critical Traffic: This includes traffic, such as routing protocol traffic (for example, iBGP, EIGRP), that is absolutely necessary and should never be dropped or rate limited. 
    • Important Traffic: Management plane traffic (for example, SNMP, SSH, AAA, NTP) that is expected and required to reach the route processor/CPU but may need to be rate limited. 
    • Normal Traffic: Includes other expected nonmalicious traffic (for example, ping and other ICMP types: ttl-exceeded, port-unreachable, etc.) that is necessary but should be rate limited. 
    • Reactive Undesirable: Used for "exploit of the day" type of traffic; it should be used for reactive handling of potentially malicious traffic (such as vulnerabilities) and should always result in dropping the traffic. 
    • Catch-all: Remaining unclassified IP traffic, which should be rate limited.
    • Default: Non-IP traffic, which may need to be rate limited.

ip access-list extended known-undesirable-acl
    permit tcp any any fragments
    permit udp any any fragments
    permit icmp any any fragments
    permit ip any any fragments

ip access-list extended critical-acl
    ! iBGP peers
    permit tcp 10.0.0.0 0.0.0.255 gt 1024 10.0.0.0 0.0.0.255 eq bgp
    permit tcp 10.0.0.0 0.0.0.255 eq bgp 10.0.0.0 0.0.0.255 gt 1024
    ! eBGP peers
    permit tcp 180.180.180.0 0.0.0.255 gt 1024 180.180.180.0 0.0.0.255 eq bgp
    permit tcp 180.180.180.0 0.0.0.255 eq bgp 180.180.180.0 0.0.0.255 gt 1024

ip access-list extended important-acl
    permit tcp 10.0.0.0 0.0.0.255 eq 22 any established
    permit tcp 10.0.0.0 0.0.0.255 any eq 22
    permit tcp host 10.0.0.3 eq tacacs 10.10.10.0 0.0.0.255 established
    permit udp 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 eq snmp

ip access-list extended normal-acl
    permit icmp any any ttl-exceeded
    permit icmp any any port-unreachable
    permit icmp any any echo-reply
    permit icmp any any echo
    permit icmp any any packet-too-big

ip access-list extended reactive-undesirable-acl
    permit tcp any any eq 445

ip access-list extended catch-all-acl
    permit tcp any any
    permit udp any any
    permit icmp any any
    permit ip any any

2. Create the class-maps
class-map match-all CPPr-host-known-undesirable
    match access-group name known-undesirable-acl
class-map match-all CPPr-host-critical
    match access-group name critical-acl
class-map match-all CPPr-host-important
    match access-group name important-acl
class-map match-any CPPr-host-normal
    match access-group name normal-acl
class-map match-any CPPr-host-reactive-undesirable
    match access-group name reactive-undesirable-acl
class-map match-any CPPr-host-catch-all
    match access-group name catch-all-acl

3. Create the policy map
policy-map CPPr-host
  class CPPr-host-known-undesirable
    drop
  class CPPr-host-critical
    ! no operation specified – no rate-limit
  class CPPr-host-important
    police 10000 conform-action transmit exceed-action drop
  class CPPr-host-normal
    police 15000 conform-action transmit exceed-action drop
  class CPPr-host-reactive-undesirable
    drop
  class CPPr-host-catch-all
    police 30000 conform-action transmit exceed-action drop

4. Apply the policy to the CPPr Host Subinterface
control-plane host
 service-policy input CPPr-host
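To see how the four steps above fit together, here is an added Python model of the CPPr-host policy. This is example code written for this page, not Cisco's implementation and not the post's own configuration. It mirrors a representative subset of the ACLs and the full class order of the policy-map, classifies a packet by first match, and runs the policed classes through a single-rate token bucket using the cir (bps) and bc (1500 bytes) values that the verification output reports. The packet representation, the simplified ACL matching, the Policer class and all addresses and timings are assumptions constructed for the example.

```python
# Added example (not from the original post): a small model of the CPPr-host
# policy. It classifies a packet against the ordered class-maps and runs the
# policed classes through a single-rate token bucket (cir in bps, bc in bytes,
# the values 'show policy-map control-plane' reports). Packets are dicts, ACL
# matching is simplified, and all addresses and times are constructed.
import ipaddress

ANY, MGMT, SNMP_NET = "0.0.0.0/0", "10.0.0.0/24", "10.10.10.0/24"

def ace(proto, src, dst, sport=None, dport=None, **extra):
    """One access-list entry. Port rules: None (any), int (eq) or ("gt", n).
    extra: header attributes the packet must carry with the same value
    (fragments=True, established=True, icmp_type="echo")."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, extra=extra)

# A representative subset of the page's ACLs, one entry list per ACL name.
ACLS = {
    "known-undesirable-acl": [ace("ip", ANY, ANY, fragments=True)],
    "critical-acl": [  # iBGP peers, either direction
        ace("tcp", MGMT, MGMT, sport=("gt", 1024), dport=179),
        ace("tcp", MGMT, MGMT, sport=179, dport=("gt", 1024))],
    "important-acl": [  # SSH to the router from the management net, SNMP
        ace("tcp", MGMT, ANY, sport=22, established=True),
        ace("tcp", MGMT, ANY, dport=22),
        ace("udp", MGMT, SNMP_NET, dport=161)],
    "normal-acl": [ace("icmp", ANY, ANY, icmp_type="ttl-exceeded"),
                   ace("icmp", ANY, ANY, icmp_type="echo")],
    "reactive-undesirable-acl": [ace("tcp", ANY, ANY, dport=445)],
    "catch-all-acl": [ace("ip", ANY, ANY)],
}

# The policy-map in configured order: (class, acl, action). A tuple action is
# ("police", cir_bps); None means "no operation specified" (no rate limit).
POLICY = [
    ("CPPr-host-known-undesirable", "known-undesirable-acl", "drop"),
    ("CPPr-host-critical", "critical-acl", None),
    ("CPPr-host-important", "important-acl", ("police", 10000)),
    ("CPPr-host-normal", "normal-acl", ("police", 15000)),
    ("CPPr-host-reactive-undesirable", "reactive-undesirable-acl", "drop"),
    ("CPPr-host-catch-all", "catch-all-acl", ("police", 30000)),
    ("class-default", None, None),
]

def port_ok(rule, value):
    if rule is None:
        return True
    if isinstance(rule, tuple):           # ("gt", n)
        return value is not None and value > rule[1]
    return value == rule                  # eq

def ace_matches(a, pkt):
    # The 'ip' keyword matches every IP protocol, as it does in an IOS ACL.
    if a["proto"] != "ip" and a["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(a["src"]):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(a["dst"]):
        return False
    if not (port_ok(a["sport"], pkt.get("sport")) and port_ok(a["dport"], pkt.get("dport"))):
        return False
    return all(pkt.get(k) == v for k, v in a["extra"].items())

def classify(pkt):
    """First matching class wins, the order in which IOS walks a policy-map."""
    for cls, acl, action in POLICY:
        if acl is None or any(ace_matches(a, pkt) for a in ACLS[acl]):
            return cls, action

class Policer:
    """Single-rate policer model: a bucket of bc bytes refilled at cir/8 bytes/s."""
    def __init__(self, cir_bps, bc_bytes=1500):
        self.cir, self.bc = cir_bps, bc_bytes
        self.tokens, self.last = bc_bytes, 0.0
    def offer(self, size, now):
        self.tokens = min(self.bc, self.tokens + (now - self.last) * self.cir / 8)
        self.last = now
        if size <= self.tokens:           # conform-action transmit
            self.tokens -= size
            return "transmit"
        return "drop"                     # exceed-action drop (no tokens consumed)

def new_state():
    """One policer per policed class, so bursts in one class do not affect another."""
    return {cls: Policer(act[1]) for cls, _, act in POLICY if isinstance(act, tuple)}

def apply_policy(pkt, now, state):
    """Return (class, verdict) for one packet arriving at time 'now' (seconds)."""
    cls, action = classify(pkt)
    if action is None:
        return cls, "transmit"
    if action == "drop":
        return cls, "drop"
    return cls, state[cls].offer(pkt["size"], now)

def demo():
    """Constructed trace: 16 back-to-back 100-byte SSH packets at t=0, then 13 at t=1."""
    state = new_state()
    ssh = dict(proto="tcp", src="10.0.0.5", dst="10.0.0.3", sport=50000, dport=22, size=100)
    verdicts = [apply_policy(ssh, 0.0, state)[1] for _ in range(16)]
    verdicts += [apply_policy(ssh, 1.0, state)[1] for _ in range(13)]
    return verdicts

if __name__ == "__main__":
    for n, verdict in enumerate(demo()):
        print(n, verdict)
```

Running demo() shows what police 10000 with a 1500-byte bc means in practice: 15 back-to-back 100-byte SSH packets are transmitted and the 16th is dropped; one second later the bucket has refilled by only 1250 bytes (10000 bps / 8), so 12 more pass and the next one is dropped. In this model an exceeding packet consumes no tokens, so the class keeps passing its conforming rate while the burst is being cut, and because every policed class has its own bucket a flood in the catch-all class cannot starve the important or normal classes.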

Verification:
R3#show control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
 tcp                 *:23                  *:0                   Telnet   LISTEN
 tcp              *:26388    180.180.180.1:179                      BGP ESTABLIS
 tcp                *:179                  *:0                      BGP   LISTEN
 tcp                *:179                  *:0                      BGP   LISTEN
 tcp                *:179                  *:0                      BGP   LISTEN
 tcp                *:179                  *:0                      BGP   LISTEN
 tcp              *:45491         10.0.0.2:179                      BGP ESTABLIS
 tcp              *:23037         10.0.0.1:179                      BGP ESTABLIS
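The port-filtering feature mentioned under CPPr can be checked against exactly this output. The following is added example code written for this page, not IOS code and not the post's own configuration: it parses the open-ports listing above (condensed to one line per listener) and models the port-filter decision the text describes, dropping packets aimed at TCP/UDP ports the router has no socket on. The function names and the decision model are assumptions; the sample output is the page's own.

```python
# Added example (not from the original post): parse the 'show control-plane
# host open-ports' output and model the CPPr port-filter decision the text
# describes (drop packets to closed / non-listening TCP/UDP ports). The output
# below is copied from the page, condensed; the decision logic is a model.

OPEN_PORTS_OUTPUT = """\
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
 tcp                 *:23                  *:0                   Telnet   LISTEN
 tcp              *:26388    180.180.180.1:179                      BGP ESTABLIS
 tcp                *:179                  *:0                      BGP   LISTEN
 tcp              *:45491         10.0.0.2:179                      BGP ESTABLIS
 tcp              *:23037         10.0.0.1:179                      BGP ESTABLIS
"""

def parse_open_ports(text):
    """Return {(proto, local_port): (service, state)} from the show output."""
    sockets = {}
    for line in text.splitlines():
        fields = line.split()
        # Header and title lines do not have five fields starting with tcp/udp.
        if len(fields) != 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, local, _foreign, service, state = fields
        port = int(local.rsplit(":", 1)[1])      # "*:179" -> 179
        sockets[(proto, port)] = (service, state)
    return sockets

def port_filter(sockets, proto, dport):
    """Model of the port-filter: 'accept' when a socket exists on (proto, port),
    'drop' for a closed port. Established connections count as open sockets."""
    return "accept" if (proto, dport) in sockets else "drop"

def listeners(sockets):
    """(proto, port, service) for every socket in LISTEN state, for review."""
    return sorted((p, port, svc) for (p, port), (svc, st) in sockets.items()
                  if st.startswith("LISTEN"))

if __name__ == "__main__":
    s = parse_open_ports(OPEN_PORTS_OUTPUT)
    print("listeners:", listeners(s))
    for proto, port in [("tcp", 179), ("tcp", 22), ("tcp", 23), ("udp", 161)]:
        print(proto, port, "->", port_filter(s, proto, port))
```

Two things the listing tells a defender when run through this model: there is no SSH listener in the output, so a packet to TCP/22 would be dropped by port-filter on this router even though important-acl permits it (the ACL only matters once the service is actually listening), and Telnet is listening on TCP/23, which port-filter would accept; an unwanted listener has to be disabled on the router or dropped explicitly in the policy, port-filter will not close it.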


R3#show control-plane co
R3#show control-plane counters
Feature Path             Packets processed/dropped/errors              
Aggregate                    4549/0/0
Host                         1004/0/0
Transit                         0/0/0
Cef-exception                3545/0/0


 R3#show policy-map control-plane all
 Control Plane Host
  Service-policy input: CPPr-host
    Class-map: CPPr-host-known-undesirable (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name known-undesirable-acl
      drop
    Class-map: CPPr-host-critical (match-all)
      6 packets, 438 bytes
      5 minute offered rate 0 bps
      Match: access-group name critical-acl
    Class-map: CPPr-host-important (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name important-acl
      police:
          cir 10000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
    Class-map: CPPr-host-normal (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name normal-acl
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 15000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
    Class-map: CPPr-host-reactive-undesirable (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name reactive-undesirable-acl
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop
    Class-map: CPPr-host-catch-all (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name catch-all-acl
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 30000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 



2 comments:

  1. Isn't this:
    ip access-list extended known-undesirable-acl
    permit tcp any any fragments
    permit udp any any fragments
    permit icmp any any fragments
    permit ip any any fragments

    the same as this:
    ip access-list extended known-undesirable-acl
    permit ip any any fragments

    ?

  2. ip does not cover icmp; it can be like:

    ip access-list extended known-undesirable-acl
    permit icmp any any fragments
    permit ip any any fragments
