
Friday, 3 May 2013

Service TCP Keepalives and Selective Packet Discard

CPPr includes the following additional control plane protection features:


  • The port-filtering feature provides for policing/dropping of packets going to closed or nonlistening TCP/UDP ports 
   TCP keepalives:
Router1# config term
Router1(config)# service tcp-keepalives-in
Router1(config)# service tcp-keepalives-out
Router1(config)# end

  •   Queue thresholding limits the number of packets for a specified protocol that will be allowed in the control plane IP input queue
 Selective Packet Discard (SPD) is a mechanism to manage the process level input queues on the Route Processor (RP). The goal of SPD is to give priority to routing protocol packets and other important control traffic, such as Layer 2 keepalives, during periods of process level queue congestion.


Layer 2 keepalives and IGP packets go to the SPD Extended Headroom. If there
is no space available in the SPD Extended Headroom, packets go to the SPD
Headroom. As a last resort, if both the Extended Headroom and Headroom are
full, these packets go to the regular Hold Queue. BGP updates go directly to
SPD Headroom. If the SPD Headroom is full, BGP packets hit the Hold Queue.
All other IP packets (malformed or process-switched) go to the Hold Queue. The
result is that L2 Keepalive/IGP packets are serviced first, BGP next, and other
packets last.

  • Input queue
 The input queue is maintained per hardware interface, shared amongst all subinterfaces.
 The default input queue size is 75 and is configurable per interface using the hold-queue [size] in interface configuration command. The number of packets in the input queue can be seen in the "input queue" field of the show interfaces command.

  • SPD headroom
 The default SPD headroom size is 100 (1000 in newer IOS versions) and is configurable using the command spd headroom.
 Its current level can be seen in the output of the commands show spd or show ip spd.

  • Extended SPD Headroom
    The default Extended SPD headroom size is 10 and is configurable using the spd extended [size] command; its current level can be seen in the output of the show spd or show ip spd command.

  •   SPD State Check
The general packet queue can be in three states and, as such, the low priority packets may be serviced differently:

  • NORMAL: queue size <= min
  • RANDOM DROP: min <= queue size <= max
  • FULL DROP: max <= queue size
     
The default min-threshold is 73 and is configurable using the command:
ip spd queue min-threshold

The default max-threshold is 74 and is configurable using the command:
ip spd queue max-threshold

  •  Aggressive mode
 SPD can be configured for two different modes: normal (default) and aggressive. The only difference between the two is how the router treats invalid IP packets (invalid checksum, incorrect version, incorrect header length, incorrect packet length). Malformed IP packets are dropped by SPD when the router is in aggressive mode and in the Random drop state. Aggressive mode can be configured using the command:
ip spd mode aggressive
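To make the queue selection order and the state check above concrete, here is a small model of SPD written for this post (it is not Cisco code and does not reproduce real IOS internals). It uses the defaults quoted above (hold queue 75, headroom 100, extended headroom 10, thresholds 73/74); the 50% random-drop probability and the injectable rng are modelling assumptions.

```python
"""Model of IOS Selective Packet Discard (SPD) queue placement and state check.
Added illustration for this post, not Cisco code."""
from dataclasses import dataclass
import random


@dataclass
class Spd:
    # Defaults as quoted on the page.
    hold_queue_size: int = 75
    headroom_size: int = 100
    extended_size: int = 10
    min_threshold: int = 73
    max_threshold: int = 74
    aggressive: bool = False
    # Current occupancy of each queue (packets).
    hold_queue: int = 0
    headroom: int = 0
    extended: int = 0

    def state(self) -> str:
        """State check on the general (hold) queue: NORMAL / RANDOM DROP / FULL DROP."""
        if self.hold_queue <= self.min_threshold:
            return "NORMAL"
        if self.hold_queue <= self.max_threshold:
            return "RANDOM DROP"
        return "FULL DROP"

    def enqueue(self, kind: str, malformed: bool = False, rng=random.random) -> str:
        """Place one packet; returns 'extended', 'headroom', 'hold' or 'drop'.
        kind is 'l2keepalive', 'igp', 'bgp' or 'other' (any other IP packet)."""
        if kind in ("l2keepalive", "igp"):
            if self.extended < self.extended_size:
                self.extended += 1
                return "extended"
            if self.headroom < self.headroom_size:
                self.headroom += 1
                return "headroom"
        elif kind == "bgp":
            if self.headroom < self.headroom_size:
                self.headroom += 1
                return "headroom"
        # Everything else, and overflow from above, goes to the hold queue.
        # Only low-priority packets are subject to the state check.
        if kind == "other":
            st = self.state()
            if st == "FULL DROP":
                return "drop"
            if st == "RANDOM DROP":
                if malformed and self.aggressive:   # aggressive mode: always drop malformed
                    return "drop"
                if rng() < 0.5:                     # assumed random-drop probability
                    return "drop"
        if self.hold_queue >= self.hold_queue_size:
            return "drop"
        self.hold_queue += 1
        return "hold"
```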

Thursday, 2 May 2013

Control Plane Policing vs. Control Plane Protection


  • CoPP
Networks function to carry data plane (user-generated) packets. Networks are also created and operated by control plane and management plane packets. Unlike legacy network technologies such as ISDN, Frame Relay, and ATM that defined separate data and control channels, IP carries all packets within a single pipe. Thus, IP network devices such as routers and switches must be able to distinguish between data plane, control plane, and management plane packets to treat each packet appropriately.


From an IP traffic plane perspective, packets may be divided into four distinct, logical groups:
  • Data plane packets – End-station, user-generated packets that are always forwarded by network devices to other end-station devices. 
  • Control plane packets – Network device generated or received packets that are used for the creation and operation of the network itself. Examples include protocols such as ARP, BGP, OSPF, and other protocols that glue the network together. 
  • Management plane packets – Network device generated or received packets, or management station generated or received packets that are used to manage the network. Examples include protocols such as Telnet, Secure Shell (SSH), TFTP, SNMP, FTP, NTP, and other protocols used to manage the device and/or network. 
  • Services plane packets – A special case of data plane packets, services plane packets are also user-generated packets that are also forwarded by network devices to other end-station devices, but that require high-touch handling by the network device (above and beyond normal, destination IP address-based forwarding) to forward the packet. Examples of high-touch handling include such functions as GRE encapsulation, QoS, MPLS VPNs, and SSL/IPsec encryption/decryption, etc.
From the local perspective of the network device, three general types of packets exist:
  • Transit packets – These include data plane and some services plane packets that are subjected to standard, destination IP-based forwarding functions. 
  • Receive packets – These include control plane and management plane packets that are destined to the network device itself. Receive packets must be handled by the CPU within the route processor, as they are ultimately destined to and handled by applications running at the process level within IOS.
  • Exception IP and Non-IP packets – One special set of packets includes both exception IP packets and non-IP packets. Exception IP packets include, for example, IPv4 packets containing IP header options, IP packet TTL expires, and IP packets with unreachable destinations. Layer 2 keepalives, ISIS packets, Cisco Discovery Protocol (CDP) packets, and PPP Link Control Protocol (LCP) packets are examples of non-IP packets. All of the packets in this set must be handled by the route processor.
Control Plane Policing (CoPP) is a Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices. CoPP is designed to prevent unnecessary traffic from overwhelming the route processor that, if left unabated, could affect system performance. 

CoPP protects the route processor on network devices by treating route processor resources as a separate entity with its own ingress interface (and in some implementations, egress also). Because of this behavior, a CoPP policy can be developed and applied only to those packets within the control plane.
  • CPPr
Starting with Cisco IOS Software release 12.4(4)T, Control Plane Protection (CPPr) was introduced.
CPPr divides the aggregate control plane into three separate control plane categories, known as subinterfaces: (1) host, (2) transit, and (3) CEF-exception. CPPr also includes the following control plane protection features:

  • The port-filtering feature provides for policing/dropping of packets going to closed or nonlistening TCP/UDP ports 
  • Queue thresholding limits the number of packets for a specified protocol that will be allowed in the control plane IP input queue
Control plane host subinterface: This interface receives all control plane IP traffic that is directly destined for one of the router interfaces (physical and loopback). Examples of control plane host IP traffic include tunnel termination traffic; management traffic; and routing protocols.

Control plane transit subinterface: This subinterface receives all control plane IP traffic that is software switched by the route processor. This traffic consists of packets that are not directly destined to the router itself but rather are traffic traversing through the router.

Control plane CEF-exception subinterface: This control plane subinterface receives all traffic that is either redirected as a result of a configured input feature in the CEF packet forwarding path for process switching or directly enqueued in the control plane input queue by the interface driver (that is, ARP, external BGP (eBGP), OSPF, LDP, Layer 2 keepalives, and all non-IP host traffic).

You may apply a separate rate-limiting policy to any of the subinterfaces, or have a single aggregate policy covering all subinterfaces (classic control plane policing). It is possible to configure both a subinterface and an aggregate policy, but it is better to configure either aggregate or subinterface-specific policies.

  • Scenario:
Develop CPPr Configuration for Host Subinterface 
  1. Identify the necessary protocols that are transiting the network.
    • Known Undesirable: Malicious traffic that is expected yet undesirable (for example, IP fragments); this traffic should never reach the route processor/CPU and thus should always be dropped. 
    • Critical Traffic: This includes traffic, such as routing protocol traffic (for example, iBGP, EIGRP), that is absolutely necessary and should never be dropped or rate limited. 
    • Important Traffic: Management plane traffic (for example, SNMP, SSH, AAA, NTP) that is expected and required to reach the route processor/CPU but may need to be rate limited. 
    • Normal Traffic: Includes other expected nonmalicious traffic (for example, ping and other ICMP types: ttl-exceeded, port-unreachable, etc.) that is necessary but should be rate limited. 
    • Reactive Undesirable: Used for "exploit of the day" type of traffic; it should be used for reactive handling of potentially malicious traffic (such as vulnerabilities) and should always result in dropping the traffic. 
    • Catch-all: Remaining unclassified IP traffic, which should be rate limited.
    • Default: Non-IP traffic, which may need to be rate limited.

ip access-list extended known-undesirable-acl
   permit tcp any any fragments
   permit udp any any fragments
   permit icmp any any fragments
   permit ip any any fragments

ip access-list extended critical-acl
   ! iBGP peers
   permit tcp 10.0.0.0 0.0.0.255 gt 1024 10.0.0.0 0.0.0.255 eq bgp
   permit tcp 10.0.0.0 0.0.0.255 eq bgp 10.0.0.0 0.0.0.255 gt 1024
   ! eBGP peers
   permit tcp 180.180.180.0 0.0.0.255 gt 1024 180.180.180.0 0.0.0.255 eq bgp
   permit tcp 180.180.180.0 0.0.0.255 eq bgp 180.180.180.0 0.0.0.255 gt 1024

ip access-list extended important-acl
    permit tcp 10.0.0.0 0.0.0.255 eq 22 any established
    permit tcp 10.0.0.0 0.0.0.255 any eq 22
    permit tcp host 10.0.0.3 eq tacacs 10.10.10.0 0.0.0.255 established
    permit udp 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 eq snmp

ip access-list extended normal-acl
    permit icmp any any ttl-exceeded
    permit icmp any any port-unreachable
    permit icmp any any echo-reply
    permit icmp any any echo
    permit icmp any any packet-too-big

ip access-list extended reactive-undesirable-acl
    permit tcp any any eq 445

ip access-list extended catch-all-acl
    permit tcp any any
    permit udp any any
    permit icmp any any
    permit ip any any

  2. Create the class-maps
class-map match-all CPPr-host-known-undesirable
    match access-group name known-undesirable-acl
class-map match-all CPPr-host-critical
    match access-group name critical-acl
class-map match-all CPPr-host-important
    match access-group name important-acl
class-map match-any CPPr-host-normal
    match access-group name normal-acl
class-map match-any CPPr-host-reactive-undesirable
    match access-group name reactive-undesirable-acl
class-map match-any CPPr-host-catch-all
    match access-group name catch-all-acl

  3. Create the policy map
policy-map CPPr-host
 class CPPr-host-known-undesirable
  drop
 class CPPr-host-critical
  ! no operation specified – no rate-limit
 class CPPr-host-important
  police 10000 conform-action transmit exceed-action drop
 class CPPr-host-normal
  police 15000 conform-action transmit exceed-action drop
 class CPPr-host-reactive-undesirable
  drop
 class CPPr-host-catch-all
  police 30000 conform-action transmit exceed-action drop

  4. Apply the policy to the CPPr Host Subinterface
control-plane host
 service-policy input CPPr-host

Verification:
R3#show control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
 tcp                 *:23                  *:0                   Telnet   LISTEN
 tcp              *:26388    180.180.180.1:179                      BGP ESTABLIS
 tcp                *:179                  *:0                      BGP   LISTEN
 tcp                *:179                  *:0                      BGP   LISTEN
 tcp                *:179                  *:0                      BGP   LISTEN
 tcp                *:179                  *:0                      BGP   LISTEN
 tcp              *:45491         10.0.0.2:179                      BGP ESTABLIS
 tcp              *:23037         10.0.0.1:179                      BGP ESTABLIS


R3#show control-plane counters
Feature Path             Packets processed/dropped/errors              
Aggregate                    4549/0/0
Host                         1004/0/0
Transit                         0/0/0
Cef-exception                3545/0/0


 R3#show policy-map control-plane all
 Control Plane Host
  Service-policy input: CPPr-host
    Class-map: CPPr-host-known-undesirable (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name known-undesirable-acl
      drop
    Class-map: CPPr-host-critical (match-all)
      6 packets, 438 bytes
      5 minute offered rate 0 bps
      Match: access-group name critical-acl
    Class-map: CPPr-host-important (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name important-acl
      police:
          cir 10000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
    Class-map: CPPr-host-normal (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name normal-acl
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 15000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
    Class-map: CPPr-host-reactive-undesirable (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name reactive-undesirable-acl
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop
    Class-map: CPPr-host-catch-all (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name catch-all-acl
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 30000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
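The verification output above is the place to watch once the policy is in production: packets counted in a drop class (known-undesirable, reactive-undesirable) or in the exceeded bucket of a policed class mean traffic is hitting the control plane that the policy had to discard. The following parser is an added example for this post (not a Cisco tool); it reads the show policy-map control-plane output format shown above and lists the counters worth alerting on. The SAMPLE text is constructed, with non-zero counters so the checks have something to report.

```python
import re
# Constructed sample shaped like the 'show policy-map control-plane all' output
# above, with non-zero counters so the checks have something to report.
SAMPLE = """\
  Service-policy input: CPPr-host
    Class-map: CPPr-host-known-undesirable (match-all)
      12 packets, 9600 bytes
      Match: access-group name known-undesirable-acl
      drop
    Class-map: CPPr-host-normal (match-any)
      40 packets, 5200 bytes
      Match: access-group name normal-acl
        40 packets, 5200 bytes
      police:
        conformed 31 packets, 4030 bytes; actions:
          transmit
        exceeded 9 packets, 1170 bytes; actions:
          drop
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \(match-\w+\)")
TOTAL_RE = re.compile(r"^\s*(\d+) packets, \d+ bytes")
POLICE_RE = re.compile(r"^\s*(conformed|exceeded) (\d+) packets")

def parse_policy(text):
    """Map class name -> {packets, conformed, exceeded, drop_class}."""
    classes, cur, prev = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(raw):
            cur = classes[m.group(1)] = {"packets": None, "conformed": 0, "exceeded": 0, "drop_class": False}
        elif cur is not None:
            if (m := TOTAL_RE.match(raw)) and cur["packets"] is None:
                cur["packets"] = int(m.group(1))   # first count is the class total, not a per-match count
            elif m := POLICE_RE.match(raw):
                cur[m.group(1)] = int(m.group(2))
            elif line == "drop" and not prev.endswith("actions:"):
                cur["drop_class"] = True           # class-level drop, not a police exceed action
        prev = line
    return classes
def findings(classes):
    """Counters worth alerting on: traffic hitting a drop class, or exceeding a police rate."""
    out = []
    for name, c in classes.items():
        if c["drop_class"] and c["packets"]:
            out.append(f"{name}: {c['packets']} packets hit a drop class")
        if c["exceeded"]:
            out.append(f"{name}: {c['exceeded']} packets exceeded the police rate")
    return out
```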