Control plane policing and protection
General information on "Control plane policing and protection (CoPP/CPPr)":
- Used to protect the router/switch CPU against DoS attacks and to rate-limit control plane traffic (packets that are punted to the CPU instead of being forwarded in hardware/CEF)
- Configured like QoS (MQC) with class-maps and policy-maps
- Applied under the control-plane command set
- Unlike in QoS, NBAR (match protocol) can't be used for CoPP/CPPr; classes are matched with ACLs
- Policing/Protection can be done in four ways:
- For the whole control-plane (aggregate): No additional keyword necessary
- For transit control-plane traffic: Using the control-plane transit command
- For host-destined control-plane traffic: Using the control-plane host command
- For cef-exception control-plane traffic: Using the control-plane cef-exception command
- Applying a policy to the whole control-plane is referred to as CoPP (Control Plane Policing)
- Applying a policy to one of the three sub-interfaces (host, transit, cef-exception) is referred to as CPPr (Control Plane Protection)
- The main difference between CoPP and CPPr is their granularity; a packet is first checked against the aggregate CoPP policy and afterwards against the policy of the sub-interface it belongs to
Important: When creating an ACL and traffic from a specific host/subnet needs to be exempted from policing, the deny statement needs to be used to exclude the host/subnet from matching within the class-map! Only packets permitted by the ACL match the class; packets denied by the ACL (including by the implicit deny at its end) do not match and fall through to the next class or to class-default.
"CoPP/CPPr" CLI configuration commands:
## Defining an ACL for class-map matching (permit = matches the class, deny = excluded from the class):
Router(config)# ip access-list {standard | extended} [ACL NAME]
Router(config)# ipv6 access-list [ACL NAME]
Router(config-ext-nacl)# [permit | deny] [PROTOCOL] [SOURCE] [DESTINATION]
## Defining a class-map matching a named ACL (use the number instead of "name [ACL NAME]" for a numbered ACL):
Router(config)# class-map [match-all | match-any] [NAME]
Router(config-cmap)# match access-group name [ACL NAME]
## Defining a policy-map with traffic action (example: drop all traffic matched by the class):
Router(config)# policy-map [NAME]
Router(config-pmap)# class [CLASS-MAP-NAME]
Router(config-pmap-c)# drop
## Applying the policy-map to the control-plane (no keyword = aggregate CoPP, keyword = CPPr sub-interface; the prompt becomes config-cp-host etc. for a sub-interface):
Router(config)# control-plane [host | transit | cef-exception]
Router(config-cp)# service-policy input [POLICY-MAP-NAME]
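The following is a complete worked configuration that ties the steps above together, added here as an illustration and not taken from the original page. It also shows the deny-exclusion rule from the Important note in practice. The ACL, class-map and policy-map names, the trusted management host 192.0.2.10 and the policing rates are assumptions chosen for the example:

```cisco
! Added example, not from the original page. Names, addresses and rates are assumed.
! Goal: rate-limit ICMP and SSH towards the device, drop Telnet towards the device,
! and leave the trusted management host 192.0.2.10 unpoliced.

! The trusted host is DENIED here, so its SSH/ICMP does not match class COPP-MGMT
! and falls through to class-default instead of being policed.
ip access-list extended COPP-MGMT-ACL
 deny   tcp host 192.0.2.10 any eq 22
 deny   icmp host 192.0.2.10 any
 permit tcp any any eq 22
 permit icmp any any

! Telnet to the device is never wanted: matched here and dropped in the policy-map.
ip access-list extended COPP-TELNET-ACL
 permit tcp any any eq 23

class-map match-all COPP-MGMT
 match access-group name COPP-MGMT-ACL
class-map match-all COPP-TELNET
 match access-group name COPP-TELNET-ACL

policy-map COPP-POLICY
 class COPP-TELNET
  drop
 class COPP-MGMT
  ! CIR 64 kbit/s, burst 8000 bytes; excess ICMP/SSH is dropped, not queued
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
  ! transmit/transmit only produces counters; use it to size a real limit later
  police 500000 conform-action transmit exceed-action transmit

! Aggregate CoPP: attached to the whole control plane, no keyword.
control-plane
 service-policy input COPP-POLICY

! CPPr alternative: the same kind of policy scoped to host-destined traffic only.
! control-plane host
!  service-policy input COPP-POLICY

! Verification after applying (exec mode):
! Router# show policy-map control-plane
! Router# show control-plane features
```

Watch the class order: the Telnet class is evaluated before the management class, so a Telnet packet from the trusted host is still dropped, which is the intended behaviour here. After applying, the "show policy-map control-plane" counters are the check that the right classes are being hit and that nothing needed (routing adjacencies, management sessions) is landing in a drop action.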
"CoPP/CPPr" CLI show commands:
## Showing the currently configured CoPP/CPPr features, optionally per sub-interface
Router# show control-plane [host | transit | cef-exception] features
## Showing the attached policy-map with per-class packet and drop counters (the check to run after applying a policy)
Router# show policy-map control-plane [host | transit | cef-exception]