CONTROL PLANE POLICING CoPP Help Needed

Answered Question
Jul 11th, 2009

I have a 7600 with dual RSP720s.

I want to deploy a CoPP policy.

Question:

1.) Should the destination address of the ACLs that classify the traffic be the address of the MSFC? In this case, what I mean by the MSFC is the management IP address of the RSP720 module. If not, which address am I trying to protect?

This is the applicable RSP config of the router:

interface GigabitEthernet5/1
 description Mgmt Interface - RSP720 Engine Slot 5
 ip address 10.41.248.3 255.255.255.0

Giuseppe Larosa Sat, 07/11/2009 - 20:09

Hello Victor,

CoPP action is not limited to management interface and its IP address.

You need to take into account all the legitimate routing protocol sessions, for example; the idea is to define what is permitted and also to apply, if desired, a policer to each traffic class.

In this sense CoPP extends over the receive-ACL concept.

See http://www.cisco.com/en/US/partner/docs/routers/7600/ios/12.2SR/configuration/guide/dos.html#wp1141780 or http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/dos.html#wp1141780

Your control can be as fine-grained as defining who the legitimate BGP peers are and what the local endpoint for the sessions is, and deciding how many BGP packets you accept to send to the CPU.

What is the effect? I saw this with receive ACLs: the ACL had to be customized for each single node.

With CoPP you can decide to deploy a tighter or looser control.

Also take into account the hardware-based rate-limiters and the ARP QoS policy:

http://www.cisco.com/en/US/partner/docs/routers/7600/ios/12.2SR/configuration/guide/dos.html#wp1141055 or http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/dos.html#wp1141055

Hope to help

Giuseppe

lamav Sat, 07/11/2009 - 20:22

G:

I know most of what you're saying...

My question is very specific...

What destination address do you use for the different types of traffic? What I have configured for BGP traffic is the BGP interface address. For OSPF, it's obvious, and for MGMT it's the loopback.

Here is my CoPP policy so far...

ip access-list extended ROUTING_TRAFFIC
 remark CoPP BGP and OSPF Traffic Class
 permit tcp host 66.192.62.1 gt 1024 host 64.13.44.104 eq bgp
 permit tcp host 66.192.62.1 eq bgp host 64.13.44.104 gt 1024 established
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6

ip access-list extended MANAGEMENT_TRAFFIC
 remark CoPP for Network Management Traffic
 permit udp host 10.41.248.129 host 64.13.44.104 eq snmp
 permit udp host 10.41.168.24 host 64.13.44.104 eq ntp
 permit udp host 10.41.168.130 host 64.13.44.104 eq syslog
 permit tcp any gt 1024 any eq 22
 permit tcp any eq 22 any gt 1024 established

ip access-list extended ICMP_TRAFFIC
 remark CoPP for ICMP Traffic
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any port-unreachable
 permit icmp any any unreachable

ip access-list extended UNDESIRABLE_TRAFFIC
 remark CoPP for All Potentially Malicious Traffic
 permit icmp any any fragments
 permit udp any any fragments
 permit tcp any any fragments
 permit ip any any fragments
 permit udp any any eq 1434
 permit tcp any any eq bgp rst

ip access-list extended GENERAL_TRAFFIC
 remark CoPP for General Traffic
 permit ip any any

class-map CRITICAL_TRAFFIC
 description ROUTING UPDATES
 match access-group name ROUTING_TRAFFIC

class-map IMPORTANT_TRAFFIC
 description MANAGEMENT TRAFFIC
 match access-group name MANAGEMENT_TRAFFIC

class-map NORMAL_TRAFFIC
 description ICMP TRAFFIC
 match access-group name ICMP_TRAFFIC

class-map UNDESIRABLE_TRAFFIC
 description MALICIOUS TRAFFIC
 match access-group name UNDESIRABLE_TRAFFIC

class-map GENERAL_TRAFFIC
 description ALL OTHER TRAFFIC
 match access-group name GENERAL_TRAFFIC

Correct Answer
Istvan_Rabai Sat, 07/11/2009 - 22:11

Hi Victor,

It's not mandatory to configure a specific destination address for each type of traffic.

You can define the type of traffic with generalized source and destination, in case of BGP for example:

permit tcp any any eq bgp
permit tcp any eq bgp any

and so on.

If you define very specific ip host addresses in the ROUTING_TRAFFIC ACL then CRITICAL_TRAFFIC policing will be applied to those flows only.

Other possible BGP flows that are not included in the ROUTING_TRAFFIC ACL will then be classified by the GENERAL_TRAFFIC ACL, and will be policed accordingly.

Cheers:

Istvan
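
As an added illustration (not from the thread, nor from Cisco), here is a small Python model of first-match CoPP classification using the ACLs Victor posted, showing Istvan's point: a BGP session from a peer not listed in ROUTING_TRAFFIC falls through to GENERAL_TRAFFIC, while his generalized "permit tcp any any eq bgp" entry pulls it into CRITICAL_TRAFFIC. The class order in the policy-map (Victor did not post it), the unlisted peer 192.0.2.7, and the omission of the ICMP and UNDESIRABLE classes are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str          # tcp, udp, icmp or ospf
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def ace(proto, src="any", dst="any", sport=None, dport=None):
    """One access-list entry; 'any' / None mean unconstrained.
    The 'established' keyword is not modelled here."""
    def match(p):
        return ((proto == "ip" or p.proto == proto)
                and src in ("any", p.src) and dst in ("any", p.dst)
                and (sport is None or sport(p.sport))
                and (dport is None or dport(p.dport)))
    return match

def eq(n): return lambda x: x == n
def gt(n): return lambda x: x > n

BGP, SNMP, SSH = 179, 161, 22
PEER, LOCAL = "66.192.62.1", "64.13.44.104"   # addresses from Victor's ACLs

# class-map -> ACEs of its access-group, in policy-map order. The order is
# an assumption (Victor did not post the policy-map); ICMP/UNDESIRABLE
# classes and the NTP/syslog entries are left out to keep the model short.
POLICY = [
    ("CRITICAL_TRAFFIC", [ace("tcp", PEER, LOCAL, gt(1024), eq(BGP)),
                          ace("tcp", PEER, LOCAL, eq(BGP), gt(1024)),
                          ace("ospf", "any", "224.0.0.5"),
                          ace("ospf", "any", "224.0.0.6")]),
    ("IMPORTANT_TRAFFIC", [ace("udp", "10.41.248.129", LOCAL, None, eq(SNMP)),
                           ace("tcp", "any", "any", gt(1024), eq(SSH))]),
    ("GENERAL_TRAFFIC", [ace("ip")]),     # permit ip any any
]

def classify(pkt, policy=POLICY):
    """Return the first class whose access-group permits the packet."""
    for name, aces in policy:
        if any(a(pkt) for a in aces):
            return name
    return "class-default"

def with_generalized_bgp(policy=POLICY):
    """Istvan's variant: add 'permit tcp any any eq bgp' and
    'permit tcp any eq bgp any' to the ROUTING_TRAFFIC access-group."""
    crit = [ace("tcp", dport=eq(BGP)), ace("tcp", sport=eq(BGP))]
    return [(n, crit + a if n == "CRITICAL_TRAFFIC" else a) for n, a in policy]
```

Run classify() on a BGP packet from PEER and on one from an unlisted source to see the first land in CRITICAL_TRAFFIC and the second in GENERAL_TRAFFIC; with_generalized_bgp() moves the second into CRITICAL_TRAFFIC as well.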

Correct Answer
Giuseppe Larosa Sat, 07/11/2009 - 23:13

Hello Victor,

Sorry, I didn't mean to imply you hadn't looked at the documentation!

As Istvan suggests, you have the freedom to choose how tight the control you perform is.

Just one hint about SNMP and other management protocols:

In a modular chassis like this, inter-module communication may happen with IP packets, usually using loopback addresses like 127.0.0.x.

The first time we enabled a receive ACL on a GSR, we were able to isolate the GRP and the linecard modules on the same chassis!

I don't know if CoPP is smarter in this respect.

However, I think you need to provide for the SSO communication between the two supervisors, putting it in critical traffic, unless it uses some form of out-of-band communication.

Hope to help

Giuseppe

lamav Sun, 07/12/2009 - 06:21

Guys, great answers...very helpful...appreciate the time and info.

Thanks

Victor
