07-11-2009 06:54 PM - edited 03-06-2019 06:42 AM
I have a 7600 with dual RSP720s.
I want to deploy a CoPP policy.
Question:
1.) Should the destination address of the ACLs that classify the traffic be the address of the MSFC? In this case, what I mean by the MSFC is the management IP address of the RSP720 module. If not, which address am I trying to protect?
This is the applicable RSP config of the router:
interface GigabitEthernet5/1
 description Mgmt Interface - RSP720 Engine Slot 5
 ip address 10.41.248.3 255.255.255.0
07-11-2009 08:09 PM
Hello Victor,
CoPP action is not limited to management interface and its IP address.
You need to take into account all the legitimate routing protocol sessions, for example; the idea is to define what is permitted and also to apply, if desired, a policer to each traffic class.
In this sense CoPP extends over the receive-ACL concept.
see
or
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/dos.html#wp1141780
Your control can be as fine as defining who the legitimate BGP peers are and what the local endpoint for the sessions is, and deciding how many BGP packets you accept to send to the CPU.
What is the effect:
I saw this with receive ACL:
the ACL had to be customized for each single node.
With CoPP you can decide to deploy a tighter or looser control.
Take also into account the hardware-based rate-limiters and the ARP QoS policy
or
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/dos.html#wp1141055
Hope to help
Giuseppe
07-11-2009 08:22 PM
G:
I know most of what you're saying...
My question is very specific...
What destination address do you use for the different types of traffic? What I have configured for BGP traffic is the BGP interface address. For OSPF, it's obvious, and for MGMT it's the loopback.
Here is my CoPP policy so far...
ip access-list extended ROUTING_TRAFFIC
 remark CoPP BGP and OSPF Traffic Class
 permit tcp host 66.192.62.1 gt 1024 host 64.13.44.104 eq bgp
 permit tcp host 66.192.62.1 eq BGP host 64.13.44.104 gt 1024 established
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
ip access-list extended MANAGEMENT_TRAFFIC
 remark CoPP for Network Management Traffic
 permit udp host 10.41.248.129 host 64.13.44.104 eq snmp
 permit udp host 10.41.168.24 host 64.13.44.104 eq ntp
 permit udp host 10.41.168.130 host 64.13.44.104 eq syslog
 permit tcp any gt 1024 any eq SSH
 permit tcp any eq SSH any gt 1024 established
ip access-list extended ICMP_TRAFFIC
 remark CoPP for ICMP Traffic
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any port-unreachable
 permit icmp any any unreachable
ip access-list extended UNDESIRABLE_TRAFFIC
 remark CoPP for All Potentially Malicious Traffic
 permit icmp any any fragments
 permit udp any any fragments
 permit tcp any any fragments
 permit ip any any fragments
 permit udp any any eq 1434
 permit tcp any any eq bgp rst
ip access-list extended GENERAL_TRAFFIC
 remark CoPP for General Traffic
 permit ip any any
class-map CRITICAL_TRAFFIC
 description ROUTING UPDATES
 match access-group ROUTING_TRAFFIC
class-map IMPORTANT_TRAFFIC
 description MANAGEMENT TRAFFIC
 match access-group MANAGEMENT_TRAFFIC
class-map NORMAL_TRAFFIC
 description ICMP TRAFFIC
 match access-group ICMP_TRAFFIC
class-map UNDESIRABLE_TRAFFIC
 description MALICIOUS TRAFFIC
 match access-group UNDESIRABLE_TRAFFIC
class-map GENERAL_TRAFFIC
 description ALL OTHER TRAFFIC
 match access-group GENERAL_TRAFFIC
07-11-2009 10:11 PM
Hi Victor,
It's not mandatory to configure a specific destination address for each type of traffic.
You can define the type of traffic with generalized source and destination, in case of BGP for example:
permit tcp any any eq bgp
permit tcp any eq bgp any
and so on.
If you define very specific ip host addresses in the ROUTING_TRAFFIC ACL then CRITICAL_TRAFFIC policing will be applied to those flows only.
Other possible BGP flows that are not included in the ROUTING_TRAFFIC ACL will then be classified by the GENERAL_TRAFFIC ACL, and will be policed accordingly.
Cheers:
Istvan
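To make Istvan's point concrete against Victor's posted ACLs, here is an added example that is not part of the thread: a small Python simulator of first-match CoPP classification. It parses only the ACE syntax the post uses, takes a constructed subset of the ACEs (ROUTING, UNDESIRABLE and GENERAL), and assumes the class-maps are applied in that order in the policy-map; a BGP SYN from the configured peer lands in CRITICAL_TRAFFIC, the same SYN from any other source falls through to GENERAL_TRAFFIC.

```python
# Added example (not from the thread): a first-match CoPP classifier over a constructed
# subset of Victor's ACLs; it parses only the ACE syntax his post uses.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport flags", defaults=(0, 0, frozenset()))
PORTS = {"bgp": 179, "ssh": 22, "snmp": 161, "ntp": 123, "syslog": 514}

def parse_ace(line):
    """permit <proto> <src> [eq|gt port] <dst> [eq|gt port] [established|rst|fragments|...]"""
    t = line.split()
    assert t[0] == "permit", line
    i, fields = 2, []
    for _ in range(2):                     # source, then destination
        fields.append(None if t[i] == "any" else t[i + 1])  # None means "any"
        i += 1 if t[i] == "any" else 2
        if i < len(t) and t[i] in ("eq", "gt"):             # optional port operator
            fields.append((t[i], PORTS.get(t[i + 1].lower()) or int(t[i + 1]))); i += 2
        else:
            fields.append(None)
    return (t[1], *fields, set(t[i:]))   # proto, src, sport-op, dst, dport-op, options

def _port_ok(op, p):
    return op is None or (p == op[1] if op[0] == "eq" else p > op[1])

def ace_matches(ace, pkt):
    proto, src, sp, dst, dp, opts = ace
    if proto not in ("ip", pkt.proto) or src not in (None, pkt.src) or dst not in (None, pkt.dst):
        return False
    if not (_port_ok(sp, pkt.sport) and _port_ok(dp, pkt.dport)):
        return False
    for o in opts:  # "established" means ACK or RST set; any other option must be present
        if not (({"ack", "rst"} if o == "established" else {o}) & pkt.flags):
            return False
    return True

# Class-maps in the order assumed for the policy-map; each holds a subset of the posted ACEs.
POLICY = [(name, [parse_ace(l) for l in aces]) for name, aces in [
    ("CRITICAL_TRAFFIC", ["permit tcp host 66.192.62.1 gt 1024 host 64.13.44.104 eq bgp",
                          "permit tcp host 66.192.62.1 eq bgp host 64.13.44.104 gt 1024 established",
                          "permit ospf any host 224.0.0.5"]),
    ("UNDESIRABLE_TRAFFIC", ["permit tcp any any fragments", "permit tcp any any eq bgp rst"]),
    ("GENERAL_TRAFFIC", ["permit ip any any"])]]

def classify(pkt):
    """Return the class-map a punted packet lands in; the first matching ACL wins."""
    for name, aces in POLICY:
        if any(ace_matches(a, pkt) for a in aces):
            return name
    return "class-default"
```

For instance `classify(Packet("tcp", "192.0.2.9", "64.13.44.104", 40000, 179, {"syn"}))` returns `GENERAL_TRAFFIC` (192.0.2.9 is a constructed, non-peer source), while the same packet from 66.192.62.1 returns `CRITICAL_TRAFFIC`.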
07-11-2009 11:13 PM
Hello Victor,
Sorry, I didn't mean to say you hadn't looked at the documentation!
As Istvan suggests, you have the freedom to choose how tight a control you apply.
Just one hint about SNMP and other management protocols:
In a modular chassis like this, inter-module communication may happen with IP packets, usually using loopback addresses like 127.0.0.x.
The first time we enabled a receive ACL on a GSR we managed to isolate the GRP and the linecard modules in the same chassis!
I don't know if CoPP is smarter under this aspect.
However, I think you need to provide for the SSO communication between the two supervisors by putting it in the critical traffic class, unless it uses some form of out-of-band communication.
Hope to help
Giuseppe
07-12-2009 06:21 AM
Guys, great answers...very helpful...appreciate the time and info.
Thanks
Victor