Control Plane Policing (CoPP) for Data Center

May 24th, 2010

Hi All,

I am planning to apply CoPP on different routers and switches of the Data Center. This Data Center comprises Cisco 6513 (VSS), Catalyst 3750, Cisco 3845 and Cisco 2811.

My questions are:

1. Do we have to apply CoPP on Catalyst 3750, as these are DMZ switches only?

2. How to find the packet processing rate from router and switches?

3. Any best practices CoPP template for routers running OSPF and BGP?

Thanks and Regards,
Ahmed.

Panos Kampanakis Tue, 05/25/2010 - 14:20

1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that will be able to be telneted to from the outside for example, CoPPing them would be helpful for you.

2. "sh proc cpu" would give you some insight for processes like ssh or telnet and how much they take. Not control packet rate processing though.

3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.

I hope it helps.

PK

Ahmed Shahzad Tue, 05/25/2010 - 17:56

Thanks for your response.

1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that will be able to be telneted to from the outside for example, CoPPing them would be helpful for you.

Do we not need to apply CoPP on switches and routers that are not telneted from outside?

2. "sh proc cpu" would give you some insight for processes like ssh or telnet and how much they take. Not control packet rate processing though.

I want to know the maximum packet processing rate of a router or switch?

3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.

Best practice for a router running OSPF with 200 routes?

Thanks and Regards,
Shahzad.

Panos Kampanakis Wed, 05/26/2010 - 11:18

1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that will be able to be telneted to from the outside for example, CoPPing them would be helpful for you.

Do we not need to apply CoPP on switches and routers that are not telneted from outside?

Control plane traffic is traffic that goes to the control plane of the router like management traffic, snmp etc. If there is a firewall securing you from the outside I would feel my switches are more secure and it is not easy to bring them to their knees with an attacker doing too much from the outside. Control plane policing applies to all control plane traffic, but it is mostly against outsiders that someone would try to protect himself.

2. "sh proc cpu" would give you some insight for processes like ssh or telnet and how much they take. Not control packet rate processing though.

I want to know the maximum packet processing rate of a router or switch?

I don't think you will be able to pull that number.

3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.

Best practice for a router running OSPF with 200 routes?

Don't know of any.

PK

Ahmed Shahzad Wed, 05/26/2010 - 17:01

Hi PK,

Thanks for your response.

I have found a document which gives the router performance matrix, including process switching and fast switching (PPS and Mbps), and I would like to share it:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Secondly, I would like to apply CoPP on the core switch (Catalyst 6513 - VSS), which is behind the firewall, but I am wondering whether at any point of time my internal server can also generate some attack on it, so I would like to apply CoPP on it.

Also I found a best practice document for Control plane policy, which I would also like to share:

http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

Thanks and Regards,
Ahmed.

Ahmed Shahzad Wed, 05/26/2010 - 17:29

Hi Experts,

I am reading the CoPP best practice document (http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html), and am confused by the ACL statements given below:

access-list 121 permit tcp   eq 22
access-list 121 permit tcp eq 22 established

I am thinking that second statement should be like:

access-list 121 permit tcp  eq 22  established

Thanks and Regards,
Ahmed Shahzad.

Panos Kampanakis Thu, 05/27/2010 - 07:29
access-list 121 permit tcp   eq 22
access-list 121 permit tcp eq 22 established

is correct.

The first line matches packets that are from your NOC ip addresses to the router on port 22 for management.

The second is for return traffic (established keyword) that was sourced from your router destined to NOC for port 22, probably NOC management from the router side.

I hope it makes sense.

PK
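To make the difference between the two lines concrete, here is an added Python example (not from the thread or the Cisco document) that evaluates the ACL pair against constructed TCP segments. The NOC block 192.0.2.0/24 and router receive block 198.51.100.0/24 are placeholder values standing in for the blocks elided on the page, and only the "permit tcp ... eq ... established" subset of IOS extended ACL syntax is modelled.

```python
from ipaddress import ip_address, ip_network

# Placeholder blocks (assumed; stand in for the NOC / router receive blocks elided on the page)
NOC = "192.0.2.0 0.0.0.255"          # NOC management hosts, as an IOS address/wildcard pair
RECEIVE = "198.51.100.0 0.0.0.255"   # router receive block (the router's own addresses)

def parse_ace(line):
    """Parse 'access-list N permit tcp SRC WILD [eq P] DST WILD [eq P] [established]'.
    ipaddress accepts an IOS wildcard mask as a hostmask after '/'."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2:4] != ["permit", "tcp"]:
        raise ValueError("only 'access-list N permit tcp ...' entries are modelled")
    t = t[4:]
    ace = {"established": False}
    for side in ("src", "dst"):
        ace[side] = ip_network(f"{t[0]}/{t[1]}", strict=False)
        t = t[2:]
        ace[side + "_port"] = None
        if t and t[0] == "eq":            # 'eq <port>' binds to the endpoint just parsed
            ace[side + "_port"] = int(t[1])
            t = t[2:]
    if t == ["established"]:              # matches only segments with ACK or RST set
        ace["established"] = True
    elif t:
        raise ValueError(f"unsupported trailing tokens: {t}")
    return ace

def pkt(src, sport, dst, dport, ack=False, rst=False):
    """A constructed TCP segment header with just the fields the ACL inspects."""
    return {"src": ip_address(src), "sport": sport, "dst": ip_address(dst),
            "dport": dport, "ack": ack, "rst": rst}

def ace_matches(ace, p):
    if p["src"] not in ace["src"] or p["dst"] not in ace["dst"]:
        return False
    if ace["src_port"] is not None and p["sport"] != ace["src_port"]:
        return False
    if ace["dst_port"] is not None and p["dport"] != ace["dst_port"]:
        return False
    return not ace["established"] or p["ack"] or p["rst"]

def first_match(acl, p):
    """1-based index of the first matching entry, or None for the implicit deny."""
    return next((i for i, ace in enumerate(acl, 1) if ace_matches(ace, p)), None)

# The pair from the thread, with the placeholder blocks filled in
ACL_121 = [parse_ace(f"access-list 121 permit tcp {NOC} {RECEIVE} eq 22"),
           parse_ace(f"access-list 121 permit tcp {NOC} eq 22 {RECEIVE} established")]

# NOC host opens SSH to the router: line 1 (management traffic)
NOC_TO_ROUTER_SSH = pkt("192.0.2.10", 40000, "198.51.100.1", 22)
# NOC SSH server answers a session the router itself opened: line 2 (src port 22, ACK set)
NOC_REPLY_TO_ROUTER = pkt("192.0.2.10", 22, "198.51.100.1", 50000, ack=True)
# Unsolicited SYN from NOC port 22 toward the router: no entry matches, implicit deny
NOC_SYN_FROM_22 = pkt("192.0.2.10", 22, "198.51.100.1", 50000)
```

Swapping the second line to the "RECEIVE eq 22 ... established" form proposed later in the thread would instead match only NOC-to-router segments with destination port 22 and ACK set, which line 1 already permits.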

Ahmed Shahzad Thu, 05/27/2010 - 16:46

Hi PK,

access-list 121 permit tcp   eq 22
access-list 121 permit tcp eq 22 established

The first line of this ACL is very clear to me, but I am concerned about the second line. It says the source is the NOC block, sourcing from port 22, destined to the Router Receive block, and established connections?

I believe it should be like:

access-list 121 permit tcp 22 established

Thanks and Regards,

Ahmed Shahzad.
