Control Plane Protection in Cisco IOS

Document

Mon, 12/05/2011 - 23:26

Introduction


This document explains the concept of Control Plane Protection in Cisco IOS.

Prerequisites


Router running the Firewall feature set.

Concept


Control Plane Protection is a Cisco IOS feature aimed at preventing infrastructure attacks, i.e. attacks targeting the router itself. The control plane implements routing and management protocols such as OSPF, BGP, RIP, SNMP, SSH, Telnet and so on.


The most common attacks against the control plane are of the resource-exhaustion type: they aim at depleting the router's resources and causing denial of service. On most IOS platforms the control plane runs on the central Route Processor (CPU) in parallel with asynchronous packet switching. Packet forwarding is commonly implemented in the CEF switching path during the hardware interrupt processing task, whereas all packets directed to the control plane (routing updates, keepalives, SSH/SNMP sessions) are handled by process switching, which is the most CPU-intensive path.


Configuration



Please refer to the following sample control-plane policing configuration:


ip access-list extended BGP
 permit tcp any any eq bgp

class-map BGP
 match access-group name BGP

policy-map Control-Plane
 class BGP
  police rate 2000 pps burst 100 packets

control-plane
 service-policy input Control-Plane


Verify


ROUTER1#show policy-map control-plane
Control Plane

  Service-policy input: Control-Plane

    Class-map: BGP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name BGP
      police:
          rate 2000 pps, burst 100 packets
        conformed 0 packets; actions:
          transmit
        exceeded 0 packets; actions:
          drop
        conformed 0 pps, exceed 0 pps

    Class-map: class-default (match-any)
      5 packets, 450 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any



Please note that in the above configuration the police command specifies the rate in packets per second and the burst size in packets. This form of the police command is only applicable to the control-plane policy. In addition to the input policy, you can configure output policing as well and limit the rate of packets produced by the router's control plane.
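As an added example that is not part of the original document, the following Python parser reads the output of "show policy-map control-plane" in the format shown above, pulls each class's police rate and its conformed/exceeded packet counters, and flags classes whose exceeded counter is non-zero. Those are the packets the policer dropped, so a growing exceeded count on a class such as BGP is the signal a monitoring job should alarm on. The sample output embedded below is constructed, not taken from a real router.

```python
import re

# Constructed sample of "show policy-map control-plane" output (not captured
# from a real router); the BGP class has exceeded packets so the check fires.
SAMPLE_OUTPUT = """\
Control Plane

  Service-policy input: Control-Plane

    Class-map: BGP (match-all)
      12500 packets, 812500 bytes
      5 minute offered rate 3000 bps, drop rate 400 bps
      Match: access-group name BGP
      police:
          rate 2000 pps, burst 100 packets
        conformed 12000 packets; actions:
          transmit
        exceeded 500 packets; actions:
          drop
        conformed 1900 pps, exceed 80 pps

    Class-map: class-default (match-any)
      5 packets, 450 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \((match-\w+)\)")
POLICE_RE = re.compile(r"rate (\d+) pps, burst (\d+) packets")
COUNT_RE = re.compile(r"^\s*(conformed|exceeded) (\d+) packets;")

def parse_copp(output):
    """Return {class_name: stats} parsed from the show command text."""
    classes, current = {}, None
    for line in output.splitlines():
        m = CLASS_RE.match(line)
        if m:  # start of a new class-map section
            current = {"match": m.group(2), "rate_pps": None, "burst": None,
                       "conformed": 0, "exceeded": 0}
            classes[m.group(1)] = current
            continue
        if current is None:
            continue
        m = POLICE_RE.search(line)
        if m:  # "rate N pps, burst M packets" line under "police:"
            current["rate_pps"], current["burst"] = int(m.group(1)), int(m.group(2))
            continue
        m = COUNT_RE.match(line)
        if m:  # per-policer packet counters (the "pps" summary line is skipped)
            current[m.group(1)] = int(m.group(2))
    return classes

def dropping_classes(classes):
    """Names of classes whose policer has dropped (exceeded) packets."""
    return sorted(name for name, c in classes.items() if c["exceeded"] > 0)
```

Running dropping_classes(parse_copp(SAMPLE_OUTPUT)) on the sample returns ["BGP"]; on the page's own output, where every counter is zero, it returns an empty list.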


Hope this document is informative for you, and I want to thank you for your time.


