Control Plane Protection in Cisco IOS


Dec 5, 2011 11:11 PM

Introduction

This document explains the concept of Control Plane Protection in Cisco IOS.

Prerequisites

Router running the Firewall Feature Set.

1. Concept

Control Plane Protection is a Cisco IOS feature aimed at preventing infrastructure attacks, i.e. attacks targeting the router itself. The control plane implements routing and management protocols such as OSPF, BGP, RIP, SNMP, SSH, Telnet and so on.

The most common and typical attacks against the control plane are of the resource exhaustion type: they aim at depleting the router's resources and causing denial of service. On most IOS platforms the control plane runs on the central Route Processor (CPU) in parallel with asynchronous packet switching. Packet forwarding is commonly implemented using the CEF switching path during the hardware interrupt processing task. All packets directed to the control plane (such as routing updates, keepalives and SSH/SNMP sessions) are handled by process switching, which is the most CPU-intensive path.

2. Configuration

Please refer to the following sample control plane policing configuration:

ip access-list extended BGP
 permit tcp any any eq bgp
!
class-map BGP
 match access-group name BGP
!
policy-map Control-Plane
 class BGP
  police rate 2000 pps burst 100 packets
!
control-plane
 service-policy input Control-Plane


Verify

ROUTER1#show policy-map Control-Plane
 Control Plane

  Service-policy input: Control-Plane

    Class-map: BGP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name BGP
      police:
          rate 2000 pps, burst 100 packets
        conformed 0 packets; actions:
          transmit
        exceeded 0 packets; actions:
          drop
        conformed 0 pps, exceed 0 pps

    Class-map: class-default (match-any)
      5 packets, 450 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
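The counters in the output above are what an operator watches after deploying the policy: a growing "exceeded" count on a control-plane class means either that the policer is absorbing a flood or that the configured rate is too low and legitimate control traffic (here BGP) is being starved, and either case deserves attention. The following is an added example, not part of the original document, that parses this show output and reports drops and classes running close to their configured rate. The sample output is constructed for the example (the document's listing has all-zero counters), and the 90% "near-limit" headroom is an assumed threshold.

```python
import re

# Constructed sample output (not from the original document), modelled on the
# "show policy-map Control-Plane" listing above but with nonzero counters on
# the BGP class so that the checks below have something to report.
SAMPLE_OUTPUT = """\
Control Plane

  Service-policy input: Control-Plane

    Class-map: BGP (match-all)
      125340 packets, 7520400 bytes
      5 minute offered rate 1000 bps, drop rate 0 bps
      Match: access-group name BGP
      police:
          rate 2000 pps, burst 100 packets
        conformed 125000 packets; actions:
          transmit
        exceeded 340 packets; actions:
          drop
        conformed 1950 pps, exceed 12 pps

    Class-map: class-default (match-any)
      5 packets, 450 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

# One regex per counter line of interest; each is anchored at the start of
# the (indented) line so the "packets" counter cannot be confused with the
# "conformed ... packets;" policer line.
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-\w+)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"^\s*rate (\d+) pps, burst (\d+) packets")
CONF_RE = re.compile(r"^\s*conformed (\d+) packets;")
EXC_RE = re.compile(r"^\s*exceeded (\d+) packets;")
PPS_RE = re.compile(r"^\s*conformed (\d+) pps, exceed (\d+) pps")

FIELDS = ((COUNT_RE, ("packets", "bytes")),
          (RATE_RE, ("rate_pps", "burst")),
          (CONF_RE, ("conformed",)),
          (EXC_RE, ("exceeded",)),
          (PPS_RE, ("conformed_pps", "exceed_pps")))


def parse_policy_map(text):
    """Parse show policy-map control-plane output into {class_name: stats}."""
    classes, cur = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            # A new class-map section starts; unpoliced classes keep rate None.
            cur = {"match": m.group(2), "packets": 0, "bytes": 0,
                   "rate_pps": None, "burst": None,
                   "conformed": 0, "exceeded": 0,
                   "conformed_pps": 0, "exceed_pps": 0}
            classes[m.group(1)] = cur
            continue
        if cur is None:
            continue
        for regex, keys in FIELDS:
            m = regex.match(line)
            if m:
                for key, val in zip(keys, m.groups()):
                    cur[key] = int(val)
                break
    return classes


def check_copp(classes, headroom=0.9):
    """Return (class, issue, value) findings: any policer drops, and a
    conforming rate at or above `headroom` of the configured rate
    (the 0.9 default is an assumed threshold for this example)."""
    findings = []
    for name, s in classes.items():
        if s["exceeded"] > 0:
            findings.append((name, "drops", s["exceeded"]))
        if s["rate_pps"] and s["conformed_pps"] >= headroom * s["rate_pps"]:
            findings.append((name, "near-limit", s["conformed_pps"]))
    return findings


if __name__ == "__main__":
    for finding in check_copp(parse_policy_map(SAMPLE_OUTPUT)):
        print("%s: %s (%d)" % finding)
```

In practice the text would come from an SSH session or a config-management tool polling the router periodically; comparing the "exceeded" counter between two polls shows whether drops are still increasing rather than just historical.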

Please note that in the above configuration the police command specifies the rate in packets per second and the burst size in packets. This form of the police command is only applicable to the control-plane policy. In addition to the input policy, you can configure output policing as well and limit the rate of the packets produced by the router's control plane.
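To make the rate and burst parameters concrete, here is an added example (not from the original document and not Cisco's implementation) that models the police command as a single token bucket: the bucket holds at most `burst` tokens, is refilled at `rate` tokens per second, and every packet either spends a token and is transmitted or, when the bucket is empty, is dropped. Applied to the document's values of 2000 pps and 100 packets, it shows that a burst of up to 100 packets passes instantly, a steady 2000 pps stream is never dropped, and a sustained 3000 pps flood is cut back to roughly the configured rate once the burst allowance is used up. The function works for any rate/burst pair, not only the document's values.

```python
from fractions import Fraction

# Document's values for the policer; any other pair works with police() too.
RATE_PPS = 2000
BURST_PACKETS = 100


def police(arrival_times, rate_pps, burst_packets):
    """Simplified token-bucket policer (illustrative model, not Cisco's code).

    arrival_times: non-decreasing packet arrival times in seconds.
    Returns (conformed, exceeded) packet counts. Fractions keep the
    arithmetic exact so the counts are reproducible.
    """
    capacity = Fraction(burst_packets)
    tokens = capacity          # bucket starts full, so a burst passes at once
    last = None
    conformed = exceeded = 0
    for t in arrival_times:
        t = Fraction(t)
        if last is not None:
            if t < last:
                raise ValueError("arrival times must be non-decreasing")
            # Refill for the elapsed time, never beyond the burst size.
            tokens = min(capacity, tokens + (t - last) * rate_pps)
        last = t
        if tokens >= 1:
            tokens -= 1        # conform action: transmit
            conformed += 1
        else:
            exceeded += 1      # exceed action: drop (no token consumed)
    return conformed, exceeded


def stream(pps, seconds):
    """Arrival times for a constant stream of `pps` packets/s for `seconds` s."""
    return [Fraction(i, pps) for i in range(pps * seconds)]


if __name__ == "__main__":
    print("101 packets at t=0:", police([0] * 101, RATE_PPS, BURST_PACKETS))
    print("2000 pps for 1 s:  ", police(stream(2000, 1), RATE_PPS, BURST_PACKETS))
    print("3000 pps for 1 s:  ", police(stream(3000, 1), RATE_PPS, BURST_PACKETS))
```

The 3000 pps case passes 2099 packets rather than exactly 2000: the extra 99 are the burst allowance that was available when the flood started, after which the bucket admits two of every three packets. This is why burst is chosen to cover legitimate short spikes (a full BGP table exchange, for example) while the rate bounds what the CPU has to process on a sustained basis.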

Hope this document is informative for you and I want to thank you for your time.
