Cisco Support Community

New Member

Control Plane Policing (CoPP) for Data Center

Hi All,

I am planning to apply CoPP on different routers and switches of the Data Center. This Data Center comprises Cisco 6513 (VSS), Catalyst 3750, Cisco 3845 and Cisco 2811.

My questions are:

1. Do we have to apply CoPP on Catalyst 3750, as these are DMZ switches only?

2. How to find the packet processing rate from router and switches?

3. Any best practices CoPP template for routers running OSPF and BGP?

Thanks and Regards,
Ahmed.

7 REPLIES
Cisco Employee

Re: Control Plane Policing (CoPP) for Data Center

1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that will be able to be telneted to from the outside for example, CoPPing them would be helpful for you.

2. "sh proc cpu" would give you some insight for processes like ssh or telnet and how much they take. Not control packet rate processing though.

3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.

I hope it helps.

PK

New Member

Re: Control Plane Policing (CoPP) for Data Center

Thanks for your response.

1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that will be able to be telneted to from the outside for example, CoPPing them would be helpful for you.

Do we not need to apply CoPP on switches and routers that are not telneted from outside?

2. "sh proc cpu" would give you some insight for processes like ssh or telnet and how much they take. Not control packet rate processing though.

I want to know the maximum packet processing rate of a router or switch?

3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.

Best practice for a router running OSPF with 200 routes?

Thanks and Regards,
Shahzad.

Cisco Employee

Re: Control Plane Policing (CoPP) for Data Center

1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that will be able to be telneted to from the outside for example, CoPPing them would be helpful for you.

Do we not need to apply CoPP on switches and routers that are not telneted from outside?

Control plane traffic is traffic that goes to the control plane of the router, like management traffic, SNMP etc. If there is a firewall securing you from the outside, I would feel my switches are more secure and it is not easy to bring them to their knees with an attacker doing too much from the outside. Control plane policing applies to all control plane traffic, but it is mostly against outsiders that someone would try to protect himself.

2. "sh proc cpu" would give you some insight for processes like ssh or telnet and how much they take. Not control packet rate processing though.

I want to know the maximum packet processing rate of a router or switch?

I don't think you will be able to pull that number.

3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.

Best practice for a router running OSPF with 200 routes?

Don't know of any.

PK

New Member

Re: Control Plane Policing (CoPP) for Data Center

Hi PK,

Thanks for your response.

I have found a document which briefs us on the router performance matrix, including process switching and fast switching (PPS and Mbps), and I would like to share it:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Secondly, I would like to apply CoPP on the core switch (Catalyst 6513 - VSS), which is behind the firewall, but I am wondering whether at any point in time my internal servers could also generate an attack on it, so I would like to apply CoPP on it.

Also, I found a best practice document for control plane policing, which I would also like to share:

http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

Thanks and Regards,
Ahmed.

New Member

Re: Control Plane Policing (CoPP) for Data Center

Hi Experts,

I am reading the CoPP best practice document (http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html), and I am confused by the ACL statements given below:

access-list 121 permit tcp   eq 22
access-list 121 permit tcp eq 22 established

I am thinking that the second statement should be like:

access-list 121 permit tcp  eq 22  established

Thanks and Regards,
Ahmed Shahzad.

Cisco Employee

Re: Control Plane Policing (CoPP) for Data Center

access-list 121 permit tcp   eq 22
access-list 121 permit tcp eq 22 established

is correct.

The first line matches packets that are from your NOC IP addresses to the router on port 22 for management.

The second is for return traffic (established keyword) that was sourced from your router, destined to the NOC for port 22, probably NOC management from the router side.

I hope it makes sense.

PK

New Member

Re: Control Plane Policing (CoPP) for Data Center

Hi PK,

access-list 121 permit tcp   eq 22
access-list 121 permit tcp eq 22 established

The first line of this ACL is very clear to me, but I am concerned about the second line. It says the source is the NOC block, sourcing from port 22, destined to the router receive block, and established connections?

I believe it should be like:

access-list 121 permit tcp 22 established

Thanks and Regards,

Ahmed Shahzad.
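Added example, not from the thread or the Cisco paper: a small Python model of IOS extended-ACL matching, run against the two access-list 121 lines that PK explains and that the last post questions. CoPP on IOS is applied to traffic arriving inbound at the control plane, so the ACL only ever sees packets whose destination is the router itself; the NOC and router receive blocks are elided on the page, so the prefixes and packets below are constructed documentation addresses.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed RFC 5737 prefixes standing in for the blocks elided on the page.
NOC_BLOCK = ip_network("192.0.2.0/24")        # assumed NOC management block
ROUTER_BLOCK = ip_network("198.51.100.0/24")  # assumed router "receive" block


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # ACK or RST bit set, which is what "established" tests


@dataclass(frozen=True)
class AclEntry:
    """One 'permit tcp SRC [eq N] DST [eq N] [established]' line."""
    src_net: IPv4Network
    dst_net: IPv4Network
    sport: Optional[int] = None   # "eq N" placed after the source address
    dport: Optional[int] = None   # "eq N" placed after the destination address
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src_net
                and ip_address(p.dst) in self.dst_net
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (not self.established or p.ack))


def first_match(acl: list, p: Packet) -> Optional[int]:
    """Index of the first permit line the packet hits, or None (implicit deny)."""
    return next((i for i, e in enumerate(acl) if e.matches(p)), None)


# The two lines as printed in the CoPP paper, with the assumed blocks filled in.
ACL_PAPER = [
    AclEntry(NOC_BLOCK, ROUTER_BLOCK, dport=22),                    # permit tcp NOC ROUTER eq 22
    AclEntry(NOC_BLOCK, ROUTER_BLOCK, sport=22, established=True),  # permit tcp NOC eq 22 ROUTER established
]
# The alternative line proposed in the last post, modelled the same way.
ACL_PROPOSED = [AclEntry(ROUTER_BLOCK, NOC_BLOCK, sport=22, established=True)]

# Constructed packets as they arrive inbound at the router's control plane.
SSH_FROM_NOC = Packet("192.0.2.10", 51022, "198.51.100.1", 22)               # NOC opens SSH to the router
REPLY_TO_ROUTER = Packet("192.0.2.10", 22, "198.51.100.1", 40001, ack=True)  # NOC answers a router-initiated SSH
SYN_FROM_PORT_22 = Packet("192.0.2.10", 22, "198.51.100.1", 40001)           # new connection from port 22, no ACK
```

Only the second paper line admits the NOC's reply to a session the router opened, and it drops a fresh SYN spoofed from port 22; the proposed line, with the router block as source, never matches anything inbound because inbound control-plane packets are always sourced from the far end.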
