331 Views | 5 Helpful | 1 Reply

CoPP and management traffic

Matthew Burnley
Level 1

Good afternoon fellow Ciscorians.

I have configured CoPP to rate limit ICMP traffic and fragmented traffic to stop them saturating the RP via the control plane, and also to ignore the same traffic class from our trusted IP addresses. But I am wondering about management traffic such as Telnet and SSH. We have an access list on the VTY lines dropping traffic from untrusted sources on 22 and 23; I am wondering what the benefits are of employing a CoPP policy as well as the access list on the VTY lines?

Could an attack still saturate the RP with an access list dropping the untrusted traffic on the VTY lines? (6509-Sup720)

Matthew.

Accepted Solution

Akash Agrawal
Cisco Employee

Hi Matthew,

An access-list applied on an interface is applicable to all traffic, both data traffic (transit traffic) and control-plane traffic (destined to the router or punted to the RP), while CoPP is only applicable to traffic punted to the RP.

An access list will either permit or drop, but CoPP is a service-policy and you can rate-limit the traffic. So if we take the example of ICMP traffic, and the requirement is that we want to allow ICMP traffic to the router (ICMP is a useful tool to check reachability and latency) but not more than 500 kbps (to avoid any DDoS attack), in this case blocking ICMP with an ACL on the interface will not solve the purpose, but CoPP will do the job.

If you are blocking some traffic via ACL, it should not saturate the RP.

--Please don't forget to rate helpful posts--

Regards,

Akash
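The policy the accepted answer describes, written out as an added IOS configuration example; it is not configuration from the thread or from Cisco, and the ACL names, the 192.0.2.0/24 "trusted management" network and the 500 kbps / 32 kbps rates are placeholder values chosen for illustration. It shows the two mechanisms side by side: the VTY access-class that permits or drops, and a CoPP service-policy that rate-limits ICMP, fragments and management traffic from untrusted sources before it can saturate the RP. One caveat worth keeping in mind when deciding whether CoPP adds value on top of the VTY access-class: a `line vty` access-class is evaluated by the RP itself once the packet has already been punted, unlike an interface ACL processed in hardware, so on its own it does not bound the punt load; the COPP-MGMT-UNTRUSTED class below is what puts a ceiling on that traffic. The `deny` entries at the top of each CoPP ACL are the standard way to exempt trusted sources: a packet matching `deny` is simply not classified into that class and therefore is not policed.

```cisco
! ---- VTY protection: permit/drop only (constructed example) ----
ip access-list standard VTY-MGMT
 remark trusted management subnet (placeholder value)
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
!
! ---- CoPP classification ACLs (constructed example) ----
! ICMP: trusted hosts are exempt (deny = not matched by the class),
! everything else is classified and rate-limited.
ip access-list extended COPP-ICMP
 deny   icmp 192.0.2.0 0.0.0.255 any
 permit icmp any any
!
! Fragmented IP from anywhere except trusted hosts.
ip access-list extended COPP-FRAGMENTS
 deny   ip 192.0.2.0 0.0.0.255 any fragments
 permit ip any any fragments
!
! SSH/Telnet to the box from untrusted sources: the VTY access-class
! will still drop it, but this class caps how much of it reaches the RP.
ip access-list extended COPP-MGMT-UNTRUSTED
 deny   tcp 192.0.2.0 0.0.0.255 any eq 22
 deny   tcp 192.0.2.0 0.0.0.255 any eq 23
 permit tcp any any eq 22
 permit tcp any any eq 23
!
class-map match-any COPP-ICMP
 match access-group name COPP-ICMP
class-map match-any COPP-FRAGMENTS
 match access-group name COPP-FRAGMENTS
class-map match-any COPP-MGMT-UNTRUSTED
 match access-group name COPP-MGMT-UNTRUSTED
!
! ---- CoPP policy: rate limits, not permit/drop ----
policy-map COPP-POLICY
 class COPP-ICMP
  police 500000 8000 conform-action transmit exceed-action drop
 class COPP-FRAGMENTS
  police 32000 8000 conform-action transmit exceed-action drop
 class COPP-MGMT-UNTRUSTED
  police 32000 8000 conform-action transmit exceed-action drop
 class class-default
  police 1000000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

After applying it, `show policy-map control-plane` reports conform and exceed counters per class; a steadily climbing exceed counter on COPP-MGMT-UNTRUSTED or COPP-ICMP is the signal that something is hammering the control plane and that the policer, not the RP, is absorbing it. The class-default rate in the example is deliberately conservative and is a placeholder; size it for the routing-protocol and management traffic the box legitimately needs before deploying.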
