Control Plane Functions
- Builds the routing and forwarding tables for the data planes
- Runs at the process level
- Shares the main CPU with the slow data path processes and management processes
- By default, also shares the path (queue) to the main CPU
Threats
- Slow path denial-of-service attacks
- Routing protocol spoofing
CoPP
- permits or denies access to the control plane
- rate-limits access to the control plane
- Configured as a service policy on a virtual control plane interface
1) ACLs to identify the traffic flows seen by the control plane
ip access-list extended ICMP-CoPP
 permit icmp any any echo-reply
 permit icmp any any echo
ip access-list extended IPSec-CoPP
 permit udp any eq isakmp any eq isakmp
 permit esp any any
 permit gre any any
ip access-list extended Mgmt-CoPP
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit udp any any eq snmp
ip access-list extended Routing-CoPP
 permit tcp any eq bgp any established
 permit eigrp any host 224.0.0.10
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
2) Match the ACLs to class maps
class-map match-all ICMP-CoPP-MAP
 match access-group name ICMP-CoPP
class-map match-all IPSec-CoPP-MAP
 match access-group name IPSec-CoPP
class-map match-all Mgmt-CoPP-MAP
 match access-group name Mgmt-CoPP
class-map match-all Routing-CoPP-MAP
 match access-group name Routing-CoPP
3) Define a policy map to police traffic classes
policy-map CoPP-POLICY
 class ICMP-CoPP-MAP
  police 8000 conform-action transmit exceed-action drop
 class IPSec-CoPP-MAP
  police 64000 conform-action transmit exceed-action drop
 class Mgmt-CoPP-MAP
  police 64000 conform-action transmit exceed-action drop
 class Routing-CoPP-MAP
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 8000 conform-action transmit exceed-action drop
4) Apply the policy map to the control plane as an input service policy
control-plane
 service-policy input CoPP-POLICY
CoPP Verification
show policy-map control-plane
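Added example, not part of the original notes: a small Python parser for the counters that show policy-map control-plane prints per class, which flags classes where the policer is dropping a large share of packets. The sample output is constructed to follow the usual IOS MQC layout and may differ from what a given platform or IOS release prints.

```python
import re

# Constructed sample of "show policy-map control-plane" output (not captured
# from a real device); the layout follows the usual IOS MQC counter format.
SAMPLE_OUTPUT = """\
Control Plane
  Service-policy input: CoPP-POLICY
    Class-map: ICMP-CoPP-MAP (match-all)
      Match: access-group name ICMP-CoPP
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 1620 packets, 116640 bytes; actions:
          transmit
        exceeded 46593 packets, 3353696 bytes; actions:
          drop
    Class-map: Routing-CoPP-MAP (match-all)
      Match: access-group name Routing-CoPP
      police:
          cir 128000 bps, bc 4000 bytes
        conformed 9120 packets, 620160 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)", re.M)
COUNTER_RE = re.compile(r"^\s*(conformed|exceeded)\s+(\d+)\s+packets", re.M)


def parse_copp_counters(output):
    """Return {class_name: {"conformed": n, "exceeded": n}} from the show output."""
    counters = {}
    # re.split with one capture group yields [preamble, name1, body1, name2, body2, ...]
    chunks = CLASS_RE.split(output)
    for name, body in zip(chunks[1::2], chunks[2::2]):
        counters[name] = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(body)}
    return counters


def flag_policer_drops(counters, max_drop_ratio=0.05):
    """Return classes whose exceeded (dropped) share is above max_drop_ratio.
    Heavy drops in ICMP-CoPP-MAP or class-default suggest a slow-path flood;
    in Routing-CoPP-MAP they mean the policer may be starving real routing traffic.
    """
    flagged = {}
    for name, c in counters.items():
        total = c.get("conformed", 0) + c.get("exceeded", 0)
        if total and c.get("exceeded", 0) / total > max_drop_ratio:
            flagged[name] = round(c["exceeded"] / total, 3)
    return flagged
```

Feed it the output of the show command from a scheduled collection run and alert on the flagged classes; a steadily climbing exceeded counter under Routing-CoPP-MAP is a signal to revisit the 128000 bps rate rather than a sign of attack.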