
CoPP - CPPr

NFP - NETWORK FOUNDATION PROTECTION


Control Plane Policing
Control Plane Protection

• Operating-plane concepts
  ◦ Planes: Management, Control, Data and Services (GRE/QoS/IPsec)
  ◦ The virtual Control Plane interface
  ◦ CPPr (virtual subinterfaces: host, transit, cef-exception)

• CoPP policy implementation
  ◦ Configure
  ◦ Apply
  ◦ Verify
  ◦ Tune
  Per-class policing variants used along the way:
  • Allow all packets
  • Drop all packets
  • Drop only the packets that exceed the "rate limit"

• CPPr policy implementation
  ◦ Port-Filter (closed ports)
  ◦ Queue-Threshold (per-protocol limiting)
Agenda
Cisco Network Foundation Protection (NFP)
Network device planes

[Diagram: FAST PATH = CEF; SLOW PATH = ROUTE PROCESSOR, which receives the packets that are "punted" to the CPU.]
Control and Data planes
CoPP – Control Plane Policing

MQC
(Cisco IOS Modular QoS CLI)
• Class-map
• Policy-map
• Service-policy

In practice, CoPP applies to the control and management planes (both terminate on the route processor).


CoPP – Control Plane Policing

CoPP treats the CPU as a single virtual interface:
R(config)#control-plane

CPPr subdivides the virtual control-plane interface into 3 virtual subinterfaces:
R(config)#control-plane [host | transit | cef-exception]
CoPP policy

1. Configure the CoPP policy
   a) ACL
   b) Class-map
   c) Policy-map

2. Apply the CoPP policy

3. Verify the CoPP policy

4. Tune the CoPP policy


CoPP policy – 1a: ACL

Routing: BGP (TCP/179), OSPF and EIGRP. LDP (TCP/646) and MSDP (TCP/639) may also be required (implementation specific). IS-IS cannot be classified here, as it is not an IP protocol.

Management: SSH (TCP/22), HTTP/HTTPS (TCP/80 and TCP/443), TFTP (UDP/69), SNMP (UDP/161), NTP (UDP/123), DNS (UDP/53), etc.

Normal: all other, less essential traffic that it may be convenient to rate-limit: ICMP (Time-Exceeded, Echo-Request, Echo-Reply, Packet-too-big, Port-unreachable, etc.), GRE traffic, IPsec, etc.

Undesirable: traffic that is explicitly harmful and/or malicious: IP fragments (they should never appear on the control plane), some TCP RESET segments, and other well-known attacks such as SQL-Slammer.

Catch-All-IP: the class that collects all remaining traffic destined to the RP that did not match any other class. It keeps that traffic out of class-default (the reason: class-default must also catch non-IP control traffic such as ARP, so its policer is left at transmit).

• Classification is not inspection
• Do not use "log" or "log-input" in the ACLs used with MQC for CoPP
• Keep the deny/permit semantics in mind:
  deny → no match, evaluation continues with the next class
  permit → match, the packet is placed in this class and leaves classification
CoPP policy – 1a: ACL (routing)

Routing – ACL 120

!-- ACL for the CoPP Routing class-map
!
access-list 120 permit tcp any gt 1024 <ROUTER_IP_ADDR> eq bgp
access-list 120 permit tcp any eq bgp <ROUTER_IP_ADDR> gt 1024 established
access-list 120 permit tcp any gt 1024 <ROUTER_IP_ADDR> eq 639
access-list 120 permit tcp any eq 639 <ROUTER_IP_ADDR> gt 1024 established
access-list 120 permit tcp any <ROUTER_IP_ADDR> eq 646
access-list 120 permit udp any <ROUTER_IP_ADDR> eq 646
access-list 120 permit ospf any <ROUTER_IP_ADDR>
access-list 120 permit ospf any host 224.0.0.5
access-list 120 permit ospf any host 224.0.0.6
access-list 120 permit eigrp any <ROUTER_IP_ADDR>
access-list 120 permit eigrp any host 224.0.0.10
access-list 120 permit udp any any eq pim-auto-rp
---etc--- for any other permitted routing protocols...
!
CoPP policy – 1a: ACL (mgmt)

Management – ACL 121

!-- ACL for the CoPP Management class-map
!
access-list 121 permit tcp <NOC block> <ROUTER_IP_ADDR> eq telnet
access-list 121 permit tcp <NOC block> eq telnet <ROUTER_IP_ADDR> established
access-list 121 permit tcp <NOC block> <ROUTER_IP_ADDR> eq 22
access-list 121 permit tcp <NOC block> eq 22 <ROUTER_IP_ADDR> established
access-list 121 permit udp <NOC block> <ROUTER_IP_ADDR> eq snmp
access-list 121 permit tcp <NOC block> <ROUTER_IP_ADDR> eq www
access-list 121 permit tcp <NOC block> <ROUTER_IP_ADDR> eq 443
access-list 121 permit tcp <NOC block> <ROUTER_IP_ADDR> eq ftp
access-list 121 permit tcp <NOC block> <ROUTER_IP_ADDR> eq ftp-data
access-list 121 permit udp <NOC block> <ROUTER_IP_ADDR> eq syslog
access-list 121 permit udp <DNS block> eq domain <ROUTER_IP_ADDR>
access-list 121 permit udp <NTP block> <ROUTER_IP_ADDR> eq ntp
---etc--- for other known management traffic...
!
CoPP policy – 1a: ACL (normal)

Normal – ACL 122

!-- ACL for the CoPP Normal class-map
!
access-list 122 permit icmp any <ROUTER_IP_ADDR> echo
access-list 122 permit icmp any <ROUTER_IP_ADDR> echo-reply
access-list 122 permit icmp any <ROUTER_IP_ADDR> ttl-exceeded
access-list 122 permit icmp any <ROUTER_IP_ADDR> packet-too-big
access-list 122 permit icmp any <ROUTER_IP_ADDR> port-unreachable
access-list 122 permit icmp any <ROUTER_IP_ADDR> unreachable
access-list 122 permit pim any any
access-list 122 permit igmp any any
access-list 122 permit gre any any
---etc--- all other known-good traffic...
!
CoPP policy – 1a: ACL (Undesirable)

Undesirable – ACL 123

!-- ACL for the CoPP Undesirable class-map
!
access-list 123 permit icmp any any fragments
access-list 123 permit udp any any fragments
access-list 123 permit tcp any any fragments
access-list 123 permit ip any any fragments
access-list 123 permit udp any any eq 1434
access-list 123 permit tcp any any eq 639 rst
access-list 123 permit tcp any any eq bgp rst
---etc--- all other known-bad traffic...
!
CoPP policy – 1a: ACL (Catch-All IP)

Catch-All IP – ACL 124

!-- ACL for the CoPP Catch-All class-map
!
access-list 124 permit tcp any any
access-list 124 permit udp any any
access-list 124 permit icmp any any
access-list 124 permit ip any any
!
CoPP policy – 1b: Class-Map (syntax)

In the MQC, class-map defines the name of a class. It contains one or more match clauses that state the classification mechanisms used to place traffic in the class:

• match access-group = ACL (standard or extended, numbered or named; some IOS versions do not accept names)
• match ip dscp / match ip precedence = TOS/DSCP field
• match protocol arp = ARP traffic

SYNTAX
R(config)# class-map [match-any | match-all] class-name
R(config-cmap)# match [access-group | protocol | ip precedence | ip dscp]
CoPP policy – 1b: Class-Map (config)

R(config)# class-map [match-any | match-all] class-name
R(config-cmap)# match [access-group | protocol | ip precedence | ip dscp]

!
!-- CoPP Routing class-map
class-map match-all ROUTING_CM
 match access-group 120
!
!-- CoPP Management class-map
class-map match-all MGMT_CM
 match access-group 121
!
!-- CoPP Normal class-map
class-map match-all NORMAL_CM
 match access-group 122
!
!-- CoPP Undesirable class-map
class-map match-all INDESEABLE_CM
 match access-group 123
!
!-- CoPP Catch-All-IP class-map
class-map match-all CATCHALLIP_CM
 match access-group 124
CoPP policy – 1c: Policy-Map (syntax)

In the MQC, policy-map defines the name of a service policy. It contains one or more class clauses naming the classes defined earlier, together with the traffic actions that apply to each of them:

• police = defines the traffic policy (rate, bursts and actions)

SYNTAX
R(config)# policy-map <policy name>
R(config-pmap)# class <class name>
R(config-pmap-c)# police [cir | rate] conform-action [transmit | drop] exceed-action [transmit | drop]
  ... (one class clause per class) ...
R(config-pmap)# class class-default

The classes of the policy are walked in order until a match is found, and evaluation stops there. All traffic that matches no class belongs to class-default.

Legacy form of the same command (rate, normal burst and maximum burst):
R(config-pmap-c)# police <bps> <burst-normal> <burst-max> conform-action [transmit | drop] exceed-action [transmit | drop]
CoPP policy – 1c: Policy-Map (syntax)

Variations depending on the IOS version:

policy-map CoPP
 class ONE
  police 10000 1500 1500 conform-action transmit exceed-action transmit
 class TWO
  police 10000 1500 1500 conform-action transmit exceed-action transmit
 class THREE
  police 10000 1500 1500 conform-action transmit exceed-action drop
!
policy-map CoPP
 class ONE
 class TWO
 class THREE
  police 10000 1500 1500 conform-action transmit exceed-action drop
!
policy-map CoPP
 class ONE
  police 10000 1500 1500 conform-action drop exceed-action drop
 class TWO
  police 10000 1500 1500 conform-action transmit exceed-action drop
!
policy-map CoPP
 class ONE
  drop
 class TWO
  police 10000 1500 1500 conform-action transmit exceed-action drop
CoPP policy – 1c: Policy-Map (config)

R(config)# policy-map COPP_PM
R(config-pmap)# class <class name>
R(config-pmap-c)# police [cir | rate] conform-action [transmit | drop] exceed-action [transmit | drop]

!
policy-map COPP_PM
 class INDESEABLE_CM
  police 8000 1500 1500 conform-action drop exceed-action drop
 class ROUTING_CM
  police 1000000 50000 50000 conform-action transmit exceed-action transmit
 class MGMT_CM
  police 100000 20000 20000 conform-action transmit exceed-action drop
 class NORMAL_CM
  police 50000 5000 5000 conform-action transmit exceed-action drop
 class CATCHALLIP_CM
  police 50000 5000 5000 conform-action transmit exceed-action drop
 class class-default
  police 8000 1500 1500 conform-action transmit exceed-action transmit
!

Class order matters: INDESEABLE_CM comes first so that fragments and RST segments aimed at the BGP port are dropped before ROUTING_CM could admit them. class-default is left at transmit because non-IP control traffic (ARP, for example) ends up there.
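The two points above (deny in a classification ACL means "not this class, keep going", and the first class in policy-map order wins) are easy to get wrong on a live router. The following is an added example, not code from the original slides: a small Python model of MQC classification over a subset of ACLs 120-124 with constructed packets. ROUTER_IP stands in for <ROUTER_IP_ADDR> and NOC_BLOCK for <NOC block>; the fragment handling is a stated simplification, not the full IOS fragment-matching rule.

```python
"""Model of MQC classification for the COPP_PM policy-map on the slides.

Added example, not code from the original slides. IOS walks the classes of a
policy-map in order and places a packet in the first class whose ACL *permits*
it; a 'deny' line (or the implicit deny at the end of an ACL) drops nothing, it
only means "not this class, try the next one". Addresses, ACL subset and
packets are constructed. Simplification (assumed): a non-initial fragment has
no L4 header, so only ACEs with 'fragments' or with no L4 test can match it.
"""
import ipaddress
from dataclasses import dataclass

ROUTER_IP = "192.0.2.1"          # stands in for <ROUTER_IP_ADDR>
NOC_BLOCK = "198.51.100.0/24"    # stands in for <NOC block>


@dataclass(frozen=True)
class Packet:
    proto: str                       # tcp, udp, icmp, ospf, arp, ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    fragment: bool = False           # True = non-initial IP fragment
    flags: frozenset = frozenset()   # TCP flags set, e.g. {"syn"}, {"ack"}, {"rst"}


def _addr(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port(cond, value):              # cond: () = any, ("eq", n) or ("gt", n)
    if not cond:
        return True
    op, n = cond
    return value == n if op == "eq" else value > n


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto 'ip' matches every IP protocol."""
    permit: bool
    proto: str
    src: str = "any"
    dst: str = "any"
    sport: tuple = ()
    dport: tuple = ()
    established: bool = False        # tcp ... established (ACK or RST set)
    rst: bool = False                # tcp ... rst
    fragments: bool = False          # ... fragments (non-initial fragments only)

    def matches(self, p):
        if p.proto == "arp":         # ARP is not IP: an IP ACL never sees it
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (_addr(self.src, p.src) and _addr(self.dst, p.dst)):
            return False
        has_l4 = bool(self.sport or self.dport or self.established or self.rst)
        if p.fragment:
            return self.fragments or not has_l4
        if self.fragments:
            return False
        return (_port(self.sport, p.sport) and _port(self.dport, p.dport)
                and (not self.established or bool(p.flags & {"ack", "rst"}))
                and (not self.rst or "rst" in p.flags))


def acl_permits(acl, p):
    """First matching ACE decides; deny or no match = 'not in this class'."""
    for ace in acl:
        if ace.matches(p):
            return ace.permit
    return False


# Subset of ACLs 120-124 from the slides; order below is the COPP_PM class order.
ROUTING_ACL = [
    Ace(True, "tcp", "any", ROUTER_IP, ("gt", 1024), ("eq", 179)),
    Ace(True, "tcp", "any", ROUTER_IP, ("eq", 179), ("gt", 1024), established=True),
    Ace(True, "ospf", "any", ROUTER_IP),
]
MGMT_ACL = [
    Ace(True, "tcp", NOC_BLOCK, ROUTER_IP, dport=("eq", 22)),
    Ace(True, "udp", NOC_BLOCK, ROUTER_IP, dport=("eq", 161)),
]
NORMAL_ACL = [Ace(True, "icmp", "any", ROUTER_IP)]
UNDESIRABLE_ACL = [
    Ace(True, "ip", fragments=True),
    Ace(True, "udp", dport=("eq", 1434)),            # SQL Slammer
    Ace(True, "tcp", dport=("eq", 179), rst=True),   # RST aimed at the BGP port
]
CATCHALL_ACL = [Ace(True, "ip")]

COPP_PM = [("INDESEABLE_CM", UNDESIRABLE_ACL), ("ROUTING_CM", ROUTING_ACL),
           ("MGMT_CM", MGMT_ACL), ("NORMAL_CM", NORMAL_ACL),
           ("CATCHALLIP_CM", CATCHALL_ACL)]


def classify(p):
    """Return the class that polices p; what no class permits is class-default."""
    for name, acl in COPP_PM:
        if acl_permits(acl, p):
            return name
    return "class-default"


SAMPLES = {   # constructed packets, all addressed to the router's CPU
    "bgp_syn": Packet("tcp", "203.0.113.2", ROUTER_IP, 40000, 179, flags=frozenset({"syn"})),
    "bgp_rst": Packet("tcp", "203.0.113.2", ROUTER_IP, 40000, 179, flags=frozenset({"rst"})),
    "bgp_frag": Packet("tcp", "203.0.113.2", ROUTER_IP, fragment=True),
    "ssh_from_noc": Packet("tcp", "198.51.100.7", ROUTER_IP, 50000, 22, flags=frozenset({"syn"})),
    "ssh_from_elsewhere": Packet("tcp", "203.0.113.9", ROUTER_IP, 50000, 22, flags=frozenset({"syn"})),
    "ping": Packet("icmp", "203.0.113.9", ROUTER_IP),
    "slammer": Packet("udp", "203.0.113.9", ROUTER_IP, 1234, 1434),
    "arp": Packet("arp", "192.0.2.2", ROUTER_IP),
}


def classify_all(samples=SAMPLES):
    return {name: classify(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, cls in classify_all().items():
        print(f"{name:20s} -> {cls}")
```

Two results are worth noting. SSH from outside the NOC block is not dropped by the MGMT ACL's implicit deny; it simply falls through to CATCHALLIP_CM and is rate-limited there, which is exactly what the Catch-All class is for. A RST to port 179 would also match ROUTING_CM, but it lands in INDESEABLE_CM because that class is listed first; reordering the classes would silently change the action.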
CoPP policy – 2: Applying the Policy-Map

R(config)# control-plane
R(config-control-plane)# service-policy input COPP_PM
CoPP policy – 3: Policy-Map verification

SHOW / DEBUG COMMANDS

R#show running-config

R#show access-list

R#show class-map

R#show policy-map

R#show policy-map control-plane

R#debug control-plane ?
  all                   All events on all control-plane interfaces
  host                  All events on control-plane host interface
  log                   Control-plane packet logging events
  management-interface  management-interface events
  port-filtering        TCP/IP Port filtering events
  queue-thresholding    TCP/IP protocol queue-thresholding events
  <cr>
CoPP policy – 3: Policy-Map verification

SHOW COMMANDS
R#show running-config
...
class-map match-all ROUTING_CM
 match access-group name ROUTING_ACL
class-map match-all MGMT_CM
 match access-group name MGMT_ACL
class-map match-all NORMAL_CM
 match access-group name NORMAL_ACL
class-map match-all INDESEABLE_CM
 match access-group name INDESEABLE_ACL
class-map match-all CATCHALLIP_CM
 match access-group name CATCHALLIP_ACL
!
policy-map COPP_PM
 class INDESEABLE_CM
  police 8000 1000 1000 conform-action drop exceed-action drop violate-action drop
 class ROUTING_CM
  police 8000 1000 2000 conform-action transmit exceed-action transmit violate-action transmit
 class MGMT_CM
  police 8000 1000 2000 conform-action transmit exceed-action drop violate-action drop
 class NORMAL_CM
  police 8000 1000 2000 conform-action transmit exceed-action drop violate-action drop
 class CATCHALLIP_CM
  police 8000 1000 2000 conform-action transmit exceed-action drop violate-action drop
 class class-default
  police 8000 1000 2000 conform-action transmit exceed-action transmit violate-action transmit
!
ip access-list extended CATCHALLIP_ACL
ip access-list extended INDESEABLE_ACL
ip access-list extended MGMT_ACL
ip access-list extended NORMAL_ACL
ip access-list extended ROUTING_ACL
!
control-plane host
!
control-plane
 service-policy input COPP_PM

This lab configuration uses named ACLs (the entries are omitted on the slide) where the earlier slides used numbered ACLs 120-124, and the 8000 bps rates are lab values chosen to make the counters move, not production rates. The three-action form (violate-action) is what IOS shows once a maximum burst (be) is configured.
CoPP policy – 4: Tuning the Policy-Map

ACLs
Check the hit counts!

CLASS-MAPs
Group traffic so that the impact of each type can be seen; split a class into several if necessary.
# show policy-map control-plane
 Class-map: MGMT_CM (match-all)
   29 packets, 2610 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: access-group name MGMT_ACL
   police:
     cir 8000 bps, bc 1000 bytes, be 2000 bytes
     conformed 29 packets, 2610 bytes; actions:
       transmit
     exceeded 0 packets, 0 bytes; actions:
       drop
     violated 0 packets, 0 bytes; actions:
       drop
     conformed 0 bps, exceed 0 bps, violate 0 bps

POLICY-MAPs
Initially all actions can be set to transmit (instead of drop) to measure the impact of each limit before enforcing it.
How policing works

R(config-pmap-c)# police <bps> <burst-normal> <burst-max> conform-action [transmit | drop] exceed-action [transmit | drop]

Worked example from the slide with burst-normal = 2 and burst-max = 4, one token consumed per PDU:

#   Tokens/PDU   Normal burst   Excess burst   Compounded excess   Max    Action
0   1            2              0              0                   4      -
1   1            1              0              0                   4      Tx
2   1            0              0              0                   4      Tx
3   1            0              1              1                   3      Tx
4   1            0              2              3                   0      Tx
5   1            0              3/2            6/0                 0/4    Drop
6   1            0              3              3                   1      Tx
7   1            0              4/3            7/0                 0/4    Drop
8   1            0              4              4                   0      Tx

Rows 5 and 7 carry two values (before/after) because on a drop the compounded excess is reset to zero and the dropped packet's excess is not charged.

R(config-pmap-c)# police 1 2 4 conform-action transmit exceed-action drop

Policing: examples
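The table above follows the older CAR-style "compounded debt" accounting. The `police <cir> <bc> <be>` command used in the COPP_PM lab, whose counters appear in `show policy-map control-plane`, is modelled by the single-rate three-colour policer (RFC 2697). The following is an added example, not code from the slides: a simulation of those two token buckets driven by a constructed packet trace at the lab values cir 8000 bps, bc 1000 bytes, be 2000 bytes, mapped onto the per-class actions of COPP_PM. The trace and bucket sizes are constructed; this model is not expected to reproduce the rows of the slide's table, which use a different algorithm.

```python
"""Single-rate, three-colour policer (RFC 2697 srTCM), the model behind
`police <cir> <bc> <be>` and the conformed / exceeded / violated counters of
`show policy-map control-plane`.

Added example, not code from the original slides. Two token buckets: C of size
bc and E of size be, both refilled at cir; C is filled first and the overflow
spills into E. Bucket sizes and the packet trace are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class Policer:
    cir_bps: int                 # committed rate, bits per second
    bc: int                      # committed burst, bytes (bucket C)
    be: int                      # excess burst, bytes (bucket E)
    last_t: float = 0.0          # time of the last refill, seconds
    c_tokens: float = field(init=False)
    e_tokens: float = field(init=False)
    counts: dict = field(default_factory=lambda: {"conform": 0, "exceed": 0, "violate": 0})

    def __post_init__(self):
        self.c_tokens = float(self.bc)   # both buckets start full
        self.e_tokens = float(self.be)

    def _refill(self, now):
        # Tokens accrue at cir/8 bytes per second; C first, overflow into E.
        new = (now - self.last_t) * self.cir_bps / 8.0
        self.last_t = now
        to_c = min(new, self.bc - self.c_tokens)
        self.c_tokens += to_c
        self.e_tokens = min(float(self.be), self.e_tokens + (new - to_c))

    def police(self, now, size):
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.c_tokens >= size:
            self.c_tokens -= size
            colour = "conform"
        elif self.e_tokens >= size:
            self.e_tokens -= size
            colour = "exceed"
        else:
            colour = "violate"       # neither bucket can pay: no tokens consumed
        self.counts[colour] += 1
        return colour


# conform / exceed / violate actions per class, as in the lab COPP_PM
ACTIONS = {
    "INDESEABLE_CM": ("drop", "drop", "drop"),
    "ROUTING_CM": ("transmit", "transmit", "transmit"),
    "MGMT_CM": ("transmit", "drop", "drop"),
    "NORMAL_CM": ("transmit", "drop", "drop"),
    "CATCHALLIP_CM": ("transmit", "drop", "drop"),
    "class-default": ("transmit", "transmit", "transmit"),
}
COLOUR_INDEX = {"conform": 0, "exceed": 1, "violate": 2}


def action_for(class_name, colour):
    return ACTIONS[class_name][COLOUR_INDEX[colour]]


# Constructed trace: (arrival time in seconds, size in bytes).
# 7 back-to-back packets at t=0, 3 more one second later, one large one at t=4.
TRACE = [(0.0, 500)] * 7 + [(1.0, 500)] * 3 + [(4.0, 1500)]


def run_trace(cir=8000, bc=1000, be=2000, trace=TRACE):
    """Police the trace at the lab values (cir 8000 bps, bc 1000 B, be 2000 B)
    and return (colour per packet, counters)."""
    p = Policer(cir, bc, be)
    return [p.police(t, size) for t, size in trace], p.counts


if __name__ == "__main__":
    colours, counts = run_trace()
    for (t, size), colour in zip(TRACE, colours):
        print(f"t={t:.1f}s {size:5d} B -> {colour:8s} MGMT_CM: {action_for('MGMT_CM', colour)}")
    print(counts)
```

At t=0 the first two 500-byte packets drain bucket C (1000 bytes), the next four drain bucket E (2000 bytes), and the seventh has nothing left to pay with and is violated. One second later only 1000 bytes have accrued, all of them into C, so two packets conform and the third is violated again; by t=4 both buckets are full again and the 1500-byte packet is admitted as exceed. Under MGMT_CM's actions only the conforming packets are transmitted; under ROUTING_CM all of them are, which is the "measure first, then drop" approach the tuning slide recommends.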
CPPr – Control Plane Protection

Control Plane Protection characteristics (CPPr was introduced in Cisco IOS Release 12.4(4)T):
• CPPr requires CEF; CoPP can work without CEF.
• Inbound IPv4 paths only.
• ACLs cannot be configured directly on the subinterfaces; everything goes through the Modular QoS CLI (MQC): class-map / policy-map / service-policy.
• The PORT-FILTER and QUEUE-THRESHOLD features only support TCP/IP-based protocols.
• Not supported on distributed platforms or on switching platforms.
• IP packets with options and packets with TTL <= 1 are sent to the CEF-EXCEPTION subinterface.
• Some services may not be detected automatically by the PORT-FILTER (i.e. they are not listed in the output of "show control-plane host open-ports"). If so, they must be added manually to the active port-filter class-map so that they are unblocked.
• There are no restrictions on the aggregate control-plane (CoPP) policing policies. Note only that the new policies configured on the host subinterface do not process ARP traffic, which is sent to the cef-exception and aggregate interfaces.

A#show control-plane host open-ports
Active internet connections (servers and established)
Prot   Local Address   Foreign Address   Service       State
tcp    *:22            *:0               SSH-Server    LISTEN
tcp    *:23            *:0               Telnet        LISTEN
udp    *:123           *:0               NTP           LISTEN
udp    *:4500          *:0               ISAKMP        LISTEN
udp    *:500           *:0               ISAKMP        LISTEN
CPPr – Port Filter policy

class-map type port-filter [match-all | match-any] PF_CM
 match ?
   closed-ports   All the closed ports on the router
   not            Negate this match result
   port           TCP/UDP port number

policy-map type port-filter PF_PM
 class PF_CM
   drop   Drop Control Plane traffic
   exit   Exit from class action configuration mode
   log    Log IPv4 and ARP packets
   no     Negate or set default values of a command

control-plane [host | transit | cef-exception]
 service-policy type port-filter input PF_PM

Note that port-filter and queue-threshold policies are only accepted on the host subinterface (control-plane host); the other two subinterfaces take ordinary policing policies only.
CPPr – Queue Threshold policy

class-map type queue-threshold [match-all | match-any] QT_CM
 match protocol ?
   bgp             Border Gateway Protocol
   dns             Domain Name Server lookup
   ftp             File Transfer Protocol
   http            World Wide Web traffic
   igmp            Internet Group Management Protocol
   snmp            Simple Network Management Protocol
   ssh             Secure Shell Protocol
   syslog          Syslog Server
   telnet          Telnet
   tftp            Trivial File Transfer Protocol
 match host-protocols
 match not [protocol <name> | host-protocols]

policy-map type queue-threshold QT_PM
 class QT_CM
   queue-limit <packets>
   log

control-plane [host | transit | cef-exception]
 service-policy type queue-threshold input QT_PM

host-protocols is a wildcard for all open TCP/UDP protocol ports on the router that are not specifically matched and/or configured.
CPPr – Policy verification

R#show control-plane host features

Control plane host path features :
--------------------------------------------------------
Control-plane Policing activated Jan 16 2018 17:2
TCP/UDP Portfilter activated Jan 16 2018 18:3
Protocol Queue Thresholding activated Jan 16 2018 19:0
--------------------------------------------------------
R# show policy-map control-plane [host]
R# show policy-map type port-filter control-plane [host]
R# show policy-map type queue-threshold control-plane [host]