As per Cisco's website definition:
Control Plane Policing (CoPP) is a Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices. CoPP is designed to prevent unnecessary traffic from overwhelming the route processor that, if left unabated, could affect system performance.
Here's a sample configuration for applying Control Plane Policing (CoPP) on Cisco IOS routers.
Step 1: Create the necessary ACLs
a. Important services, e.g. NTP, SSH, SNMP
ip access-list extended SSH-ACL
 permit tcp host 192.168.10.10 any eq 22
 permit tcp host 192.168.20.20 any eq 22
 deny tcp any any eq 22
ip access-list standard SNMP-ACL
 permit 192.168.30.30
 permit 192.168.40.40
ip access-list standard NTP-ACL
 permit 172.16.18.2
 permit 172.16.18.3
b. ICMP
ip access-list extended ICMP-ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
c. IGP
ip access-list extended IGP-ACL
 permit ospf any any
 permit tcp 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255 eq bgp
 permit tcp 192.168.3.0 0.0.0.255 eq bgp 192.168.3.0 0.0.0.255
d. Harmful services or traffic
ip access-list extended HARMFUL-ACL
 permit tcp any any fragments
 permit udp any any fragments
 permit icmp any any fragments
 permit ip any any fragments
 permit udp any any range netbios-ns netbios-ss
 permit tcp any any eq 445
 permit udp any any eq 445
 permit udp any any eq 1434
 permit tcp any any range 137 139
e. All traffic
ip access-list extended ALL-ACL
 permit pim any any
 permit igmp any any
 permit icmp any any
 permit gre any any
 permit tcp any any
 permit udp any any
 permit ip any any
Step 2: Configure Class Maps
class-map match-any CoPP-SSH-SNMP-NTP
 match access-group name SSH-ACL
 match access-group name SNMP-ACL
 match access-group name NTP-ACL
class-map match-all CoPP-ICMP
 match access-group name ICMP-ACL
class-map match-all CoPP-IGP
 match access-group name IGP-ACL
class-map match-all CoPP-HARMFUL
 match access-group name HARMFUL-ACL
class-map match-all CoPP-ALL
 match access-group name ALL-ACL
Step 3: Configure the Policy Map (conform-action and exceed-action can be transmit or drop)
The police command takes either form below; the first uses positional values, the second the cir/bc/be keywords:
police [bps] [conform burst bytes] [excess burst bytes] conform-action [transmit|drop] exceed-action [transmit|drop]
police cir [bps] bc [conform burst bytes] be [excess burst bytes] conform-action [transmit|drop] exceed-action [transmit|drop]
Assumption: 5% excess burst (the burst values below are 5% of the target bit rate)
policy-map CoPP
 class CoPP-SSH-SNMP-NTP
  police 200000 10000 10000 conform-action transmit exceed-action transmit
 class CoPP-ICMP
  police 200000 10000 10000 conform-action transmit exceed-action transmit
 class CoPP-IGP
  police 500000 25000 25000 conform-action transmit exceed-action transmit
 class CoPP-HARMFUL
  police cir 40000 bc 2000 be 2000 conform-action transmit exceed-action drop
 class CoPP-ALL
  police 300000 15000 15000 conform-action transmit exceed-action transmit
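Before trusting a CoPP policy like the one above, it is worth checking three things that are easy to get wrong: every class in the policy-map refers to a class-map and ACL that actually exist, only the classes with exceed-action drop enforce anything (exceed-action transmit just counts), and the policy-map has actually been attached to the route processor with service-policy input under control-plane. The script below is an added example, not code from the original post or from Cisco; it parses an abridged copy of the page's configuration (SSH/SNMP, HARMFUL and ALL parts) and reports those findings. Because the page's configuration stops at the policy-map and never shows a control-plane stanza, the attachment check on that sample comes back false.

```python
"""Audit a Cisco IOS CoPP configuration (added example, not from the original post).

Parses ACL / class-map / policy-map text in the form shown above and reports what a
reviewer checks before trusting the policy: dangling references, which classes only
count (exceed-action transmit) versus enforce (exceed-action drop), and whether the
policy-map is attached under 'control-plane' at all.
"""
import re

# Abridged copy of the page's configuration (SSH/SNMP, HARMFUL and ALL parts only).
# Like the page, it has no 'control-plane' / 'service-policy input CoPP' stanza.
PAGE_CONFIG = """
ip access-list extended SSH-ACL
 permit tcp host 192.168.10.10 any eq 22
 deny tcp any any eq 22
ip access-list standard SNMP-ACL
 permit 192.168.30.30
ip access-list extended HARMFUL-ACL
 permit ip any any fragments
 permit tcp any any eq 445
ip access-list extended ALL-ACL
 permit ip any any
class-map match-any CoPP-SSH-SNMP-NTP
 match access-group name SSH-ACL
 match access-group name SNMP-ACL
class-map match-all CoPP-HARMFUL
 match access-group name HARMFUL-ACL
class-map match-all CoPP-ALL
 match access-group name ALL-ACL
policy-map CoPP
 class CoPP-SSH-SNMP-NTP
  police 200000 10000 10000 conform-action transmit exceed-action transmit
 class CoPP-HARMFUL
  police cir 40000 bc 2000 be 2000 conform-action transmit exceed-action drop
 class CoPP-ALL
  police 300000 15000 15000 conform-action transmit exceed-action transmit
"""

# Accepts both 'police <bps> <bc> <be> ...' and 'police cir <bps> bc <bc> be <be> ...'.
POLICE_RE = re.compile(
    r"police\s+(?:cir\s+)?(\d+)\s+(?:bc\s+)?(\d+)\s+(?:be\s+)?(\d+)"
    r"\s+conform-action\s+(\w+)\s+exceed-action\s+(\w+)$")

def parse_copp(text):
    """Return a dict of ACL names, class-map matches, policy-map policers and the attached policy."""
    cfg = {"acls": set(), "class_maps": {}, "policy_maps": {}, "control_plane_policy": None}
    section, current_class = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("ip access-list"):
            cfg["acls"].add(line.split()[-1])
            section = None                      # ACL entries themselves are not needed here
        elif line.startswith("class-map"):
            section = ("class-map", line.split()[-1])
            cfg["class_maps"][section[1]] = []
        elif line.startswith("policy-map"):
            section = ("policy-map", line.split()[-1])
            cfg["policy_maps"][section[1]] = {}
        elif line == "control-plane":
            section = ("control-plane",)
        elif section is None:
            continue
        elif section[0] == "class-map" and line.startswith("match access-group name"):
            cfg["class_maps"][section[1]].append(line.split()[-1])
        elif section[0] == "policy-map" and line.startswith("class "):
            current_class = line.split()[1]
            cfg["policy_maps"][section[1]][current_class] = None   # no policer seen yet
        elif section[0] == "policy-map" and line.startswith("police"):
            m = POLICE_RE.match(line)
            if m and current_class:
                cfg["policy_maps"][section[1]][current_class] = {
                    "cir": int(m[1]), "bc": int(m[2]), "be": int(m[3]),
                    "conform": m[4], "exceed": m[5]}
        elif section[0] == "control-plane" and line.startswith("service-policy input"):
            cfg["control_plane_policy"] = line.split()[-1]
    return cfg

def audit(cfg, policy_name):
    """Summarise the findings a reviewer would raise about one policy-map."""
    f = {"missing_class_maps": [], "missing_acls": [], "unpoliced_classes": [],
         "monitor_only_classes": [], "enforcing_classes": [],
         "attached": cfg["control_plane_policy"] == policy_name}
    for cls, pol in cfg["policy_maps"].get(policy_name, {}).items():
        if cls not in cfg["class_maps"]:
            f["missing_class_maps"].append(cls)
            continue
        f["missing_acls"] += [a for a in cfg["class_maps"][cls] if a not in cfg["acls"]]
        if pol is None:
            f["unpoliced_classes"].append(cls)      # class listed but no 'police' line
        elif pol["exceed"] == "drop":
            f["enforcing_classes"].append(cls)
        else:
            f["monitor_only_classes"].append(cls)   # exceed-action transmit only counts
    return f

if __name__ == "__main__":
    for key, value in audit(parse_copp(PAGE_CONFIG), "CoPP").items():
        print(f"{key}: {value}")
```

Run against the page's sample, the audit lists CoPP-HARMFUL as the only enforcing class, the other classes as monitor-only, and reports the policy as not attached; appending the control-plane stanza to the input turns the attachment finding to true. The parser only understands the line shapes used on this page (named extended/standard ACLs, match access-group name, and the two police forms), so other match criteria would need extending it.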
For CoPP best practices, you can refer to the official Cisco documentation: Cisco CoPP Best Practices