Pages

Monday, 1 March 2021

Control Plane Policing (CoPP)

Overview of Control Plane Policing (CoPP)

CoPP is a QoS feature used in security that rate-limits the traffic handled by the route processor (RP). CoPP is a modular QoS CLI (MQC) policy to rate-limit, drop and granularly permit traffic to or from the RP. The RP handles traffic that is categorized into three planes:

  • Data plane
  • Management plane
  • Control plane

The control plane is a collection of processes that run at the process level on the route processor (RP). These processes collectively provide high-level control over most IOS functions. All packets destined for the control plane pass through the central switch engine before they are forwarded to the process level. The control-plane and central switch engine are part of the RP.

Majority of traffic managed by the RP is handled by way of the control and management planes. Such traffic includes:

  • Routing protocol updates (IGP, BGP)
  • Management traffic such as SNMP, SSH, Telnet, NTP, HTTP(S), etc.
  • Traffic destined for a local IP address of the switch/router i.e., the local router or switch is the destination of the traffic.

Control-plane Policing (CoPP) provides rate-limiting and filtering capabilites to control the number of packets that have to be processed by the RP of a router or switch. This helps in reducing the load on a router’s RP at any given point in time. It helps protect the RP from denial-of-service (DoS) attacks, and other flooding attacks, reconnaisance attacks.

When implementing CoPP, it is important to rate-limit traffic on all interfaces destined for the local router. A logical interface exists on all routers called the control plane interface. Rate-limiting packets on this interface applies the rate-limit to all the physical interfaces. Quality of Service (QoS) and policing on the control plane interface rate-limits packets entering any interface to protect the RP.

Configuring CoPP

To implement CoPP, the following sequence of steps should be followed:

  1. Categorize network traffic into classes using Access Control List (ACLs).
  2. Create a Class Map (CM) to identify traffic to be policed (rate-limited).
  3. Create a Policy Map (PM) to define the action to take on identified traffic by implementing a defined policy.
  4. Create a Service Policy which specifies where to apply the policy map

CoPP is hardware-accelerated if the command mls qos is applied.

Categorize Network Traffic using ACLs

Traffic to be rate-limited needs to first be identified and categorized into different classes based on importance, function or protocol type.

ACLs are used to identify and classify traffic to be rate-limited. These classes include:

  • BGP
  • IGP
  • Critical applications
  • File management
  • Interactive management
  • Monitoring
  • Default
A separate ACL should be configured for each of these traffic categories. Each ACL should permit all known protocols in its class. Traffic for the default class should be configured to permit any other type of traffic e.g permit ip any any.

Extended ACLs are usually used for classifying traffic as they can be configured to match the traffic port/protocol numbers.

During categorization of traffic, it is important to note that traffic for certain classes such as SNMP, (T)FTP, GRE, is originated from known sources. In such cases, the ACE entries in these ACLs should explicitly define the source IP address. If the ports for these traffic sources is known, then the ACEs should be configured to permit traffic from these specific port numbers as well.

The different traffic categories include:

  • BGP: For maintaining BGP operations such as neighbor formation and maintenance, prefix exchange. BGP uses TCP port source port 179; when configuring ACE entries, the BGP port number or keyword bgp are valid high-level protocols for matching against.

    R1(config)#ip access-list extended ACL_COPP_BGP
    R1(config-ext-nacl)#remark BGP traffic
    R1(config-ext-nacl)#10 permit tcp any gt 1024 any eq bgp
    R1(config-ext-nacl)#20 permit tcp any gt 1024 any eq bgp established

  • IGP: traffic for formation and maintenance of IGP protocols such as EIGRP, OSPF, RIP. OSPF uses IP protocol number 89 and IPv4 multicast addresses 224.0.0.5 and 224.0.0.6 or IPv6 multicast address FF02::5 and FF02::6. EIGRP uses IP protocol number 88 and IPv4 multicast address 224.0.0.10 IPv6 multicast address FF02::A. The IP protocols can also be matched using the keywords eigrp or ospf.

    R1(config)#ip access-list extended ACL_COPP_IGP
    R1(config-ext-nacl)#10 permit ospf any host 224.0.0.5
    R1(config-ext-nacl)#20 permit ospf any host 224.0.0.6
    R1(config-ext-nacl)#30 permit ospf host 224.0.0.5 any
    R1(config-ext-nacl)#50 permit eigrp any host 224.0.0.10
    R1(config-ext-nacl)#60 permit eigrp host 224.0.0.10 any

  • Monitoring and Reporting: traffic for monitoring the switch or router such as ICMP, IP SLA.

    R1(config)#ip access-list extended ACL_COPP_MONITOR
    R1(config-ext-nacl)#10 permit icmp any any
    R1(config-ext-nacl)#10 permit icmp any any echo
    R1(config-ext-nacl)#20 permit icmp any any echo-reply
    R1(config-ext-nacl)#30 permit icmp any any unreachable
    R1(config-ext-nacl)#40 permit icmp any any port-unreachable

  • Interactive Management: traffic that is interactive in nature and is required for routine network operations such as SSH, Telnet, SNMP, NTP, TACACS. This type of traffic is usually low-volume.

    R1(config)#ip access-list extended ACL_COPP_INT_MGMT
    R1(config-ext-nacl)#remark Interactive file management
    R1(config-ext-nacl)#10 permit tcp host 10.20.2.1 host 10.1.10.1 eq 22
    R1(config-ext-nacl)#20 permit udp host 10.1.10.1 host 10.30.5.1 eq 161
    R1(config-ext-nacl)#30 permit udp host 10.1.10.1 host 10.30.5.1 eq 162
    R1(config-ext-nacl)#50 permit udp host 10.1.10.1 host 10.80.1.1 eq ntp

  • File Management: this type of traffic is used to transfer files. Protocols in this category include: TFTP, FTP. This type of traffic is usually high-volume.

    R1(config)#ip access-list ACL_COPP_FILE_MGMT
    R1(config-ext-nacl)#10 permit tcp any host 10.1.10.1 eq ftp
    R1(config-ext-nacl)#20 permit tcp host 10.1.10.1 eq ftp any
    R1(config-ext-nacl)#30 permit tcp any host 10.1.10.1 eq ftp-data established
    R1(config-ext-nacl)#40 permit tcp host 10.1.10.1 eq ftp-data any established

  • Critical applications: protocols in this category include GRE, HSRP, GLBP, DHCP, IPsec, VRRP, IGMP, multicast traffic.

    R1(config)#ip access-list extended ACL_COPP_CRITICAL_APPLICATIONS
    R1(config-ext-nacl)#remark Critical applications
    R1(config-ext-nacl)#10 permit udp host 0.0.0.0 host 255.255.255.255 eq bootpc
    R1(config-ext-nacl)#20 permit udp host 10.10.1.20 eq bootps any eq bootps
    R1(config-ext-nacl)#30 permit ip any host 22.0.0.2

    bootpc and bootps are the keywords for DHCP.

  • Undesirable: malicious traffic that should not be allowed to be processed by the RP. Such traffic may be generated by malware. The port numbers, transport protocol used etc of malware can only be known if the malware has has been profiled .
  • Default: traffic that does not fit into any of the above categories. This traffic should be rate-limited until some specific types within this category can be classified and grouped into newer groups or classified under existing (above) listed groups.

Create Class Maps to Define Traffic Class

Class maps are used to define classes of the traffic to be rate-limited. A class map may reference an ACL, protocol, IP Prec or IP DSCP values in a packet.

A separate class-map should be created for each of the configured ACLs for each traffic category. Class-maps have a default class-map that deals with traffic that is not explicitly defined. A separate class-map should be explicitly configured for the default traffic ACL.

  1. Define the class map name: using the command class-map <match-any | match-all> <class-map-name>. The matching instruction is match-any or match-all
    • match-any: traffic must match only one of the commands to be classified as part of the traffic class.
    • match-all: traffic must match all the match commands to be part of the traffic class. Care must be taken with match-all keyword as the traffic will have to match all characteristics in all the match commands.
  2. Specify how the traffic will be matched: using the command match [access-group [<acl-number> | name <acl>] | protocol | ip prec | ip dscp]
    • Access-group: reference the previously configured access control list match statement. ACL names are case sensitive.
    • Protocol: You can match by protocol instead of ACL; for example to match ARP packets; match protocol arp
    • IP Prec | IP dscp: to match against an IP packet's Precedence or DSCP fields

R1(config)#class-map match-all CM_COPP_BGP
R1(config-cmap)#match access-group name ACL_COPP_BGP
R1(config)#class-map match-all CM_COPP_CRITICAL_APPLICATIONS
R1(config-cmap)#match access-group name ACL_COPP_CRITICAL_APPLICATIONS
R1(config-cmap)#exit
R1(config)#class-map match-all CM_COPP_FILE_MGMT
R1(config-cmap)#match access-group name ACL_COPP_FILE_MGMT
R1(config-cmap)#exit
R1(config)#class-map match-all CM_COPP_IGP
R1(config-cmap)#match access-group name ACL_COPP_IGP
R1(config-cmap)#class-map match-all CM_COPP_INT_MGMT
R1(config-cmap)#match access-group name ACL_COPP_MGMT
R1(config-cmap)#class-map match-all CM_COPP_MONITOR
R1(config-cmap)#match access-group name ACL_COPP_MONITOR
R1(config-cmap)#class-map match-all CM_COPP_DEFAULT
R1(config-cmap)#match access-group name ACL_COPP_DEFAULT

Verification

R1#show class-map
Class Map match-all CM_COPP_INT_MGMT (id 5)
   Match access-group name  ACL_COPP_MGMT
                              
Class Map match-any class-default (id 0)
   Match any                  
                              
Class Map match-all CM_COPP_FILE_MGMT (id 3)
   Match access-group name  ACL_COPP_FILE_MGMT
                              
Class Map match-all CM_COPP_DEFAULT (id 7)
   Match access-group name  ACL_COPP_DEFAULT
                              
Class Map match-all CM_COPP_MONITOR (id 6)
   Match access-group name  ACL_COPP_MONITOR
                              
Class Map match-all CM_COPP_BGP (id 1)
   Match access-group name  ACL_COPP_BGP
                              
Class Map match-all CM_COPP_IGP (id 4)
   Match access-group name  ACL_COPP_IGP
                              
Class Map match-all CM_COPP_CRITICAL_APPLICATIONS (id 2)
   Match access-group name  ACL_COPP_CRITICAL_APPLICATIONS

Create Policy Maps to Define a Service Policy

Policy maps are used to define the rate-limit parameters of the classified traffic. Policy maps are used to associate the traffic class (defined with a class map) with one or more policies resulting in a service policy. To configure a policy map:

  1. Define the policy map name: using the command policy-map <service-policy-name>
  2. Reference a configured class map: using the command class <traffic-class-name>
  3. Define the rate-limit threshold and action: at which traffic will be rate-limited, and action to take for conformal traffic, and rate-limit violation using the command police <cir | rate> conform-action <transmit | drop> exceed-action <transmit | drop> violate-action <transmit | drop>

Each class-map should be associated with a policy map that permits all traffic. The policy for each class should be set as conform-action transmit exceed-action transmit.

Some control-plane policing rates along with recommended actions:

Class Rate(pps) Rate(bps) Conform action Exceed action
BGP 500 4000000 Transmit Drop
IGP 50 300000 Transmit Drop
Monitoring and reporting 125 900000 Transmit Drop
Interactive management 100 500000 Transmit Drop
File management 500 6000000 Transmit Drop
Critical applications 125 900000 Transmit Drop
Undesirable 100 0 Drop Drop
Default 100 1000000 Transmit Drop

R1(config)#policy-map PM_COPP
R1(config-pmap)#class CM_COPP_BGP
R1(config-pmap-c-police)#police cir 4000000 bc 4000000 be 4000000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#exit
R1(config-pmap)#class CM_COPP_IGP
R1(config-pmap-c)#police cir 300000 bc 60000 be 60000 c conform-action transmit exceed-action drop
R1(config-pmap-c-police)#exit
R1(config-pmap)#class CM_COPP_CRITICAL_APPLICATIONS
R1(config-pmap-c)#cir 900000 bc 180000 be 180000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#
R1(config-pmap-c-police)#exit
R1(config-pmap)#class CM_COPP_MONITOR
R1(config-pmap-c)#police cir 900000 bc 180000 be 180000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#exit
R1(config-pmap)#class CM_COPP_FILE_MGMT
R1(config-pmap-c)#police cir 6000000 bc 1200000 be 1200000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#exit
R1(config-pmap)#class CM_COPP_INT_MGMT
R1(config-pmap-c)#police cir 500000 bc 100000 be 100000 conform-action transmit exceed-action drop

Verification

R1#show policy-map
  Policy Map PM_COPP
    Class CM_COPP_IGP
     police cir 300000 bc 60000 be 60000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_INT_MGMT
     police cir 500000 bc 100000 be 100000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_BGP
     police cir 4000000 bc 800000 be 800000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_FILE_MGMT
     police cir 6000000 bc 1200000 be 1200000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_CRITICAL_APPLICATIONS
     police cir 900000 bc 180000 be 180000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_MONITOR
     police cir 90000 bc 18000 be 10800
       conform-action transmit
       exceed-action drop
       violate-action drop
R1#

The policy map configuration will protect a device's RP from being overwhelmed by control-plane traffic. For illustrative purposes, the following CIR rate for ICMP traffic will be made artificially low.

R1#show policy-map
  Policy Map PM_COPP
  !Output omitted for brevity
    Class CM_COPP_MONITOR
     police cir 90000 bc 18000 be 10800
       conform-action transmit
       exceed-action drop
       violate-action drop

R1#

Apply the Policy Map

A policy map can be applied to a single interface or all interfaces. Depending on your security model, you may wish to apply different policy-maps with different rates to all interfaces and other policies to specific interfaces for instance, the interface pointing to the Internet may have a more restrictive policing than that connected to the internal network.

Apply policy map to all interfaces

A router has a single control-plane interface. To apply the policy-map to all interfaces, enter the control-plane configuration mode and apply the policy-map;

R1(config)#control-plane
R1(config-cp)#service-policy input PM_COPP

The input keyword enforces the policy on ingress traffic.

Apply the policy-map to a single interface

To apply the policy-map to a single interface, enter the specific interface and configure the policy map using the service-policy interface command;

R1(config)#interface g0/0
R1(config-if)#service-policy input PM_COPP

Test and Verify Configuration

On a second device (another router or host device such as PC), you can test the control-plane policing by pinging.

R1#show policy-map control-plane
Control Plane
              
  Service-policy input: PM_COPP
              
    Class-map: CM_COPP_IGP (match-all)
      18 packets, 2312 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_IGP
      police:
          cir 300000 bps, bc 60000 bytes, be 60000 bytes
        conformed 18 packets, 2312 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: CM_COPP_INT_MGMT (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_MGMT
      police:
          cir 500000 bps, bc 100000 bytes, be 100000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: CM_COPP_BGP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_BGP
      police:
          cir 4000000 bps, bc 800000 bytes, be 800000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: CM_COPP_FILE_MGMT (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_FILE_MGMT
      police:
          cir 6000000 bps, bc 1200000 bytes, be 1200000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: CM_COPP_CRITICAL_APPLICATIONS (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_CRITICAL_APPLICATIONS
      police:
          cir 900000 bps, bc 180000 bytes, be 180000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: CM_COPP_MONITOR (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_MONITOR
      police:
          cir 90000 bps, bc 18000 bytes, be 10800 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: class-default (match-any)
      56 packets, 6556 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
              
R1#show policy-map
  Policy Map PM_COPP
    Class CM_COPP_IGP
     police cir 300000 bc 60000 be 60000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_INT_MGMT
     police cir 500000 bc 100000 be 100000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_BGP
     police cir 4000000 bc 800000 be 800000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_FILE_MGMT
     police cir 6000000 bc 1200000 be 1200000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_CRITICAL_APPLICATIONS
     police cir 900000 bc 180000 be 180000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_MONITOR
     police cir 90000 bc 18000 be 10800
       conform-action transmit
       exceed-action drop
       violate-action drop
              

Pinging from another Host

R2#ping 30.255.1.1 repeat 500 size 1500
Type escape sequence to abort.
Sending 500, 1500-byte ICMP Echos to 30.255.1.1, timeout is 2 seconds:
!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.
!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!
.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!
!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!
!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!
!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!
!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!
!!!!!!.!!!
Success rate is 93 percent (465/500), round-trip min/avg/max = 1/17/48 ms

CoPP rate-limiting can be observed to have taken effect.

R1#show policy-map control-plane
Control Plane  
                
  Service-policy input: PM_COPP
                
    Class-map: CM_COPP_IGP (match-all)
      40 packets, 4380 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_IGP
      police:    
          cir 300000 bps, bc 60000 bytes, be 60000 bytes
        conformed 40 packets, 4380 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: CM_COPP_INT_MGMT (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_MGMT
      police:    
          cir 500000 bps, bc 100000 bytes, be 100000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: CM_COPP_BGP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_BGP
      police:    
          cir 4000000 bps, bc 800000 bytes, be 800000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: CM_COPP_FILE_MGMT (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_FILE_MGMT
      police:    
          cir 6000000 bps, bc 1200000 bytes, be 1200000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: CM_COPP_CRITICAL_APPLICATIONS (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_CRITICAL_APPLICATIONS
      police:    
          cir 900000 bps, bc 180000 bytes, be 180000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: CM_COPP_MONITOR (match-all)
      500 packets, 757000 bytes
      5 minute offered rate 11000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_MONITOR
      police:    
          cir 90000 bps, bc 18000 bytes, be 10800 bytes
        conformed 465 packets, 704010 bytes; actions:
          transmit
        exceeded 35 packets, 52990 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 10000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: class-default (match-any)
      135 packets, 13264 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
R1#

Troubleshooting Control-Plane Policing

Troubleshooting control plane policing requires troubleshooting of the various components of CoPP i.e., access control lists, class maps, policy maps and service policies. When troubleshooting CoPP, consider;

ACLs

When troubleshooting ACLs for CoPP, focus on the following;

  • Verify correct source and destination addresses, protocols, port number, action (permit | deny): show access-list
  • Grouping: if grouping traffic types, ensure that they are grouped based on function; e.g. routing protocols (BGP, OSPF, EIGRP), management protocols (SSH, TELNET, HTTP(S), TFTP, SNMP, DNS, NTP).
  • Action: with CoPP, a permit action in an ACL means match the traffic and apply the policy. Deny means exclude the traffic from the class and move on to the next class.
  • Protocol: If the wrong protocol is specified in the ACL, the wrong type of traffic will be matched.
  • Source and destination: the correct source and destination ACLs should be applied. During troubleshooting, change IP address to any to see the effect.
  • Operators and Ports: Ensure correct ACL operator and port numbers are defined.
  • Avoid log and log-input ACL keywords for CoPP due to unexpected results in CoPP functionality.

Class Maps

  • Watch-out for the match-all and match-any commands.
  • Verify that the class-map is configured correctly show class-map. Verify correct instructions (match-any, match-all), correct ACL, protocol,IP prec, DSCP.

Policy Maps

When troubleshooting policy maps, consider;

  • Verify that the service policy is applied in the correct direction: show policy-map control-plane.
  • Verify that the policy-map is correctly configured; show policy-map
  • Check the correct class-map, rate or CIR, conform-action, exceed-action,correct order.
  • Order of operations: classes defined are processed from top to down.
  • Class-map: has the correct class-map been configured correctly.
  • Policy: Ensure the correct CIR in bps and rate in pps have been configured. In some IOS versions, if traffic that matches a class is to be dropped, replace police command with drop keyword.
  • Default-class: if traffic does not match any defined class, it will be subjected to conditions laid out in the default class.
  • Case: class names are case sensitive.

Service Policy

When troubleshooting the application of a service policy;

  • Correct interface: service policy can be applied only to one interface, the control-plane. If applying to a physical interface, ensure that the service policy is configured on the correct interface. Confirm with show policy-map interface <interface-name>
  • Direction: input for incoming packets. Confirm direction with; show policy-map control-plane. Not all IOS versions support output. For routing protocols, output CoPP would be for replies to queries / requests or ACKs. For ICMP; error or informational reply, for telnet, SSH, HTTP, SNMP replies or traps. Ensure the ACL and class-map are configured appropriately for replies.
  • Case: Policy maps are case-sensitive; verify with show policy-map control-plane
  • .

No comments: