ccie.nyquist.eu
Search…
Table of Contents
Layer 2 Technologies
Ethernet Switching
Layer 2 WAN Protocols
IPv4
IPv4 Addressing
IPv4 Routing
IPv6
IPv6-101
IPv6 Routing
Interconnecting IPv6 and IPv4
MPLS
MPLS 101
MPLS L3 VPN
Multicast
Multicast 101
PIM 101
IGMP 101
Inter Domain Multicast
IPv6 Multicast
Multicast features on switches
Security
NAT 101
NAT for Overlapping Networks
ACLs 101
ACLs 102
Cisco IOS Firewall
Zone Based Firewall
AAA 101
Controlling CLI Access
Control Plane
Switch Security
IPSec VPN 101
DMVPN 101
Network Services
NTP 101
HTTP 101
File Transfer 101 – TFTP & FTP
WCCP 101
QoS
QoS 101
Classification and Marking
Congestion Management
Congestion Avoidance – WRED
Policing and Shaping
Compression and LFI
Frame Relay QoS
RSVP 101
Switching QoS
Network Optimization
NetFlow 101 – TNF – Traditional NetFlow
NetFlow 102 – FNF – Flexible NetFlow
IP SLA 101
IP Accounting 101
Logging 101
SNMP and RMON 101
Cisco CLI Tips and Tricks
AutoInstall
Enhanced Object Tracking
Network Architecture
Hierarchical Network Architecture
Powered By GitBook
Control Plane

CoPP – Control Plane Policing

Control Plane Policing is used to apply policy maps to traffic going to or coming from the control plane. This feature also mitigates DoS attacks by filtering traffic that arrives at the processor. First, you should define a policy-map using MQC. Then, apply this policy map to the control-plane:
R(config)# control-plane
R(config-cp)# service-policy {input|output} POLICY-MAP

CoPPr – Control Plane Protection

Control Plane Protection is similar to the policing feature, except it offers a more granular access to the control plane functions. You still need to define a policy-map using MQC. But now you can apply it on a sub-interface of the virtual control-plane interface:
R(config)# control-plane {host|transit|cef-exception}
! host - controls traffic that is directly destined for one of the router interfaces
! transit - controls traffic that is software-switched
! cef-exception - controls traffic that cannot be switched by CEF
R(config-cp-transit)# service-polcy input POLICY-MAP

Layer 4 Port Protection

On the host subinterface you can use a special type of policy-map to deny access-to specific ports. First create the special class-map and policy-map:
R(config)# class-map type port-filter [match-all|match-any] PORT-FILTER-CLASS
R(config-cmap)# match [not] {closed-ports|port {tcp|udp} START-PORT [END-PORT]}
The closed-ports keyword should mean all ports that are not open on the control plane. Filtering traffic to the closed ports should spare the processor from unnecessary work. To see a list of open ports, use:
R# show control-plane host open-ports
Beware of the fact that some protocols (usually routing protocols) will not show up with open ports, so they should be specifically allowed if they are used. Then create the policy map:
R(config)# policy-map type port-filter PORT-FILTER-POLICY
R(config-pmap)# class PORT-FILTER-CLASS
R(config-pmap-c)# drop
In the end, apply it on the host subinterface:
R(config-cp-host)# service-policy type port-filter input PORT-FILTER-POLICY

Queue Threshold Protection

Similar to the previous feature, you can set how long the queue of the control-plane host subinterface can be. Follow these steps to define the class-map and the policy-map:
R(config)#class-map type queue-threshold [match-all|match-any] QUEUE-TH-CLASS
R(config-cmap)# match [not] {protocol [PROTOCOL]|host-protocols}
! host-protocols - any open TCP/UDP port on the router
R(config)# policy-map type queue-threshold QUEUE-TH-POLICY
R(config-pmap)# class QUEUE-TH-CLASS
R(config-pmap-c)# queue-limit LIMIT
Then, apply it on the host subinterface:
R(config-pmap-host)# service-policy type queue-threshold input QUEUE-TH-POLICY

Managenet Interfaces

Additionally, on the host subinterface, you can define what management protocols are allowed on each physical interface:
R(config-cp-host)# management-interface INTERFACE allow [PROTOCOL]

Control Plane Logging

For traffic that arrives at the control plane (that is traffic that is not cef-switched), the control-plane can limit the amount of logging it does. To enable this feature, first define a logging class-map and policy-map:
R(config)# class-map type logging match-all LOG-CLASS
! Match by input interface:
R(config-cmap)# match [not] input-interface INTERFACE
! Match on source or destination address
R(config-cmap)# match [not] ipv4 {destination-address|source-address} IP-ADDR
! Match on packet action
R(config-cmap)# match [not] packets {dropped|error|permitted}
R(config)# policy-map type logging LOG-POLICY
R(config-pmap)# class LOG-CLASS
R(config-pmap-c)# log [interval SEC|total-length|ttl]
! interval - logs packets at the specified interval
! total-length - logs also packet length
! ttl - logs also ttl value
Apply the logging policy-map to the control plane interface or one of its subinterfaces:
R(config)# control-plane [host|transit|cef-exception]
R(config-cp)# service-policy type logging input LOG-POLICY
Security - Previous
Controlling CLI Access
Next - Security
Switch Security
Last modified 10mo ago
Copy link
On this page
CoPP – Control Plane Policing
CoPPr – Control Plane Protection
Layer 4 Port Protection
Queue Threshold Protection
Managenet Interfaces
Control Plane Logging