Control Plane Policing: CCIE Security V4 Technology Labs Section 1: System Hardening and Availability
Control Plane Policing
Last updated: May 3, 2013
Task
Load the starting configuration files for this task.
Using Control Plane Policing, prevent R3 from being flooded with UDP DoS attack packets.
UDP packets should be limited to 16 Kbps.
Other traffic to the router should be left unimpeded.
Begin by taking a baseline: look at the CPU on R3 with nothing happening in the network.
R3#sh proc
R3#sh processes cpu sorted
CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 1%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
114 8 296567 0 0.55% 0.54% 0.54% 0 Ethernet Msec Ti
Next, on the Test PC, launch a UDP flood against R3's IP address using UDP Unicorn.
Now look at the CPU again.
R3#
R3#sh processes cpu sorted
CPU utilization for five seconds: 87%/29%; one minute: 65%; five minutes: 25%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
142 80924 7339 11026 55.95% 41.62% 15.64% 0 IP Input
As you can see, even this small flood has raised the CPU substantially, with IP Input now the busiest process. Now we
can deploy the policing configuration that the task requires.
Control Plane Policing uses the same Modular QoS CLI (MQC) building blocks as interface QoS: a class-map,
a policy-map, and a service-policy, except that the service-policy is attached under the control-plane
configuration mode rather than to an interface. Create the required elements and apply them to the
control plane as shown below.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip access-l extended UDP-Floods
R3(config-ext-nacl)#permit udp any any
R3(config-ext-nacl)#exit
R3(config)#class-map match-all UDP
R3(config-cmap)#match access-group name UDP-Floods
R3(config-cmap)#
R3(config-cmap)#policy-map 1.8
R3(config-pmap)#class UDP
R3(config-pmap-c)#police 16000 conform-action transmit exceed-action drop
R3(config-pmap-c-police)#exit
R3(config-pmap-c)#
R3(config-pmap-c)#control-plane
R3(config-cp)#serv
R3(config-cp)#service-policy input 1.8
R3(config-cp)#end
R3#
As you can see, the policy is being matched (show policy-map control-plane reports the class UDP counters and the policer's conform/exceed actions). Now look at the CPU again.
R3#sh processes cpu sorted
CPU utilization for five seconds: 56%/56%; one minute: 11%; five minutes: 10%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
114 4860 385470 12 3.67% 1.16% 0.68% 0 Ethernet Msec Ti
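Note what the numbers show: the five-second total is still 56%, but all of it is now interrupt-level (56%/56%), whereas during the unpoliced flood 58% of the 87% was process-level time consumed by IP Input. CoPP shields the process path (routing and management processes) but the dropped packets still cost interrupt time. To make that before/during/after comparison repeatable, here is a small parser for the three snapshots above; this is an added example, not part of the original lab write-up, and the snapshot text is transcribed from the outputs shown on this page.

```python
import re
from typing import NamedTuple

# "show processes cpu sorted" snapshots from R3, transcribed from the write-up above:
# baseline, during the UDP flood, and after the CoPP policy was applied.
BASELINE = """CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 1%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
114 8 296567 0 0.55% 0.54% 0.54% 0 Ethernet Msec Ti"""
FLOOD = """CPU utilization for five seconds: 87%/29%; one minute: 65%; five minutes: 25%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
142 80924 7339 11026 55.95% 41.62% 15.64% 0 IP Input"""
COPP = """CPU utilization for five seconds: 56%/56%; one minute: 11%; five minutes: 10%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
114 4860 385470 12 3.67% 1.16% 0.68% 0 Ethernet Msec Ti"""

HEADER = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
                    r"one minute: (\d+)%; five minutes: (\d+)%")
# PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process (process names may contain spaces)
PROC = re.compile(r"^\s*\d+\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%\s+\S+\s+(.+?)\s*$")

class CpuSnapshot(NamedTuple):
    total: int         # five-second total CPU, percent
    interrupt: int     # part of that spent at interrupt level (fast path, policer)
    one_min: int
    five_min: int
    top_process: str   # busiest process row in the sorted listing
    top_pct: float

    @property
    def process_level(self) -> int:
        # IOS prints total/interrupt; the difference is process-level time
        # (IP Input, routing and management processes), which is what CoPP shields.
        return self.total - self.interrupt

def parse_cpu(text: str) -> CpuSnapshot:
    hdr = HEADER.search(text)
    top = next((m for m in map(PROC.match, text.splitlines()) if m), None)
    if hdr is None or top is None:
        raise ValueError("unrecognised 'show processes cpu sorted' output")
    return CpuSnapshot(*map(int, hdr.groups()), top.group(2), float(top.group(1)))

def copp_verdict(during: CpuSnapshot, after: CpuSnapshot) -> str:
    """Judge the policer by what it is meant to protect: process-level CPU."""
    if after.process_level >= during.process_level:
        return "ineffective: process-level CPU did not fall"
    if after.interrupt >= 50:
        return "process path protected; interrupt load still high (packets still hit the policer)"
    return "process path protected"
```

Feed it two snapshots captured a few seconds apart while the flood is running to confirm the policer is doing its job rather than eyeballing the totals.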