CoPP
On our routers (or multilayer switches) we can use access-lists or firewalls (CBAC or zone
based) to permit/deny packets that go through or to the router.
We can also use policing to rate limit traffic that goes through our router.
What if we want to police traffic that is destined to the router? There are quite a few protocols
that produce packets that the router has to process:
The route processor inspects packets that these protocols generate on the control plane. When
the route processor receives too many packets, it’s possible that it can’t keep up and drops
packets.
When this happens, you’ll see things like flapping neighbor adjacencies or timeouts when
you try to connect with telnet/SSH to the router.
rACLs (Receive Access Control List): these are standard or extended ACL that
control traffic sent by line cards to the route processor. You only see this feature on
high-end routers like the Cisco 12000 series.
Control Plane Policing (CoPP): allows you to use MQC (Modular Quality of
Service) framework to permit/deny or rate-limit traffic that goes to the route
processor.
Control Plane Protection (CPPr): this is an extension of CoPP. One of the things it
does is separating the route processor into three sub-interfaces:
o host
o transit
o CEF exception
Configuration
To demonstrate CoPP, I use the following topology:
Here’s what we have:
Want to take a look for yourself? Here you will find the startup configuration of each device.
Control plane policing uses the MQC so that means we have to use class-maps and a policy-
map. In your class-maps, it’s best to match traffic on:
Let’s create some access-lists that match traffic on the control plane that we can use in our
class-maps:
R1(config)#class-map ICMP
R1(config-cmap)#match access-group name ICMP
R1(config)#class-map TELNET
R1(config-cmap)#match access-group name TELNET
R1(config)#class-map OSPF
R1(config-cmap)#match access-group name OSPF
R1(config)#class-map HSRP
R1(config-cmap)#match access-group name HSRP
R1(config)#policy-map COPP
R1(config-pmap)#class ICMP
R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
R1(config-pmap-c)#exit
R1(config-pmap)#class TELNET
R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
R1(config-pmap-c)#exit
R1(config-pmap)#class OSPF
R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
R1(config-pmap-c)#exit
R1(config-pmap)#class HSRP
R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
R1(config-pmap-c)#exit
In the policy-map, I add policers for 8000 bps and the conform-action and exceed-action are
both set to transmit. These policers will never drop anything but there is a good reason I
configure it like this.
When you configure CoPP for the first time, you don't know how many packets you receive
for each protocol. There is a risk that you deny legitimate traffic. It's best to permit
everything. Once you know how many packets are exceeding, change the values and set the
exceed action to drop.
We need to attach this policy-map to the control plane. We do this with the following
command:
R1(config)#control-plane
R1(config-cp)#?
Control Plane configuration commands:
exit Exit from control-plane configuration mode
no Negate or set default values of a command
service-policy Configure QOS Service Policy
When you choose the service-policy command, you have a couple of options:
R1(config-cp)#service-policy ?
input Assign policy-map to the input of an interface
output Assign policy-map to the output of an interface
type type of the policy-map
You can enable the policy-map in- or outbound. Type can be used if you want to log
incoming packets.
I want to police incoming traffic destined to the router so let's select the input option:
R1(config-cp)#service-policy input COPP
R1#
%CP-5-FEATURE: Control-plane Policing feature enabled on Control plane aggregate path
Ok nice, now what? Let’s figure out if our policy-map is working or not. I’ll generate some
traffic from H1. Let’s send some pings and try telnet:
H1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/10 ms
H1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
The output above is looking good; we see some matches in every class-map that we
configured and all traffic is conformed. In my lab, there isn’t much traffic.
In a production network, you might want to run it like this for a few days to see how much of
your traffic is conformed or exceeded.
What about the class-default class-map? This includes all layer two protocols. The only
layer two protocol you can assign to a different class-map is ARP. Everything else is assigned
to class-default.
Our policy-map is up and running but even exceeding traffic is permitted. Let's change the
exceed action of the policer in the ICMP class to drop:
R1(config)#policy-map COPP
R1(config-pmap)#class ICMP
R1(config-pmap-c)#police cir 8000 conform-action transmit exceed-action drop
The police rate is only 8000 bps so even some simple pings will be rate limited. Let's
generate some traffic from H1:
Above we can see that three packets exceeded and got dropped. You have now seen
everything you need to create control plane policing policy-maps for your routers.
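When you run the policy in "transmit everything" mode for a few days, the numbers you care about are the conformed and exceeded counters per class in the output of show policy-map control-plane. The following Python script is an added example (it is not part of this lesson and not Cisco code) that parses that output and lists the classes that have already exceeded their CIR while the exceed action is still transmit, i.e. the classes whose rates need a second look before you switch them to drop. The sample output is constructed to resemble the IOS layout and is not captured from R1; the class names and the 8000 bps rate are taken from the configuration above.

```python
"""Read `show policy-map control-plane` output and flag CoPP classes to tighten.

Added example, not from the lesson. The output format is assumed from the usual
IOS layout; adjust the regular expressions if your platform prints it differently.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output (not captured from the lab router R1).
SAMPLE_OUTPUT = """\
Control Plane

  Service-policy input: COPP

    Class-map: ICMP (match-all)
      20 packets, 2280 bytes
      Match: access-group name ICMP
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 17 packets, 1938 bytes; actions:
          transmit
        exceeded 3 packets, 342 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: TELNET (match-all)
      12 packets, 720 bytes
      Match: access-group name TELNET
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 10 packets, 600 bytes; actions:
          transmit
        exceeded 2 packets, 120 bytes; actions:
          transmit
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      5 packets, 300 bytes
      Match: any
"""


@dataclass
class ClassStats:
    name: str
    cir_bps: Optional[int]        # None when the class has no policer
    conformed: int
    exceeded: int
    conform_action: Optional[str]
    exceed_action: Optional[str]


CLASS_RE = re.compile(r"^\s*Class-map: (\S+)", re.M)
CIR_RE = re.compile(r"cir (\d+) bps")
# "conformed N packets, ... actions:\n   transmit" -> (N, action)
CONF_RE = re.compile(r"conformed (\d+) packets,.*?actions:\s*(\S+)", re.S)
EXC_RE = re.compile(r"exceeded (\d+) packets,.*?actions:\s*(\S+)", re.S)


def parse_copp(output: str) -> List[ClassStats]:
    """Split the output into one block per Class-map and extract the policer counters."""
    stats = []
    headers = list(CLASS_RE.finditer(output))
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(output)
        block = output[hdr.start():end]
        cir = CIR_RE.search(block)
        conf = CONF_RE.search(block)
        exc = EXC_RE.search(block)
        stats.append(ClassStats(
            name=hdr.group(1),
            cir_bps=int(cir.group(1)) if cir else None,
            conformed=int(conf.group(1)) if conf else 0,
            exceeded=int(exc.group(1)) if exc else 0,
            conform_action=conf.group(2) if conf else None,
            exceed_action=exc.group(2) if exc else None,
        ))
    return stats


def classes_to_tighten(stats: List[ClassStats]) -> List[str]:
    """Classes whose CIR is too low for the real traffic but still let the excess through."""
    return [s.name for s in stats if s.exceeded > 0 and s.exceed_action == "transmit"]


def classes_dropping(stats: List[ClassStats]) -> List[str]:
    """Classes that are already discarding traffic above the CIR."""
    return [s.name for s in stats if s.exceeded > 0 and s.exceed_action == "drop"]


if __name__ == "__main__":
    parsed = parse_copp(SAMPLE_OUTPUT)
    for s in parsed:
        print(f"{s.name:14} cir={s.cir_bps} conformed={s.conformed} "
              f"exceeded={s.exceeded} exceed-action={s.exceed_action}")
    print("review CIR before setting drop:", classes_to_tighten(parsed))
    print("already dropping excess:", classes_dropping(parsed))
```

In practice you would feed the script the real output (for example collected once a day over the observation period) instead of SAMPLE_OUTPUT; a class that keeps showing up in classes_to_tighten needs a higher CIR before its exceed action is changed to drop, otherwise you are about to police legitimate traffic such as your own OSPF hellos.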
Want to take a look for yourself? Here you will find the configuration of each device.
Conclusion
You have now learned how to use CoPP (Control Plane Policing) to rate limit packets to and
from the route processor on the control plane.
I hope you enjoyed this lesson. If you have any questions feel free to leave a comment!