Protect the Control Plane – part 2, CoPP.

05.06.2016

After proving that CPU utilization can easily be driven up by anyone at any time (as shown in the previous blog post, “Protect the Control Plane – part 1, trivial attack.”), I feel obliged to show how to quickly prevent the cause of potential network and service damage. I will use a Cisco Cat6500 as the example, but the technique and the idea apply to other vendors as well (if the vendor supports it). Cisco IOS, IOS XE and IOS XR provide the Control Plane Policing (CoPP) and Control Plane Protection (CPPr) mechanisms. Without going into detail yet: both techniques rely on policing unwanted traffic, but they differ in scope. CoPP applies the policing to the aggregate traffic going to the CPU, while CPPr makes the policing more granular and divides the traffic into three types (host, CEF-exception, transit). I will explain both approaches in detail later. Implementing CoPP/CPPr is like building QoS with the MQC (Modular QoS CLI).

To limit ICMP spikes,

1. Define the ICMP traffic with an ACL and a class map:

ip access-list extended CoPP_ICMP
 permit icmp any any
class-map match-all CoPP_ICMP
 match access-group name CoPP_ICMP

2. Define a policy map

policy-map CoPP
 class CoPP_ICMP
 police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action drop violate-action drop
 class class-default
 police cir 10000000 bc 312500 be 312500 conform-action transmit exceed-action transmit violate-action transmit

3. Apply

control-plane
 service-policy input CoPP

For testing we ran a regular Windows 7 ping and, simultaneously, large ICMP packets sourced from an ASA. The ASA output captured while CoPP was being applied clearly shows the moment:

[Figure: Control Plane Policing CoPP]

Note that the Windows ping is unaffected, because CoPP polices (rate-limits) the packets reaching the CPU rather than dropping all input traffic.
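To see why the regular ping survives while the flood is dropped, here is an added example (not from the original post, and not Cisco's implementation): a single-rate three-colour policer model (RFC 2697 style, an idealised version of what the Cat6500 does in hardware) run with the CoPP_ICMP values above, cir 32000 bc 1500 be 1500, against constructed traffic of a 1 pps 74-byte ping and a 100 pps flood of 1500-byte pings.

```python
from fractions import Fraction

class SrTcmPolicer:
    """Single-rate three-colour policer (RFC 2697 style): a committed bucket of bc bytes
    refilled at cir, plus an excess bucket of be bytes fed only by the committed bucket's
    overflow. Time is integer milliseconds and tokens are exact Fractions, so the result
    does not depend on floating-point rounding. Idealised model, not Cisco's code."""

    def __init__(self, cir_bps, bc, be):
        self.cir_bps, self.bc, self.be = cir_bps, bc, be
        self.tc, self.te = Fraction(bc), Fraction(be)  # both buckets start full
        self.last_ms = 0

    def _refill(self, now_ms):
        tokens = Fraction((now_ms - self.last_ms) * self.cir_bps, 8000)  # bits -> bytes
        self.last_ms = now_ms
        room = self.bc - self.tc
        self.tc += min(tokens, room)
        self.te = min(Fraction(self.be), self.te + max(Fraction(0), tokens - room))

    def colour(self, now_ms, size):
        """Return the colour of a size-byte packet arriving at now_ms."""
        self._refill(now_ms)
        if self.tc >= size:
            self.tc -= size
            return "conform"   # conform-action transmit
        if self.te >= size:
            self.te -= size
            return "exceed"    # exceed-action drop in the CoPP_ICMP class
        return "violate"       # violate-action drop

def police(policer, packets):
    """packets: (ts_ms, size_bytes, source) tuples; returns {source: {colour: count}}."""
    counts = {}
    for ts, size, src in sorted(packets):
        per_src = counts.setdefault(src, {"conform": 0, "exceed": 0, "violate": 0})
        per_src[policer.colour(ts, size)] += 1
    return counts

def copp_icmp_demo():
    """Constructed traffic (not a real capture) through the CoPP_ICMP policer from the
    post, cir 32000 bc 1500 be 1500: a 1 pps Windows-style ping of 74-byte frames next
    to a 100 pps flood of 1500-byte pings, both running for ten seconds."""
    win_ping = [(500 + 1000 * n, 74, "win") for n in range(10)]
    flood = [(10 * k, 1500, "flood") for k in range(1000)]
    return police(SrTcmPolicer(cir_bps=32000, bc=1500, be=1500), win_ping + flood)

if __name__ == "__main__":
    for src, c in copp_icmp_demo().items():
        print(src, c)
```

The 74-byte ping conforms every time, while all but a handful of the 1500-byte flood packets are dropped: a packet that needs more tokens than the committed bucket refills between two arrivals can only pass on the accumulated burst.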

[Figure: Control Plane Policing CoPP]

Now, from the network core point of view, the CPU spike (the moment of the DoS) and the return to normal (the moment CoPP was applied) are clearly visible:

[Figure: Control Plane Policing CoPP]

And the policy-map counters show the conforming and the violating packets.

[Figure: ScreenShot150]

So far so good. Later I will concentrate on building a “best practice”, complete control plane security policy. It is worth underlining, though, that the policy above does not care about the remaining control plane traffic (class-default has transmit actions even for violating traffic).

Notice: Use CoPP and CPPr carefully. Using these techniques without the theoretical background can cause outages of network services, including management communication with the devices.

Author

Grandmetric