Configuring Software-Based CoPP
Creating a CoPP policy requires a good understanding of which control plane and
management plane protocols and services are in use. In addition, you must know the
packet rate that those protocols and services require. Too low a rate for a rate limit can
cause problems with passing normal traffic, and too high a rate can allow attacks to slip
through.
The recommended method to develop a good CoPP policy is to separate the different
protocols and services into groups based on relative importance.
The most common method is to define the five following groups of traffic classes: critical,
important, normal, undesirable, and default:
• Critical traffic class. Contains traffic that is critical to the operation of the switch and
network. Examples are routing protocol traffic, such as Open Shortest Path First
(OSPF) and Border Gateway Protocol (BGP). This traffic should not be rate-limited
or should have a high rate-limit value.
• Important traffic class. Contains traffic that is necessary for normal day-to-day
operations. This includes remote access (SSH and Telnet), network management
protocols (SNMP), and Network Time Protocol (NTP). This traffic should be rate-limited,
but with a relatively high value.
[Figure: software-based CoPP. The control plane interface sits between the forwarding plane (data plane) on the line cards and the CPU (control plane); the policy is attached with control-plane / service-policy input name.]
208 Chapter 13: Control Plane Policing
• Normal traffic class. Contains traffic that is expected, but not essential to, network
operation. This includes ICMP echo requests and ICMP TTL exceeded. This traffic
should be rate-limited, but with a low rate to avoid misuse.
• Undesirable traffic class. Contains traffic that is identified as bad. This traffic should
always be dropped.
• Default traffic class. Contains traffic that has not been classified. This traffic class
should be monitored to see if it contains any traffic that should be moved to another
class. This traffic should be rate-limited to avoid misuse.
The first thing to do is to create ACLs that match the traffic for the different classes. You
need only four ACLs because the default class picks up everything that the first four classes
do not. Example 13-7 shows how these ACLs might look.
Example 13-7 ACLs Used to Classify Traffic
access-list 120 remark CoPP ACL for critical traffic
! allow BGP from a known peer to this router's BGP TCP port
access-list 120 permit tcp host 47.1.1.1 host 10.9.9.9 eq bgp
! allow BGP from a peer's BGP port to this router
access-list 120 permit tcp host 47.1.1.1 eq bgp host 10.9.9.9
access-list 120 permit tcp host 10.86.183.120 host 10.9.9.9 eq bgp
access-list 120 permit tcp host 10.86.183.120 eq bgp host 10.9.9.9
access-list 121 remark CoPP Important traffic
! permit return traffic from TACACS host
access-list 121 permit tcp host 1.1.1.1 host 10.9.9.9 established
! ssh access to the router from a subnet
access-list 121 permit tcp 10.0.0.0 0.0.0.255 host 10.9.9.9 eq 22
! telnet access to the router from a subnet
access-list 121 permit tcp 10.86.183.0 0.0.0.255 any eq telnet
! SNMP access from the NMS host to the router
access-list 121 permit udp host 1.1.1.2 host 10.9.9.9 eq snmp
! allow the router to receive NTP packets from a known clock source
access-list 121 permit udp host 1.1.1.3 host 10.9.9.9 eq ntp
access-list 122 remark CoPP normal traffic
! permit router originated traceroute
access-list 122 permit icmp any any ttl-exceeded
access-list 122 permit icmp any any port-unreachable
! permit receipt of responses to router originated pings
access-list 122 permit icmp any any echo-reply
! allow pings to router
access-list 122 permit icmp any any echo
access-list 123 remark explicitly defined "undesirable" traffic
! permit, for policing, all traffic destined to UDP 1434
access-list 123 permit udp any any eq 1434
Implementing Software-Based CoPP 209
The next step is to create class maps that tie the ACLs into a traffic class. A class map can
combine many ACLs into one traffic class but, in this case, you have one-to-one mapping,
as Example 13-8 shows.
You now tie the class maps into a policy map where you can assign rate limits to the
different classes, as Example 13-9 shows.
The CoPP policy is then attached to the control plane interface:
Switch(config)#control-plane
Switch(config-cp)#service-policy input CoPP
To monitor the status of control plane traffic and how it is being rate-limited, use the show
policy-map control-plane command, as Example 13-10 shows.
Example 13-8 Defining the Class Maps and Tying Them to the Previously Defined ACLs
class-map CoPP-critical
match access-group 120
class-map CoPP-important
match access-group 121
class-map CoPP-normal
match access-group 122
class-map CoPP-undesirable
match access-group 123
Example 13-9 Creating the Policy Map and Assigning Rate Limits
! This policy allows all critical traffic to be always transmitted
! regardless of the rate. Other traffic is rate limited except for traffic defined
! as undesirable, which is always dropped.
policy-map CoPP
class CoPP-critical
police 31500000 conform-action transmit exceed-action transmit
class CoPP-important
police 125000 3906 3906 conform-action transmit exceed-action drop
class CoPP-normal
police 64000 2000 2000 conform-action transmit exceed-action drop
! This policy drops all traffic categorized as undesirable, regardless of rate.
class CoPP-undesirable
police 32000 1500 1500 conform-action drop exceed-action drop
! This class picks up all other traffic
class class-default
police 1000000 31250 31250 conform-action transmit exceed-action drop
Example 13-10 Displaying the Status of CoPP (Catalyst 6500 Running IOS 12.2(18)SXF)
Switch#show policy-map control-plane
Control Plane Interface
  Service-policy input: CoPP
    Class-map: CoPP-critical (match-all)
      372 packets, 28103 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 120
      police:
        cir 31500000 bps, bc 984375 bytes
        conformed 372 packets, 28103 bytes; action: transmit
        exceeded 0 packets, 0 bytes; action: transmit
        conformed 0 bps, exceed 0 bps
    Class-map: CoPP-important (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 121
      police:
        cir 125000 bps, bc 3906 bytes
        conformed 0 packets, 0 bytes; action: transmit
        exceeded 0 packets, 0 bytes; action: drop
        conformed 0 bps, exceed 0 bps
    Class-map: CoPP-normal (match-all)
      5 packets, 570 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 122
      police:
        cir 64000 bps, bc 2000 bytes
        conformed 5 packets, 570 bytes; action: transmit
        exceeded 0 packets, 0 bytes; action: drop
        conformed 0 bps, exceed 0 bps
    Class-map: CoPP-undesirable (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 123
      police:
        cir 32000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; action: drop
        exceeded 0 packets, 0 bytes; action: drop
        violated 0 packets, 0 bytes; action: drop
        conformed 0 bps, exceed 0 bps, violate 0 bps
    Class-map: class-default (match-any)
      10891 packets, 1077701 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      police:
        cir 1000000 bps, bc 31250 bytes
        conformed 10900 packets, 1079262 bytes; action: transmit
        exceeded 0 packets, 0 bytes; action: drop
        conformed 1000 bps, exceed 0 bps
Example 13-10 shows how much traffic has been rate-limited and forwarded and the
current rate limits. On a hardware-based platform, the output shows both the hardware-based
and software-based CoPP rate limiters.
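As an added example (not code from the book), the following Python parses output in the Example 13-10 format into per-class policer counters, computes the time window each class's bc covers at its cir, and lists classes whose policer has dropped packets, which is the monitoring the default and undesirable classes call for. The sample output is constructed and abridged, and the alert rule is an assumption.

```python
"""Parse IOS 'show policy-map control-plane' output (Example 13-10 format)
and flag CoPP classes worth a look. Added example, not the book's code;
the sample below is constructed and abridged, the alert rule an assumption."""
import re

# Constructed, abridged sample: bad traffic hit CoPP-undesirable, and some
# class-default packets exceeded the policer (both under action: drop).
SAMPLE = """\
Class-map: CoPP-undesirable (match-all)
cir 32000 bps, bc 1500 bytes, be 1500 bytes
conformed 17 packets, 1020 bytes; action: drop
Class-map: class-default (match-any)
cir 1000000 bps, bc 31250 bytes
conformed 10800 packets, 1070000 bytes; action: transmit
exceeded 91 packets, 7701 bytes; action: drop
"""

CLASS_RE = re.compile(r"Class-map: (\S+)")
CIR_RE = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
CNT_RE = re.compile(r"(conformed|exceeded|violated) (\d+) packets, \d+ bytes; action: (\w+)")

def parse_copp(text):
    """Return {class: {'cir': bps, 'bc': bytes, 'conformed': (pkts, action), ...}}."""
    classes, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := CLASS_RE.match(line):
            cur = classes.setdefault(m.group(1), {})
        elif m := CIR_RE.search(line):
            cur["cir"], cur["bc"] = int(m.group(1)), int(m.group(2))
        elif m := CNT_RE.match(line):
            cur[m.group(1)] = (int(m.group(2)), m.group(3))
    return classes

def burst_seconds(cls):
    """Seconds of traffic at cir that the configured bc allows (bc*8/cir)."""
    return cls["bc"] * 8 / cls["cir"]

def findings(classes):
    """Packets that hit a drop action: policed overflow in most classes, or,
    in CoPP-undesirable (conform-action drop), the bad traffic really arriving."""
    out = []
    for name, c in classes.items():
        for bucket in ("conformed", "exceeded", "violated"):
            pkts, action = c.get(bucket, (0, "transmit"))
            if pkts and action == "drop":
                out.append(f"{name}: {pkts} packets {bucket} and dropped")
    return out
```

Feed it the live command output instead of SAMPLE; the bc values in Example 13-9 all work out to 250 ms of traffic at their cir, which is what burst_seconds reports.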