Control Plane Policing
As explained in Chapter 12, “Introduction to Denial of Service Attacks,” the control plane
is the most critical plane on a switch; a successful attack against it can potentially cause the
most damage.
To mitigate attacks against the control plane, control plane policing (CoPP) was introduced.
The idea is to inspect traffic destined to the control plane, to control what should be allowed,
and to control how much of that traffic to accept.
CoPP gives added benefit over traditional access control lists (ACL) implemented on port
level because it is now possible to specify which kind of flows are allowed but, at the same
time, make sure they do not overwhelm a CPU.
An added benefit is that it is possible to implement CoPP in the outbound direction, which
makes it possible to control the information that the switch sends out. This helps to mitigate
reconnaissance attacks.
Also, on high-end platforms, this inspection takes place in hardware, which makes it an
efficient process.
Figure 13-1 shows how a CoPP implementation looks on a distributed platform.
Figure 13-1 Control Plane Policing
[Figure labels: Control Plane; Management (SNMP, Telnet); Control Plane Policing, Input; Silent Mode (Reconnaissance Prevention); Input to the Control Plane; Processor Switched Packets; CEF/FIB Lookup]
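The two directions described above, as an added configuration sketch that is not taken from the original chapter: an input policy that permits and rate-limits management traffic to the control plane, and an output policy that suppresses ICMP port-unreachable replies (silent mode). It uses classic Cisco IOS MQC syntax; the ACL, class, and policy names, the 192.0.2.0/24 management subnet, and the police rates are constructed for illustration, and police syntax and supported match criteria vary by platform.

```cisco
! --- Input direction: what may reach the control plane, and how much ---
! In a CoPP ACL, "permit" means "classify into this class", not "forward".
ip access-list extended COPP-MGMT-ACL
 permit tcp 192.0.2.0 0.0.0.255 any eq telnet
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
!
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT-ACL
!
policy-map COPP-IN
 ! Management flows from the trusted subnet are allowed, but capped
 ! so that they cannot overwhelm the CPU (rate in bps, burst in bytes).
 class COPP-MGMT
  police 64000 8000 conform-action transmit exceed-action drop
 ! Everything else punted to the CPU gets a tighter budget.
 ! A production policy needs explicit classes for routing and
 ! Layer 2 control protocols ahead of class-default.
 class class-default
  police 32000 4000 conform-action transmit exceed-action drop
!
! --- Output direction: silent mode (reconnaissance prevention) ---
! Drop ICMP port-unreachable messages generated by the switch itself,
! so that probes of closed ports receive no reply.
ip access-list extended COPP-UNREACH-ACL
 permit icmp any any port-unreachable
!
class-map match-all COPP-UNREACH
 match access-group name COPP-UNREACH-ACL
!
policy-map COPP-OUT
 class COPP-UNREACH
  drop
!
! --- Attach both policies to the control plane ---
control-plane
 service-policy input COPP-IN
 service-policy output COPP-OUT
```

After applying, `show policy-map control-plane` displays per-class conformed and exceeded counters, which is the quickest way to check that the rates fit normal traffic before tightening them.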