Control Plane Policing (CPP)

Posted on by
Most of the traffic travels through the router via the data plane, but a RP must handle some things, like routing updates, or network management traffic, Control Plane Policing (CPP) (or CoPP for the 6500 implementation)), is a dedicated control plane and can be configured with MQC to provide filtering and policing.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html
</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Router>en</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Router#conf ter</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Enter configuration commands, one per line.  End with CNTL/Z.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Router(config)#hostname R2</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#int f1/0</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-if)#ip add 10.1.12.2 255.255.255.0</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-if)#no sh</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-if)#exit</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#do ping 10.1.12.1</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Type escape sequence to abort.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">.!!!!</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Success rate is 80 percent (4/5), round-trip min/avg/max = 8/58/116 ms</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#ip access-list ex 101</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-ext-nacl)#permit icmp any any</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-ext-nacl)#exit</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#class-map ICMP</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cmap)#ma access-group 101</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cmap)#exit</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#policy-map TEST</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-pmap)#class ICMP</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-pmap-c)#drop</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-pmap-c)#exit</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-pmap)#control-plane</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#?</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Control Plane configuration commands:</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">exit            Exit from control-plane configuration mode</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">no              Negate or set default values of a command</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">service-policy  Configure QOS Service Policy</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#service-policy in TEST</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#do show pol</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">*Feb 28 00:53:03.359: %CP-5-FEATURE: Control-plane Policing feature enabled on</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">ontrol plane aggregate path</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">icy-map</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#do show policy-map</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Policy Map TEST</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Class ICMP</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">drop</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#no service-policy in TEST</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#do deb ip icmp</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">ICMP packet debugging is on</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">*Feb 28 00:53:47.287: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">*Feb 28 00:53:47.351: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">*Feb 28 00:53:47.403: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">*Feb 28 00:53:47.411: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">*Feb 28 00:53:47.419: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#control-plane</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#service-policy in TEST</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">*Feb 28 00:53:56.139: %CP-5-FEATURE: Control-plane Policing feature enabled on</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">ontrol plane aggregate path</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config-cp)#do deb ip packet</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">IP packet debugging is on</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">R2(config)#do show policy-map control-plane all</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Control Plane</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Service-policy input: TEST</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Class-map: ICMP (match-all)</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">15 packets, 1710 bytes</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">5 minute offered rate 0 bps, drop rate 0 bps</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Match: access-group 101</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">drop</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Class-map: class-default (match-any)</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">14 packets, 1420 bytes</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">5 minute offered rate 0 bps, drop rate 0 bps</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Match: any</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">
So ICMP was silently dropped
You can use these amazing feature, to limit for exameple SYN destinated to the RP – Just a thought
Victor.-

Most of the traffic travels through the router via the data plane, but a RP must handle some things, like routing updates, or network management traffic, Control Plane Policing (CPP) (or CoPP for the 6500 implementation)), is a dedicated control plane and can be configured with MQC to provide filtering and policing.


Router
Router#conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int f1/0
R2(config-if)#ip add 10.1.12.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#
R2(config)#
R2(config)#do ping 10.1.12.1
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/58/116 ms

R2(config)#
R2(config)#ip access-list ex 101
R2(config-ext-nacl)#permit icmp any any
R2(config-ext-nacl)#exit
R2(config)#class-map ICMP
R2(config-cmap)#ma access-group 101
R2(config-cmap)#exit
R2(config)#policy-map TEST
R2(config-pmap)#class ICMP
R2(config-pmap-c)#drop
R2(config-pmap-c)#exit
R2(config-pmap)#control-plane
R2(config-cp)#?
Control Plane configuration commands:

exit            Exit from control-plane configuration mode
no              Negate or set default values of a command
service-policy  Configure QOS Service Policy
R2(config-cp)#service-policy in TEST
*Feb 28 00:53:03.359: %CP-5-FEATURE: Control-plane Policing feature enabled on
ontrol plane aggregate path

R2(config-cp)#do show policy-map
Policy Map TEST
Class ICMP
drop
R2(config-cp)#no service-policy in TEST
R2(config-cp)#do deb ip icmp
ICMP packet debugging is on
R2(config-cp)#
*Feb 28 00:53:47.287: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1
*Feb 28 00:53:47.351: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1
*Feb 28 00:53:47.403: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1
*Feb 28 00:53:47.411: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1
*Feb 28 00:53:47.419: ICMP: echo reply sent, src 10.1.12.2, dst 10.1.12.1
R2(config-cp)#
R2(config-cp)#
R2(config-cp)#control-plane
R2(config-cp)#service-policy in TEST
R2(config-cp)#
R2(config-cp)#
R2(config-cp)#

*Feb 28 00:53:56.139: %CP-5-FEATURE: Control-plane Policing feature enabled on
ontrol plane aggregate path

R2(config-cp)#
R2(config-cp)#do deb ip packet
IP packet debugging is on
R2(config)#do show policy-map control-plane all
Control Plane
Service-policy input: TEST
Class-map: ICMP (match-all)
15 packets, 1710 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 101
drop
Class-map: class-default (match-any)
14 packets, 1420 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

ICMP was silently dropped

You can use these amazing feature, to limit for exameple SYN destinated to the Route Processor – Just a thought

A Networker Blog

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s