How to configure CoPP template on Cisco devices

CoPP (Control Plane Policing) is used to protect the Route Processor (RP) of a Cisco device from unnecessary and malicious traffic. The traffic handled by the RP is divided into three functional planes: the data plane, the management plane and the control plane.
How do you identify control plane traffic? Simply put, it is traffic destined to the device itself, such as routing protocol traffic, SNMP, SSH, Telnet, NTP and so on.
Basically, you want to protect, reserve and rate-limit the communication paths to the device.
CoPP uses the MQC (Modular QoS CLI). See the template below.
Don't forget to apply the policy to the control-plane interface.

Configuring ACL

ip access-list extended CRITICAL_TRAFFIC
remark CoPP ACL for Critical traffic
permit ospf host [OSPF neighbor] any
permit pim any any
permit pim host [RP address] any
permit igmp any 224.0.0.0 15.255.255.255
! or, less strictly: permit igmp any any
permit tcp any any eq bgp
permit tcp any eq bgp any
deny   ip any any

ip access-list extended IMPORTANT_TRAFFIC
remark CoPP ACL for Important traffic
permit tcp host x.x.x.x eq tacacs any
permit tcp x.x.x.x 0.0.255.255 any eq 22
permit udp host x.x.x.x any eq snmp
permit udp host x.x.x.x eq ntp any
deny   ip any any

ip access-list extended NORMAL_TRAFFIC
remark CoPP ACL for Normal traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny   ip any any

ip access-list extended UNDESIRABLE_TRAFFIC
remark CoPP ACL for undesirable traffic
permit udp any any eq ntp
permit udp any any eq snmptrap
permit tcp any any eq 22
permit tcp any any eq telnet
permit eigrp any any
deny   ip any any

ip access-list extended DEFAULT_TRAFFIC
remark CoPP ACL for rest of the IP traffic
permit ip any any

Configuring Class-map

class-map match-all CoPP_CRITICAL
match access-group name CRITICAL_TRAFFIC

class-map match-any CoPP_IMPORTANT
match access-group name IMPORTANT_TRAFFIC
match protocol arp

class-map match-all CoPP_NORMAL
match access-group name NORMAL_TRAFFIC

class-map match-all CoPP_UNDESIRABLE
match access-group name UNDESIRABLE_TRAFFIC

class-map match-all CoPP_DEFAULT
match access-group name DEFAULT_TRAFFIC

Configuring policy-map

! The class statements must reference the class-map names defined above,
! not the ACL names. Rates are in bps, burst sizes in bytes; tune per platform.
policy-map CoPP_POLICY
class CoPP_CRITICAL
police 512000 8000    conform-action transmit     exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000    conform-action transmit     exceed-action drop
class CoPP_NORMAL
police 128000 2000    conform-action transmit     exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000    conform-action drop     exceed-action drop
class CoPP_DEFAULT
police 64000 1000    conform-action transmit     exceed-action drop

Applying

control-plane
service-policy input CoPP_POLICY
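The template above is a chain of references: each class-map must point at an ACL that exists, each class in the policy-map must name a class-map (not an ACL), and the policy-map must actually be applied under control-plane. A mistake in any link silently leaves traffic unpoliced, so it is worth checking the chain before pasting the template into a device. The following Python checker is an added example (not part of the original post or Cisco's tooling); it assumes IOS-style indentation (global lines unindented, sub-mode lines indented) and uses a constructed sample config, with made-up addresses, that contains one deliberate error of the kind described.

```python
"""Consistency checker for a CoPP template (added example, not from the post)."""

# Constructed sample: a trimmed CoPP template in the shape of the one above,
# with one deliberate mistake: the policy-map names the ACL (CRITICAL_TRAFFIC)
# where the class-map name (CoPP_CRITICAL) belongs. Addresses are made up.
SAMPLE_CONFIG = """\
ip access-list extended CRITICAL_TRAFFIC
 remark CoPP ACL for Critical traffic
 permit ospf host 192.0.2.2 any
 permit tcp any any eq bgp
 deny   ip any any
ip access-list extended DEFAULT_TRAFFIC
 permit ip any any
class-map match-all CoPP_CRITICAL
 match access-group name CRITICAL_TRAFFIC
class-map match-all CoPP_DEFAULT
 match access-group name DEFAULT_TRAFFIC
policy-map CoPP_POLICY
 class CRITICAL_TRAFFIC
  police 512000 8000 conform-action transmit exceed-action transmit
 class CoPP_DEFAULT
  police 64000 1000 conform-action transmit exceed-action drop
control-plane
 service-policy input CoPP_POLICY
"""


def parse_sections(config):
    """Group each indented line under the unindented global-config line above it."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def parse_copp(config):
    """Return (acls, class_maps, policy_maps, applied_policies) from IOS-style text."""
    acls, class_maps, policy_maps, applied = {}, {}, {}, []
    for header, body in parse_sections(config):
        words = header.split()
        if words[:3] == ["ip", "access-list", "extended"]:
            acls[words[3]] = body
        elif words[0] == "class-map":
            # class-map match-all|match-any NAME -> the named ACLs it matches on
            class_maps[words[-1]] = [
                b.split()[-1] for b in body if b.startswith("match access-group name ")
            ]
        elif words[0] == "policy-map":
            classes, current = {}, None
            for b in body:
                if b.startswith("class "):
                    current = b.split()[1]
                    classes[current] = None
                elif b.startswith("police ") and current is not None:
                    classes[current] = b
            policy_maps[words[1]] = classes
        elif header == "control-plane":
            applied.extend(
                b.split()[-1] for b in body if b.startswith("service-policy input ")
            )
    return acls, class_maps, policy_maps, applied


def lint_copp(config):
    """Report broken links in the ACL -> class-map -> policy-map -> control-plane chain."""
    acls, class_maps, policy_maps, applied = parse_copp(config)
    findings = []
    for cm, acl_names in class_maps.items():
        for acl in acl_names:
            if acl not in acls:
                findings.append(f"class-map {cm} matches undefined ACL {acl}")
    used = set()
    for pm, classes in policy_maps.items():
        for cls, police in classes.items():
            used.add(cls)
            if cls != "class-default" and cls not in class_maps:
                findings.append(f"policy-map {pm}: class {cls} is not a defined class-map")
            if police is None:
                findings.append(f"policy-map {pm}: class {cls} has no police statement")
    for cm in class_maps:
        if cm not in used:
            findings.append(f"class-map {cm} is not referenced by any policy-map")
    for pm in policy_maps:
        if pm not in applied:
            findings.append(f"policy-map {pm} is not applied under control-plane")
    return findings


if __name__ == "__main__":
    for line in lint_copp(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run against the sample it reports two findings: the policy-map class CRITICAL_TRAFFIC is not a class-map, and CoPP_CRITICAL is therefore never used, which is exactly what would make the critical class fall into the default policer on a real device. Feed it `show running-config | section access-list|class-map|policy-map|control-plane` output after pasting the template to confirm the chain is intact.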

* If CoPP is not supported, then try the receive ACL (rACL) below. Define the ACL first, then apply it to the receive path.

access-list 199 remark allow specific management plane traffic
access-list 199 deny ip any any fragments
access-list 199 permit tcp [management IP block] 0.0.0.255 any eq 22
access-list 199 permit udp host [SNMP host] any eq snmp
access-list 199 permit tcp host [TACACS host] eq tacacs any
access-list 199 permit udp host [NTP host] eq ntp any
access-list 199 permit icmp [management IP block] 0.0.0.255 any
access-list 199 remark specific control plane traffic
access-list 199 permit ospf host [OSPF neighbor] any
access-list 199 permit pim host [PIM neighbor] any
access-list 199 permit pim host [RP address] any
access-list 199 permit igmp any 224.0.0.0 15.255.255.255
access-list 199 permit tcp host [BGP neighbor] eq bgp host [local BGP address]
access-list 199 permit tcp host [BGP neighbor] host [local BGP address] eq bgp
access-list 199 remark all other traffic destined to the device is dropped
access-list 199 deny ip any any

ip receive access-list 199

** If neither CoPP nor the receive path filter (rACL) is supported, then create an ACL and apply it on each interface.

http://www.ipbalance.com/security/security-general/611-how-to-configure-copp-template-on-cisco-devices.html
