© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0 3-1
Cisco Network Foundation Protection: Securing the Control Plane

Router Control Plane

- A collection of processes
- Runs at the process level on the route processor

[Figure: the route processor hosts the control plane; packets are switched either by a central switch engine (legacy platforms) or by distributed switch engines on the line cards (distributed platforms).]

All IP packets that are destined for the control plane should pass through the central switch engine before they are forwarded to the process level.

Tools for Securing the Control Plane

- Control Plane Protection (CPPr) feature
- Control Plane Policing (CoPP)
- Cisco AutoSecure
- CPU and memory threshold notifications

Control Plane Protection

- A framework
- Provides for all policing and protection of the control plane
- Extends the CoPP functionality with finer granularity
- Three components: traffic classifier (CoPP), port filtering, queue thresholding

Control Plane Architecture with CPPr

[Figure: incoming packets pass through the Cisco Express Forwarding/FIB lookup and the input packet buffer, then the classify stage and aggregate CoPP, before reaching the control plane. The control plane is divided into the host subinterface, the transit subinterface and the Cisco Express Forwarding (cef-exception) subinterface. On the host subinterface the CPPr control feature path applies the port-filter (PF) policy, the queue-threshold (QT) policy and CoPP in front of the process-level applications such as BGP, OSPF, HTTP and SNMP. The output packet buffer feeds Cisco Express Forwarding on the way out.]

Configuring CPPr

1. Configure CoPP.
2. (Optional) Configure a port-filter policy.
3. (Optional) Configure a queue-threshold policy.

Example of CoPP

The ACL exempts the administrator's host from the policer and rate-limits Telnet and HTTP to the router from everyone else. Note that a deny entry in a CoPP ACL does not drop anything: packets it matches simply fall out of CP-class into class-default, which is why the administrator's host is listed with deny. Two specifics did not survive the transcript: the source address after "host" on the two deny statements, and the packet rate before "pps" on the police statement.

router(config)# ip access-list extended CP-acl
router(config-ext-nacl)# deny tcp host any eq telnet
router(config-ext-nacl)# deny tcp host any eq www
router(config-ext-nacl)# permit tcp any any eq telnet
router(config-ext-nacl)# permit tcp any any eq www
router(config-ext-nacl)# exit
router(config)# class-map match-any CP-class
router(config-cmap)# match access-group name CP-acl
router(config-cmap)# exit
router(config)# policy-map CP-policy
router(config-pmap)# class CP-class
router(config-pmap-c)# police rate pps conform-action transmit exceed-action drop
router(config-pmap-c-police)# exit
router(config-pmap-c)# exit
router(config-pmap)# exit
router(config)# control-plane host
router(config-cp-host)# service-policy input CP-policy
router(config-cp-host)# end

Configuring Port-Filter Policies

1. Define the port-filter packet classification criteria.
2. Define a port-filter service policy.
3. Apply the port-filter service policy to the host subinterface.

Example of Port Filtering

The class matches TCP and UDP ports on which the router has no open listener, so packets sent to closed ports are dropped before they consume process-level resources.

router(config)# class-map type port-filter match-all PF-class
router(config-cmap)# match closed-ports
router(config-cmap)# exit
router(config)# policy-map type port-filter PF-policy
router(config-pmap)# class PF-class
router(config-pmap-c)# drop
router(config-pmap-c)# exit
router(config-pmap)# exit
router(config)# control-plane host
router(config-cp-host)# service-policy type port-filter input PF-policy

Configuring a Queue-Threshold Policy

1. Define the queue-threshold packet classification criteria.
2. Define a queue-threshold service policy.
3. Apply the queue-threshold policy to the host subinterface.

Example of Queue Thresholding

The policy limits the number of BGP packets that may be queued toward the process level to 100; packets arriving beyond that limit are dropped.

class-map type queue-threshold match-all QT-class
 match protocol bgp
policy-map type queue-threshold QT-policy
 class QT-class
  queue-limit 100
control-plane host
 service-policy type queue-threshold input QT-policy

Verifying CPPr

router# show policy-map control-plane all
router# show policy-map type port-filter control-plane all
router# show policy-map type queue-threshold control-plane all

Verifying CPPr (Cont.)

router# show policy-map control-plane all

Control Plane Host

 Service-policy input: CP-policy

  Class-map: CP-class (match-any)
   0 packets, 0 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: access-group name CP-acl
     0 packets, 0 bytes
     5 minute rate 0 bps
   police:
       rate pps, burst packets
     conformed 0 packets; actions:
       transmit
     exceeded 0 packets; actions:
       drop
     conformed 0 pps, exceed 0 pps

  Class-map: class-default (match-any)
   904 packets, bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: any

Verifying CPPr (Cont.)

router# show policy-map type port-filter control-plane all

Control Plane Host

 Service-policy port-filter input: PF-policy

  Class-map: PF-class (match-all)
   0 packets, 0 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: closed-ports
   drop

  Class-map: class-default (match-any)
   1754 packets, bytes
   5 minute offered rate 1000 bps, drop rate 0 bps
   Match: any

Verifying CPPr (Cont.)

router# show policy-map type queue-threshold control-plane all

Control Plane Host

 Service-policy queue-threshold input: QT-policy

  Class-map: QT-class (match-all)
   0 packets, 0 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: protocol bgp
   queue-limit 100 queue-count 0 packets allowed/dropped 0/0

  Class-map: class-default (match-any)
   378 packets, bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: any
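The three show commands above are what an operator polls to know whether CPPr is actually doing work. As an added example, not part of the Cisco deck, the following Python script parses that output and flags the counters that matter in operations: CoPP policer exceeds, queue-threshold drops and packets arriving at closed ports. The sample output is constructed in the layout the slides show, with invented counter values; the regular expressions, the ClassStats fields and the alert rules are assumptions about this output format, so check them against the IOS release in use.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the layout the slides show; every counter value is invented.
SAMPLE = """\
Control Plane Host
 Service-policy input: CP-policy
  Class-map: CP-class (match-any)
   1204 packets, 72240 bytes
   5 minute offered rate 2000 bps, drop rate 1000 bps
   Match: access-group name CP-acl
     1204 packets, 72240 bytes
   police:
       rate 10 pps, burst 2 packets
     conformed 900 packets; actions:
       transmit
     exceeded 304 packets; actions:
       drop
  Class-map: class-default (match-any)
   904 packets, 54240 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: any
Control Plane Host
 Service-policy port-filter input: PF-policy
  Class-map: PF-class (match-all)
   37 packets, 2220 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: closed-ports
   drop
Control Plane Host
 Service-policy queue-threshold input: QT-policy
  Class-map: QT-class (match-all)
   4112 packets, 246720 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: protocol bgp
   queue-limit 100 queue-count 0 packets allowed/dropped 4100/12
"""

# Regexes are assumptions about this output format; verify them on the IOS release in use.
POLICY_RE = re.compile(r"Service-policy (?:(port-filter|queue-threshold) )?input: (\S+)")
CLASS_RE = re.compile(r"Class-map: (\S+) \((match-\w+)\)")
COUNT_RE = re.compile(r"(\d+) packets, (\d+) bytes")
CONF_RE = re.compile(r"conformed (\d+) packets")
EXC_RE = re.compile(r"exceeded (\d+) packets")
QT_RE = re.compile(r"allowed/dropped (\d+)/(\d+)")
MATCH_RE = re.compile(r"Match: (.+)$")


@dataclass
class ClassStats:
    policy: str
    policy_type: str            # "copp", "port-filter" or "queue-threshold"
    name: str
    packets: Optional[int] = None
    conformed: int = 0          # CoPP policer counters
    exceeded: int = 0
    qt_allowed: int = 0         # queue-threshold counters
    qt_dropped: int = 0
    matches: List[str] = field(default_factory=list)


def parse_control_plane(text: str) -> List[ClassStats]:
    """One ClassStats per class-map, across all three policy types."""
    stats: List[ClassStats] = []
    policy, ptype, cur = "", "copp", None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := POLICY_RE.search(line):
            ptype, policy, cur = (m.group(1) or "copp"), m.group(2), None
        elif m := CLASS_RE.search(line):
            cur = ClassStats(policy, ptype, m.group(1))
            stats.append(cur)
        elif cur is None:
            continue
        elif (m := COUNT_RE.search(line)) and cur.packets is None:
            cur.packets = int(m.group(1))   # first count is the class total; later ones belong to Match lines
        elif m := CONF_RE.search(line):
            cur.conformed = int(m.group(1))
        elif m := EXC_RE.search(line):
            cur.exceeded = int(m.group(1))
        elif m := QT_RE.search(line):
            cur.qt_allowed, cur.qt_dropped = int(m.group(1)), int(m.group(2))
        elif m := MATCH_RE.search(line):
            cur.matches.append(m.group(1).strip())
    return stats


def findings(stats: List[ClassStats]) -> List[Tuple[str, str, str]]:
    """(policy, class, reason) for every counter that deserves an operator's attention."""
    out = []
    for s in stats:
        if s.exceeded:
            out.append((s.policy, s.name, f"policer exceeded on {s.exceeded} packets: attack, or rate too low for legitimate traffic"))
        if s.qt_dropped:
            out.append((s.policy, s.name, f"queue threshold dropped {s.qt_dropped} packets"))
        if s.policy_type == "port-filter" and "closed-ports" in s.matches and s.packets:
            out.append((s.policy, s.name, f"{s.packets} packets to closed ports: scan, or a stale client"))
    return out


if __name__ == "__main__":
    for policy, cls, why in findings(parse_control_plane(SAMPLE)):
        print(f"{policy}/{cls}: {why}")
```

The counters are cumulative since the policy was applied or last cleared, so in practice you poll on a schedule and alert on the delta between polls rather than on the absolute value. A climbing exceed counter on a routing-protocol class is ambiguous: it may be an attack, or a policer rate set below what legitimate peers need, which will show up as neighbor flaps; check both before raising or lowering the rate.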

Summary

- A control plane is a collection of processes.
- Several tools are available for securing the control plane.
- CPPr is a framework.
- The control plane architecture consists of the control plane and its subinterfaces.
- CoPP configuration is a component of CPPr configuration.
- Port filtering is another component of CPPr.
- Queue thresholding is another component of CPPr.
- The show policy-map command is used to verify CPPr.
