Deploying Control Plane Policing
PROTECTING THE ROUTE PROCESSOR
A router can be logically divided into four functional components or planes:
1. Data Plane
2. Management Plane
3. Control Plane
4. Services Plane
The vast majority of traffic travels through the router via the data plane; however, the Route Processor must handle certain packets, such as routing updates, keepalives, and network management. This is often referred to as control and management plane traffic.
Because the Route Processor is critical to network operations, any service disruption to the Route Processor or the control and management planes can result in business-impacting network outages. A DoS attack targeting the Route Processor, which can be perpetrated either inadvertently or maliciously, typically involves high rates of punted traffic that result in excessive CPU utilization on the Route Processor itself. This type of attack, which can be devastating to network stability and availability, may display the following symptoms:
• High Route Processor CPU utilization (near 100%)
• Loss of line protocol keepalives and routing protocol updates, leading to route flaps and major network transitions
• Interactive sessions via the Command Line Interface (CLI) are slow or completely unresponsive due to high CPU utilization
• Route Processor resource exhaustion-resources such as memory and buffers are unavailable for legitimate IP data packets
• Packet queue backup, which leads to indiscriminate drops (or drops due to lack of buffer resources) of other incoming packets
CPP addresses the need to protect the control and management planes, ensuring routing stability, availability, and packet delivery.
It uses a dedicated control-plane configuration via the Modular QoS CLI (MQC) to provide filtering and rate limiting capabilities for control plane packets.
Figure 1 illustrates the flow of packets from various interfaces. Packets destined to the control plane are subject to control plane policy checking, as depicted by the control plane services block.
Figure 1. Packet Flow
COMMAND SYNTAX
CPP leverages MQC to define traffic classification criteria and to specify configurable policy actions for the classified traffic. Traffic of interest must first be identified via class-maps, which are used to define packets for a particular traffic class. Once classified, enforceable policy actions for the identified traffic are created with policy-maps. The control-plane global command allows the CP service policies to be attached to control plane itself.
There are four steps required to configure CPP:
1. Define a packet classification criteria
router(config)#class-map
router(config-cmap)#match
2. Define a service policy
router(config)#policy-map
router(config-pmap)#class
router(config-pmap-c)# policeconform-action exceed-action
cir Committed information rate (Bits per second)
rate Specify policy rate in packets per second (pps)
3. Enter control-plane configuration mode
router(config)#control-plane
* When using the `match protocol' classification criteria, ARP is the only protocol supported. All other protocols need an ACE entry for classification purposes.
4. Apply QoS policy
service-policy {input output}
input Assign policy-map to the input of an interface
output** Assign policy-map to the output of an interface
...(略)
A router can be logically divided into four functional components or planes:
1. Data Plane
2. Management Plane
3. Control Plane
4. Services Plane
The vast majority of traffic travels through the router via the data plane; however, the Route Processor must handle certain packets, such as routing updates, keepalives, and network management. This is often referred to as control and management plane traffic.
Because the Route Processor is critical to network operations, any service disruption to the Route Processor or the control and management planes can result in business-impacting network outages. A DoS attack targeting the Route Processor, which can be perpetrated either inadvertently or maliciously, typically involves high rates of punted traffic that result in excessive CPU utilization on the Route Processor itself. This type of attack, which can be devastating to network stability and availability, may display the following symptoms:
• High Route Processor CPU utilization (near 100%)
• Loss of line protocol keepalives and routing protocol updates, leading to route flaps and major network transitions
• Interactive sessions via the Command Line Interface (CLI) are slow or completely unresponsive due to high CPU utilization
• Route Processor resource exhaustion-resources such as memory and buffers are unavailable for legitimate IP data packets
• Packet queue backup, which leads to indiscriminate drops (or drops due to lack of buffer resources) of other incoming packets
CPP addresses the need to protect the control and management planes, ensuring routing stability, availability, and packet delivery.
It uses a dedicated control-plane configuration via the Modular QoS CLI (MQC) to provide filtering and rate limiting capabilities for control plane packets.
Figure 1 illustrates the flow of packets from various interfaces. Packets destined to the control plane are subject to control plane policy checking, as depicted by the control plane services block.
Figure 1. Packet Flow
COMMAND SYNTAX
CPP leverages MQC to define traffic classification criteria and to specify configurable policy actions for the classified traffic. Traffic of interest must first be identified via class-maps, which are used to define packets for a particular traffic class. Once classified, enforceable policy actions for the identified traffic are created with policy-maps. The control-plane global command allows the CP service policies to be attached to control plane itself.
There are four steps required to configure CPP:
1. Define a packet classification criteria
router(config)#class-map
router(config-cmap)#match
2. Define a service policy
router(config)#policy-map
router(config-pmap)#class
router(config-pmap-c)# police
cir Committed information rate (Bits per second)
rate Specify policy rate in packets per second (pps)
3. Enter control-plane configuration mode
router(config)#control-plane
* When using the `match protocol' classification criteria, ARP is the only protocol supported. All other protocols need an ACE entry for classification purposes.
4. Apply QoS policy
service-policy {input output}
input Assign policy-map to the input of an interface
output** Assign policy-map to the output of an interface
...(略)
Comments