hardware- and software-based CPU rate limiters (for DoS protection), user-based rate limiting, hardware-based MAC learning, uRPF check in hardware, TCP intercept hardware acceleration, and most important, the Control Plane Policing (CoPP) feature. CoPP is also supported on all Cisco Integrated Services Routers (ISRs). One of the main advantages is that most of these integrated security features are based on hardware and can be enabled concurrently with no performance penalty.
The traffic managed by a device can be divided into three functional components or planes:
- Data plane
- Management plane
- Control plane
The route processor is critical to network operation. Therefore any service disruption or security compromise to the route processor, and hence the control and management planes, can result in network outages that impact regular operations. For example, a DoS attack targeting the route processor typically involves high bursty traffic resulting in excessive CPU
utilization on the route processor. Such attacks can be devastating to network stability and availability. The bulk of traffic managed by the route processor is handled by way of the control and management planes.
The CoPP feature is used to protect the aforementioned control and management planes; to ensure stability, reachability, and availability and to block unnecessary or DoS traffic. CoPP uses a dedicated control plane configuration through the modular QoS CLI (MQC) to provide filtering and rate limiting capabilities for the control plane packets.
As mentioned earlier, the CoPP feature is available on all major Cisco router series including ISR.
Perform the following steps to configure and apply the CoPP feature:
Step 1. Define a packet classification criterion. There are a number of ways to categorize the type of traffic—for example, by using an access list or protocol or IP precedence values.
Code View:
Hostname(config)# class-map {traffic_class_name}
Hostname(config-cmap)# match {access-list protocol ip prec ip dscp vlan}
Step 2. Define a service policy. Note that flow policing is the only valid option available (as of this writing) in the policy map for CoPP.
Code View:
Hostname(config-pmap)# policy-map {service_policy_name}
Hostname(config-pmap)# class {traffic_class_name}
Hostname(config-pmap-c)# police
Step 3. Enter control plane configuration mode using the control-plane global command. In this CP submode, the service policies are attached to the control plane.
Hostname(config)# control-plane
Step 4. Apply QoS policy configured to the control plane.
Hostname(config-cp)# service-policy {input output} {service_policy_name}