Control Plane Policing (CoPP) protects the control plane, which ensures network stability, reachability, and packet delivery.
This feature lets you specify, for each protocol that can reach the control processor, the parameters used to rate-limit that
protocol with a policer. The policing is applied to all traffic destined to any of the IP addresses of the router or Layer 3 switch.
A common attack vector for network devices is the denial-of-service (DoS) attack, where excessive traffic is directed at the
device interfaces.
The Cisco NX-OS running on ACI Leaf/Spine switches provides CoPP to prevent DoS attacks from impacting performance. Such attacks,
whether inadvertent or malicious, typically involve high rates of traffic destined to the supervisor module of an ACI Leaf/Spine
switch or to its CPU.
The supervisor module of ACI Leaf/Spine switches divides the traffic that it manages into two functional components or planes:
- Data plane—Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to
another. The packets that are not meant for the switch itself are called the transit packets. These packets are handled by
the data plane.
- Control plane—Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol (BGP) and the Open Shortest
Path First (OSPF) Protocol, send control packets between devices. These packets are destined to router addresses and are called
control plane packets.
The ACI Leaf/Spine supervisor module hosts the control plane and is critical to the operation of the network. Any disruption of
or attack on the supervisor module results in serious network outages. For example, excessive traffic to the supervisor
module could overload and slow down the performance of the entire Cisco ACI fabric. Another example is a DoS attack on the
ACI Leaf/Spine supervisor module that could generate IP traffic streams to the control plane at a very high rate, forcing
the control plane to spend a large amount of time in handling these packets and preventing the control plane from processing
genuine traffic.
Examples of DoS attacks are as follows:
These attacks can impact the device performance and have the following negative effects:
- Reduced service quality (such as poor voice, video, or critical applications traffic)
- High route processor or switch processor CPU utilization
- Route flaps due to loss of routing protocol updates or keepalives
- Processor resource exhaustion, such as the memory and buffers
- Indiscriminate drops of incoming packets
Note: ACI Leaf/Spines are by default protected by CoPP with default settings. This feature allows for tuning the parameters on a
group of nodes based on customer needs.
Control Plane Protection
To protect the control plane, the Cisco NX-OS running on ACI Leaf/Spines segregates different packets destined for the control
plane into different classes. Once these classes are identified, the Cisco NX-OS device polices the packets, which ensures
that the supervisor module is not overwhelmed.
Control Plane Packet Types:
Different types of packets can reach the control plane:
- Receive Packets—Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router
MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and
keepalive messages. Multicast packets can also be in this category where packets are sent to multicast addresses that are
used by a router.
- Exception Packets—Packets that need special handling by the supervisor module. For example, if a destination address is not present in the
Forwarding Information Base (FIB) and results in a miss, the supervisor module sends an ICMP unreachable packet back to the
sender. Another example is a packet with IP options set.
- Redirect Packets—Packets that are redirected to the supervisor module. Features such as Dynamic Host Configuration Protocol (DHCP) snooping
or dynamic Address Resolution Protocol (ARP) inspection redirect some packets to the supervisor module.
- Glean Packets—If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet
and sends an ARP request to the host.
All of these different packets could be maliciously used to attack the control plane and overwhelm the Cisco ACI Fabric. CoPP
classifies these packets to different classes and provides a mechanism to individually control the rate at which the ACI Leaf/Spine
supervisor module receives these packets.
Classification for CoPP:
For effective protection, the ACI Leaf/Spine NX-OS classifies the packets that reach the supervisor modules to allow you to
apply different rate controlling policies based on the type of the packet. For example, you might want to be less strict with
a protocol packet such as Hello messages but more strict with a packet that is sent to the supervisor module because the IP
option is set.
Rate Controlling Mechanisms:
Once the packets are classified, the ACI Leaf/Spine NX-OS has different mechanisms to control the rate at which packets arrive
at the supervisor module.
You can configure the following parameters for policing:
- Committed information rate (CIR)—Desired bandwidth, specified as a bit rate or a percentage of the link rate.
- Committed burst (BC)—Size of a traffic burst that can exceed the CIR within a given unit of time and not impact scheduling.
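As an added illustration of the classification and rate-controlling mechanism described above (this is not Cisco's code and not the ACI CoPP implementation), the following Python model runs one single-rate token-bucket policer per class, parameterised by CIR and BC. The class names, the packet fields and the traffic are constructed for the example; it shows a burst of IP-options (exception) packets being policed while BGP keepalives in their own class are unaffected.

```python
class Policer:
    """Single-rate token-bucket policer: CIR in bits/s, committed burst (BC) in bytes."""
    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps, self.bc_bytes = cir_bps, bc_bytes
        self.tokens, self.last_ts = float(bc_bytes), 0.0  # bucket starts full: BC bytes may burst

    def admit(self, ts, size_bytes):
        """Refill at CIR (converted to bytes/s), capped at BC; the packet conforms if it fits."""
        elapsed = max(0.0, ts - self.last_ts)
        self.last_ts = max(self.last_ts, ts)
        self.tokens = min(self.bc_bytes, self.tokens + elapsed * self.cir_bps / 8)
        if size_bytes > self.tokens:
            return False          # exceeds CIR plus BC: policed (dropped)
        self.tokens -= size_bytes
        return True

def classify(pkt):
    """Map a control-plane-bound packet to a CoPP class (hypothetical class names)."""
    if pkt.get("ip_options") or pkt.get("fib_miss"):
        return "exception"   # needs special handling by the supervisor module
    if pkt.get("glean"):
        return "glean"       # no MAC for the next hop: supervisor must send an ARP request
    if pkt.get("proto") in ("dhcp", "arp"):
        return "redirect"    # DHCP snooping / dynamic ARP inspection
    if pkt.get("proto") in ("bgp", "ospf"):
        return "routing"     # receive packets: routing updates and keepalives
    return "default"

def police(policy, packets):
    """One policer per class; returns conform/drop counters per class."""
    stats = {}
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        cls = classify(pkt)
        ok = policy[cls].admit(pkt["ts"], pkt["size"])
        stats.setdefault(cls, {"conform": 0, "drop": 0})["conform" if ok else "drop"] += 1
    return stats

def run_demo():
    # Constructed policy: generous CIR/BC for routing protocols, strict for exception packets.
    policy = {"routing": Policer(cir_bps=1_000_000, bc_bytes=64_000),
              "exception": Policer(cir_bps=64_000, bc_bytes=4_000)}
    for cls in ("glean", "redirect", "default"):
        policy[cls] = Policer(cir_bps=100_000, bc_bytes=2_000)
    # Constructed traffic: 10 BGP keepalives spread over one second, plus 100 packets
    # with IP options arriving together at t=0.5 (a burst aimed at the supervisor).
    keepalives = [{"ts": i / 10, "size": 100, "proto": "bgp"} for i in range(10)]
    flood = [{"ts": 0.5, "size": 500, "ip_options": True} for _ in range(100)]
    return police(policy, keepalives + flood)
```

With these constructed values the exception bucket holds 4,000 bytes, so only the first 8 of the 500-byte burst packets conform and the remaining 92 are dropped, while all 10 keepalives pass through the separate routing class.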
Default Policing Policies:
When a Cisco ACI Leaf/Spine boots up, the platform sets up pre-defined CoPP parameters for the different protocols, based
on tests done by Cisco.