- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Administering the Switch
- Configuring Virtual Switching Systems
- Configuring the Cisco IOS In-Service Software Upgrade Process
- Configuring the Cisco IOS XE In Service Software Upgrade Process
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring RPR
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7-E and Supervisor Engine 7L-E
- Configuring Cisco NSF with SSO Supervisor Engine Redundancy
- Environmental Monitoring and Power Management
- Configuring Power over Ethernet
- Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant
- Configuring VLANs, VTP, and VMPS
- Configuring IP Unnumbered Interface
- Configuring Layer 2 Ethernet Interfaces
- Configuring EVC-Lite
- Configuring SmartPort Macros
- Configuring Cisco IOS Auto Smartport Macros
- Configuring STP and MST
- Configuring Flex Links and MAC Address-Table Move Update
- Configuring Resilient Ethernet Protocol
- Configuring Optional STP Features
- Configuring EtherChannel and Link State Tracking
- Configuring IGMP Snooping and Filtering,
- Configuring IPv6 Multicast Listener Discovery Snooping
- Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
- Configuring Cisco Discovery Protocol
- Configuring LLDP, LLDP-MED, and Location Service
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring IP Multicast
- Configuring ANCP Client
- Configuring Bidirectional Forwarding Detection
- Configuring Policy-Based Routing
- Configuring VRF-lite
- Configuring Quality of Service
- Configuring Voice Interfaces
- Configuring Private VLANs
- Configuring MACsec Encryption
- Configuring 802.1X Port-Based Authentication
- Configuring the PPPoE Intermediate Agent
- Configuring Web-Based Authentication
- Configuring Port Security
- Configuring Auto Security
- Configuring Control Plane Policing and Layer 2 Control Packet QoS
- Configuring Dynamic ARP Inspection
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- Configuring Network Security with ACLs
- Support for IPv6
- Configuring Port Unicast and Multicast Flood Blocking
- Configuring Storm Control
- Configuring SPAN and RSPAN
- Configuring Wireshark
- Configuring Enhanced Object Tracking
- Configuring System Message Logging
- Onboard Failure Logging (OBFL)
- Configuring SNMP
- Configuring NetFlow-lite
- Configuring Flexible NetFlow
- Configuring Ethernet OAM and CFM
- Configuring Y.1731 (AIS and RDI)
- Configuring callhome
- Configuring Cisco IOS IP SLA Operations
- Configuring RMON
- Performing Diagnostics
- Configuring WCCP Version 2 Services
- Configuring MIB Support
- ROM Monitor
- Acronyms and Abbreviations
- Catalyst 4500 Series Switch SW Configuration Guide Index, IOS XE 3.6.0E and IOS 15.2(2)E
- Configuring Control Plane Policing
Configuring Control Plane Policing and Layer 2 Control Packet QoS
Note CoPP is supported on the following: Supervisor 6-E and Catalyst 4900M starting with Cisco IOS Release 12.2(50)SG; Supervisor 6L-E starting with Cisco IOS Release 12.2(52)X0; Catalyst 4948-E starting with Cisco IOS Release 12.2(54)X0; Supervisor Engine 7-E starting with Cisco IOS XE 3.1.0SG; Supervisor Engine 7L-E starting with Cisco IOS XE 3.2.0XO; Supervisor Engine 8-E starting with Cisco IOS XE 3.3.0SG.
This chapter contains information on how to protect your Catalyst 4500 series switch using control plane policing (CoPP). The information covered in this chapter is unique to the Catalyst 4500 series switches, and it supplements the network security information and procedures in Chapter54, “Configuring Network Security with ACLs” This information also supplements the network security information and procedures in these publications:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html
This chapter includes the following major sections:
- Configuring Control Plane Policing
- Monitoring CoPP
- Configuring Layer 2 Control Packet QoS
- Policing IPv6 Control Traffic
Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html
If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the Cisco IOS library. See the Cisco IOS Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/ps6350/index.html
Configuring Control Plane Policing
This section includes these topics:
- About Control Plane Policing
- General Guidelines for Control Plane Policing
- Default Configuration
- Configuring CoPP for Control Plane Traffic
- Configuring CoPP for Data Plane and Management Plane Traffic
- Control Plane Policing Configuration Guidelines and Restrictions
- Policing IPv6 Control Traffic
About Control Plane Policing
Note Catalyst 4500 switch support hardware CoPP for all IPv6 First Hop Security Features (DHCPv6 Inspection/Guard, DHCPv6 remote-ID option for Layer 2, IPv6 full RA Guard,...) However, due to inability of VFE to match ICMP v6 packets for policing in the outward direction, hardware CoPP does not work on Supervisor 6-E, Supervisor 6L-E, Catalyst 4900M, and Catalyst 4948-E
The control plane policing (CoPP) feature increases security on the Catalyst 4500 series switch by protecting the CPU from unnecessary or DoS traffic and giving priority to important control plane and management traffic. The classification TCAM and QoS policers provide CoPP hardware support.
Traffic managed by the CPU is divided into three functional components or planes :
You can use CoPP to protect most of CPU-bound traffic and to ensure routing stability, reachability, and packet delivery. Most importantly, you can use CoPP to protect the CPU from a DoS attack.
By default, you receive a list of predefined ACLs matching a selected set of Layer 2 and Layer 3 control plane packets. You can further define your preferred policing parameters for each of these packets and modify the matching criteria of these ACLs.
The following table lists the predefined ACLs.
|
|
---|---|
For the data and management plane traffic, you can define your own ACLs to match the traffic class that you want to police.
CoPP uses MQC to define traffic classification criteria and to specify the configurable policy actions for the classified traffic. MQC uses class maps to define packets for a particular traffic class. After you have classified the traffic, you can create policy maps to enforce policy actions for the identified traffic. The control-plane global configuration command allows you to directly attach a CoPP service policy to the control plane.
The policy map system-cpp-policy must contain the predefined class maps in the predefined order at the beginning of the policy map. The best way to create system-cpp-policy policy map is by using the global macro system-cpp.
The system-cpp-policy policy map contains the predefined class maps for the control plane traffic. The names of all system-defined CoPP class maps and their matching ACLs contain the prefix system-cpp-. By default, no action is specified for each traffic class. You can define your own class maps matching CPU-bound data plane and management plane traffic. You can also add your defined class maps to system-cpp-policy.
General Guidelines for Control Plane Policing
Guidelines for control plane policing include the following:
- If a given traffic class does not have a designated class map, and you want to protect this traffic, we recommend that you:
– Create specific class maps for such unknown traffic packets and add the user-defined class maps to system-cpp-policy.
– Or, rate-limit such traffic to prevent CPU hogging.
For instance, in a VSS setup, if you have defined class map cpp-vsl-mgmt for VSL management traffic (exclusively Layer 2 packets), do not use the cpp-vsl-mgmt class map to protect supervisor keep-alive traffic (IP packets), or BFD packets. This can cause VSL link failures. Instead, create separate class maps, such as cpp-ip for supervisor keep-alive traffic, and cpp-bfd for BFD packets. VSL link failures may also ensue if you enter class-default as the class name for traffic that does not have a designated class map.
Although source MAC learning on a Catalyst 4500 series switch is performed in software, learning control packets' source MAC addresses (for example, IEEE BPDU, CDP, SSTP BPDU, GARP/) is not allowed. Once you configure port security on a port where you expect a high rate of potentially unanticipated control packets, the system generates a copy of the packet to the CPU (until the source address is learned), instead of forward it.
The current architecture of the Catalyst 4500 supervisor engine does not allow you to apply policing on the copy of packets sent to the CPU. You can only apply policing on packets that are forwarded to the CPU. Copies of packets are sent to the CPU at the same rate as control packets, and port security is not triggered because learning from control packets is not allowed. Policing is not applied because the packet copy, not the original, is sent to the CPU.
- ARP policing is not supported on either the classic series supervisor engines or fixed configuration switches. It is supported on the Catalyst 4900M and 4948E switches, Supervisor Engine 6-E, and Supervisor Engine 6L-E (use “match protocol arp” to classify).
- Only ingress CoPP is supported. So only input keyword is supported in control-plane related CLIs.
- Use ACLs and class-maps to identify data plane and management plane traffic that are handled by CPU.
- The only action supported in CoPP policy-map is police.
- Do not use the log keyword in the CoPP policy ACLs.
Default Configuration
Configuring CoPP for Control Plane Traffic
To configure CoPP for control plane traffic, perform this task:
The following example shows how to police CDP packets:
Configuring CoPP for Data Plane and Management Plane Traffic
To configure CoPP for data plane and management plane traffic, perform this task:
The following example shows how to configure trusted hosts with source addresses 10.1.1.1 and 10.1.1.2 to forward Telnet packets to the control plane without constraint, while allowing all remaining Telnet packets to be policed at the specific rate. This example assumes that global QoS is enabled and that the system-cpp-policy policy map was created.
Control Plane Policing Configuration Guidelines and Restrictions
When using (or configuring) control plane policing, consider these guidelines and restrictions:
All supervisor engines
When configuring CoPP, consider these guidelines:
- Only ingress CoPP is supported. Only the input keyword is supported in control plane-related CLIs.
- Control plane traffic can be policed only through CoPP. Traffic cannot be policed at the input interface or VLAN even though a policy map containing the control plane traffic is accepted when the policy map is attached to an interface or VLAN.
- Use ACLs and class maps to identify data plane and management plane traffic that are handled by the CPU. U1ser defined class maps should be added to the system-cpp-policy policy map for CoPP.
- The default system-cpp-policy policy map does not define actions for the system-defined class maps (no policing).
- The only action supported in system-cpp-policy is police.
- You can use both MAC and IP ACLs to define data plane and management plane traffic classes. However, if a packet also matches a predefined ACL for the control plane traffic, a police (or no police) action will operate on the control plane class because the control plane classes appear above the user-defined classes in the service policy.
- The exceeding action policed-dscp-transmit is not supported for CoPP.
- Do not use the log keyword in CoPP policy ACLs. Instead, if you want to determine if rogue packets are arriving, view the output of the show policy-map interface command or use the span feature.
Do not apply to Catalyst 4900M, Catalyst 4948E, Supervisor Engine 6-E, and Supervisor Engine 6L-E
Monitoring CoPP
You can enter the show policy-map control-plane command to develop site-specific policies, to monitor statistics for the control plane policy, and to troubleshoot CoPP. This command displays dynamic information about the actual policy applied, including rate information and the number of bytes (and packets) that conformed or exceeded the configured policies both in hardware and in software.
The output of the show policy-map control-plane command is similar to the following:
To clear the counters on the control plane, enter the clear control-plane * command:
To display all the CoPP access list information, enter the show access-lists command:
To display one CoPP access list, enter the show access-lists system-cpp-cdp command:
Configuring Layer 2 Control Packet QoS
Layer 2 control packet QoS enables you to police control packets arriving on a physical port or LAN.
This section includes these topics:
- Understanding Layer 2 Control Packet QoS
- Default Configuration
- Enabling Layer 2 Control Packet QoS
- Disabling Layer 2 Control Packet QoS
- Layer 2 Control Packet QoS Configuration Examples
- Layer 2 Control Packet QoS Guidelines and Restrictions
Understanding Layer 2 Control Packet QoS
You might want to police incoming Layer 2 control packets such as STP, CDP, VTP, SSTP, BPDU, EAPOL and LLDP on a specific port before the packets reach CPU. This could serve as a first line of defense before aggregate traffic is subjected to policing (through CoPP). By default, policers cannot be applied to Layer 2 control packets in the input direction. This prevents users from inadvertently policing or dropping critical Layer 2 control packets.
While this approach protects a user who is wrongly policing control packets, it introduces a more serious problem. If a flood of Layer 2 control packets is received on any of the switch interfaces at a very high rate due to a DoS attack or to a loop introduced in the customer network because of misconfiguration, CPU utilization can increase quickly. This can have adverse impacts such as loss of protocol keep-alives and routing protocol updates. The Layer 2 control packet QoS feature allows you to police Layer 2 control packets at the port, VLAN, or port- VLAN level in the input direction.
Default Configuration
Enabling Layer 2 Control Packet QoS
To enable Layer 2 control packet QoS, perform this task:
Table 51-1 lists the types of packets impacted by this feature.
|
|
---|---|
The following example shows how to enable QoS for CDP packets and to apply a policer to CDP packets arriving on interface gi3/1 and VLAN 1:
Disabling Layer 2 Control Packet QoS
The no qos control-packet command disables QoS for all packet types.
The following example shows how to disable QoS for CDP packets after QoS is enabled for all packet types:
Note When all control packets (CDP/VTP, bpdu-range, SSTP, LLDP, and protocol-tunnel), are enabled only qos control-packets is nevgen’d. Individual protocol names mentioned in the previous output are nvegen’d only if the some of the control packets are configured.
Note When you unconfigure this feature for a specified protocol type, the user-configured policies handling that protocol type immediately become ineffective. To save TCAM resources, remove the policies as well as MACLs and class maps (auto-generated or user-defined).
Note TCAM resources are not consumed when the interface is in a down state.
Table 51-2 displays the auto-generated MACLs and class maps that are created when you enable the feature on the corresponding packet type.
Layer 2 Control Packet QoS Configuration Examples
You can use CoPP and Layer 2 control packet QoS together to prevent DoS attacks to the CPU. In the following example, BPDUs arriving on interface gi3/1, VLAN 1 and VLAN 2 are limited to 32 Kbps and 34 Kbps, respectively. Aggregate BPDU traffic to CPU then is further rate-limited to 50 Kbps using CoPP.
Configuring Layer 2 Control Packet QoS
Configuring Control Plane Policy
Note To reduce the consumption of policer resources, you can also use named-aggregate policers applied to a group of ports or VLANs.
Note Do not modify class maps and MACLs that are auto-generated by the system. This action can cause unexpected behavior when the switch reloads or when the running configuration is updated from a file.
To refine or modify system-generated class maps or MACLs, apply user-defined class maps and MACLs.
Note User defined class map names must begin with the prefix system-control-packet. If not, certain hardware (Catalyst 4924, Catalyst 4948, Catalyst 4948-10GE, Supervisor Engine II-Plus, Supervisor Engine II+10GE, Supervisor Engine V, and Supervisor Engine V-10GE) might not perform the configured QoS action.
For example, the following are valid user-defined class map names to police Layer 2 control packets because they begin with the prefix system-control-packet:
No such restrictions exist on the names you can use for user-defined MACLs (access-groups).
The following example shows how to create user-defined MACLs and class maps to identify EAPOL and BPDU packets. Because the auto-generated class map system-control-packet-bpdu range matches three packet types (BPDU, EAPOL, and OAM), policing this traffic class affects all three packet types. To police BPDU and EAPOL packets at different rates, you can set user-defined MACL and class map as follows:
Layer 2 Control Packet QoS Guidelines and Restrictions
When using (or configuring) Layer 2 control packet QoS, consider these guidelines and restrictions:
- When you enable Layer 2 control packet QoS, it applies to all ports on the switch. If Layer 2 control packets are not explicitly classified in the policy attached to port or VLAN, the actions in class-default will be applied as per normal QoS rules.
- Place classifiers that match control packets at the beginning of a policy map followed by other traffic classes, ensuring that Layer 2 control packets are not subjected to inadvertent QoS actions.
- The application of default class (class-default) actions depends on the type of supervisor engine:
– Supervisor Engine V-10GE with NetFlow support—Actions associated with class-default are never applied on unmatched control packets; a default permit action is applied. Only actions associated with class maps that begin with system-control-packet are applied on control packets.
– All other supervisor engines—Actions associated with class-default are applied on unmatched control packets.
Policing IPv6 Control Traffic
On Catalyst 4900M, Catalyst 4948E, Supervisor Engine 6-E, and Supervisor Engine 6L-E, IPv6 control packets such as OSPF, PIM and MLD can be policed on a physical port, VLAN, or control plane by configuring IPv6 ACLs to classify such traffic and then applying a QoS policy to police such traffic.
The following examples show how to police OSPFv6, PIMv6 and MLD control traffic received on a port.
This example shows how to configure a traffic class to identify OSPFv6 control packets by its destination IP v6 address:
The following example shows how to configure a traffic class to identify PIMv6 control packets by its destination IPv6 address:
The following example shows how to configure a traffic class to identify MLD protocol control packets:
The following example shows how to configure a QoS policy to police OSPFv6, PIMv6 and MLD traffic classes:
The following example shows how to policy to interface gi2/2 in the input direction: