[c-nsp] control plane policing feature

Saku Ytti saku+cisco-nsp at ytti.fi
Sun Dec 25 03:42:10 EST 2005 

On (2005-12-21 14:45 -0300), Francisco Rivas wrote:

>  Thanks Rodney, I didn't realize that the control-policy was configured
> as OUTPUT on the example. Changed it to INPUT and that did the trick.

 Also before you deploy it be sure to ask TAC if it's actually supported
configuration or not. What made me quite annoyed was that CLNS match
is not supported, even though it works, effectively meaning, that 
CLNS will need to live in my trash class, that really killed my
motivation of implementing CoPP.
 And as always, CoPP is to protect you from attacks inside your AS#,
for attacks outside your AS# you have iACL and iPolicer, right :).

<holiday rant>
 I'd wish to merry christmas but I can't, as I'm not sure about
your religion and it would be considered inapropriate in some
part of the country (USA comes to mind). I want to extend their
politness a further and not wish you happy holidays, as you might
be actually working, then I could just wish you happy days, but
it might insult you, if your mother just died and you're terribly
depressed. So to be completely politally correct, I just
don't wish anything :>
</holiday rant>

>  But I have another doubt: the "drop" policy doesn't exist on 12.2
> train??? I've found it only on IOS 12.4 train.....  I've tried 12.0
> (31)S2, 12.2(25)S7 and 12.3(14)T5, and the drop policy doesn't exist.
> I'm missing something else here?? is the "drop" policy exclusive of the
> 12.4 train???
> 
> 
> 
> 
> Besides that, there are some bugs on the example on that URL. There is a
> defined policy map like this:
> 
> Router(config)# policy-map control-plane-out-policy
> ! Drop all traffic that matches the class "icmp-class."
> 
> 
> But after this, the example tries to apply this to the control-plane:
> 
> Router(config)# control-plane
> ! Define aggregate control plane service for the active route processor.
> Router(config-cp)# service-policy output control-plane-policy
> Router(config-cp)# exit
> 
> On the policy-map, the name is "control-plane-out-policy", but on the
> control-plane the service policy is configured as "control-plane-
> policy"... it should be "control-plane-out-policy", right??
> 
> Another thing: when I tried to copy/paste the example directly, I've got
> this on the access-list:
> 
> router7206(config)#access-list 141 deny icmp host 3.3.3.0 0.0.0.255 any
> port-unreachable ?
> % Unrecognized command
> 
> The "host" there is wrong, it should be
> 
> router7206(config)#access-list 141 deny icmp 3.3.3.0 0.0.0.255 any port-
> unreachable
> 
> 
> 
> 
> 
> Well, I've configured this on my lab router (running 12.4(3b):
> 
> 
> !
> class-map match-all icmp-class
>  match access-group 141
> !
> !
> policy-map control-plane-out-policy
>  class icmp-class
>    drop
> !
> access-list 141 deny   icmp 192.168.1.0 0.0.0.255 any echo
> access-list 141 deny   icmp 192.168.1.0 0.0.0.255 any echo-reply
> access-list 141 permit icmp any any echo
> access-list 141 permit icmp any any echo-reply
> 
> !
> control-plane
>  service-policy output control-plane-out-policy
> !
> 
> 
> This should permit the echo and echo-reply directed to any IP on any
> interface on the router, from 192.168.1.0/24, right???? Well, this isn't
> working here. All the packets are being dropped, from any source to any
> destination on the router. When I look at the ACL 141, I can see that
> all the packets are being matched with the last permit:
> 
> router7206#sh ip access-lists 141
> Extended IP access list 141
>     10 deny icmp 192.168.1.0 0.0.0.255 any echo
>     20 deny icmp 192.168.1.0 0.0.0.255 any echo-reply
>     30 permit icmp any any echo
>     40 permit icmp any any echo-reply (1076 matches)
> router7206#
> 
> 
> Then, when I added to the ACL the net 192.168.2.0/24 (the net used on
> the router's interface), the ACL matched this:
> 
>  router7206#sh ip access-lists 141
> Extended IP access list 141
>     10 deny icmp 192.168.1.0 0.0.0.255 any echo
>     20 deny icmp 192.168.1.0 0.0.0.255 any echo-reply
>     30 deny icmp 192.168.2.0 0.0.0.255 any echo
>     40 deny icmp 192.168.2.0 0.0.0.255 any echo-reply (323 matches)
>     50 permit icmp any any echo
>     60 permit icmp any any echo-reply
> router7206#
> 
> 
> This works because, as you said, the policy is working as OUTPUT (on
> this particular example), so the ACL is filtering the packet generated
> by the control-plane (the router itself) in response to the packets
> being send by the nets configured on the ACL. If I put the service
> policy on the control-plane as INPUT, it works as expected (I've tested
> this myself). If I'm right, the docs (particulary this example on that
> URL) is wrong... 
> 
> To stay according to the explanation of the example, "The following
> example shows how to configure trusted networks with source addresses
> 3.3.3.0 and 4.4.4.0 to receive Internet Control Message Protocol (ICMP)
> port-unreachable responses without constraint, while allowing all
> remaining ICMP port-unreachable to be dropped", the example should be
> something like this (notice that the ACL source-dest is reversed,
> because we need to match the outgoing traffic, not the incoming -
> because we are using an OUTPUT policy from the router to the nets):
> 
> 
> ! Allow 3.3.3.0 trusted network traffic.
> 
> Router(config)# access-list 141 deny icmp any 3.3.3.0 0.0.0.255 port-
> unreachable 
> 
> ! Allow 4.4.4.0 trusted network traffic.
> 
> Router(config)# access-list 141 deny icmp any 4.4.4.0 0.0.0.255 port-
> unreachable 
> 
> ! Rate limit all other ICMP traffic. 
> 
> Router(config)# access-list 141 permit icmp any any port-unreachable
> Router(config)# class-map icmp-class 
> Router(config-cmap)# match access-group 141
> Router(config-cmap)# exit
> Router(config)# policy-map control-plane-policy
> 
> ! Drop all traffic that matches the class "icmp-class."
> 
> Router(config-pmap)# class icmp-class
> Router(config-pmap-c)# drop
> Router(config-pmap-c)# exit
> Router(config-pmap)# exit
> Router(config)# control-plane
> 
> ! Define aggregate control plane service for the active route processor.
> 
> Router(config-cp)# service-policy output control-plane-policy
> Router(config-cp)# exit
> 
> 
> I'm right, or not??? :)
> 
> 
> 
> 
> regards,
> 
> 
> Francisco Rivas C.
> 
> 
> 
> 
> 
> On Wed, 2005-12-21 at 08:52 -0500, Rodney Dunn wrote:
> > I can't read your email because it didn't line wrap.
> > 
> > But from what I can gather is you want to allow icmp
> > from certain networks and drop the rest.
> > 
> > So you ACL should deny icmp coming from the particular
> > networks and then permit all other icmp traffic.
> > 
> > Then you reference the class-map *inbound* and set
> > the policy to drop.
> > 
> > That makes it such that all traffic that is *permitted* will
> > be dropped which is sorta reverse logic in that you denied
> > the traffic you wanted to allow through in the ACL.
> > 
> > Rodney
> > 
> > On Tue, Dec 20, 2005 at 03:23:47PM -0300, Francisco Rivas wrote:
> > > Hi all,
> > > 
> > > I'm testing the control plane policing on a Cisco 7206
> > > (http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html)
> > > and I've found certain things that don't fit, and I hope that someone
> > > here can give me a hand here. In the URL, there is an example that shows
> > > how to configure a couple of trusted networks to reach the router thru
> > > ICMP, and all the remaining ICMP traffic should be dropped. The example
> > > goes like this:
> > > 
> > > ! Allow 3.3.3.0 trusted network traffic.
> > > Router(config)# access-list 141 deny icmp host 3.3.3.0 0.0.0.255 any
> > > port-unreachable ! Allow 4.4.4.0 trusted network traffic.
> > > Router(config)# access-list 141 deny icmp host 4.4.4.0 0.0.0.255 any
> > > port-unreachable ! Rate limit all other ICMP traffic. Router(config)#
> > > access-list 141 permit icmp any any port-unreachable Router(config)#
> > > class-map icmp-class Router(config-cmap)# match access-group 141
> > > Router(config-cmap)# exit Router(config)# policy-map
> > > control-plane-out-policy ! Drop all traffic that matches the class
> > > "icmp-class." Router(config-pmap)# class icmp-class
> > > Router(config-pmap-c)# drop Router(config-pmap-c)# exit
> > > Router(config-pmap)# exit Router(config)# control-plane ! Define
> > > aggregate control plane service for the active route processor.
> > > Router(config-cp)# service-policy output control-plane-policy
> > > Router(config-cp)# exit
> > > 
> > > 
> > > First of all, I've tried some IOS versions, and the only one that I've found
> > > with the "drop" feature inside the class (in this case, "class icmp-class")
> > > is 12.4(3b) (service provider). I've tried 12.0(31)S2, 12.2(25)S7 and
> > > 12.3(14)T5, and they didn't have the "drop" command. I'm running
> > > 12.2(18)S4 on a 7206vxr with NPE-G1, and I want to stay on the 12.2
> > > train for now (by the way, 12.2(18)S4 is giving me some memory issues
> > > right now.. soon I'll write another mail about that). Is the "drop" command exclusive
> > > to the 12.4 train???
> > > Another thing, in the example, they want to ALLOW the ICMP traffic from both networks,
> > > so why they are DENIED on the config???? (access-list 141 deny icmp ...)
> > > I've tried this exact example (changing the ip addresses only), and
> > > obviously they didn't work. I've reversed the access-list (permit for
> > > the networks, then DENY any), and it worked as I expected. Is this a bug
> > > on the example, or something changed on 12.4 train??
> > > 
> > > And, for last, anyone has real-world experience with this control plane policing feature??
> > > does it works as expected???? any word about this will be very appreciated :)
> > > 
> > > Thanks a lot for your help!!!
> > > 
> > > 
> > > Regards,
> > > 
> > > 
> > > -- 
> > > Francisco Rivas Catalan
> > > Senior Network Engineer
> > > IFX Networks
> > > (56) 2 3744574
> > > francisco.rivas at ifxnw.cl
> > > 
> > > 
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

-- 
  ++ytti

More information about the cisco-nsp mailing list