
Control Plane and Management Plane Policing

In document Molina-HLD-V1.0(Latest) (Page 47-52)


3. Layer 1, 2, 3 Design & HA Technologies

3.5 Control Plane and Management Plane Policing

CoPP is disabled by default on the 6500 platform and enabled by default on Nexus 7000 platforms. The figure below depicts a Cisco 6500, its Multilayer Switching Feature Card (MSFC) that contains the L2 Switch Processor (SP) and L3 Route Processor (RP), and the mechanisms available on the Cisco 6500 to protect the Switch Processor and Route Processor against DoS attacks. Specifically, the Cisco 6500 supports a two-level defense with control plane policing (CoPP) and special-case CPU hardware rate limiters (HWRL).

The CoPP feature applies to traffic going to the Route Processor control plane interface.

CoPP is applied in hardware on a per forwarding engine basis at the Policy Feature Card (PFC) and Distributed Forwarding Card (DFC).

The special-case CPU hardware rate limiters are platform-dependent rate limiters applied in hardware to traffic going to the Switch Processor or Route Processor.

Figure 3.1-CONTROL PLANE POLICING

A router can be logically divided into three functional components or planes:

1. Data Plane

2. Management Plane

3. Control Plane

Figure 3.2-LOGICAL PLANES OF ROUTER

The vast majority of traffic generally travels through the router via the data plane; however, the Route Processor must handle certain packets, such as routing updates, keepalives, and network management. This traffic is often referred to as control and management plane traffic.

The Route Processor is critical to network operation. Any service disruption to the route processor, and hence the control and management planes, can lead to business-impacting network outages. A Denial of Service (DoS) attack targeting the route processor, which can be perpetrated either inadvertently or maliciously, typically involves high rates of traffic destined to the Route Processor itself that result in excessive CPU utilization. Such an attack can be devastating to network stability and availability and may include the following symptoms:

• High Route Processor CPU utilization (near 100%)

• Loss of line protocol keepalives and routing protocol updates, leading to route flaps and major network transitions

• Interactive sessions via the Command Line Interface (CLI) are slow or completely unresponsive due to high CPU utilization

• Route processor resource exhaustion: resources such as memory and buffers are unavailable for legitimate IP data packets

• Packet queues back up, leading to indiscriminate drops (or drops due to lack of buffer resources) of other incoming packets

CoPP addresses the need to protect the control and management planes, ultimately ensuring routing stability, reachability, and packet delivery. It uses a dedicated control-plane configuration via the IOS Modular Quality of Service CLI (MQC) to provide filtering and rate limiting capabilities for control plane packets.

3.5.1 Developing a CoPP Policy

Prior to developing the actual CoPP policy, required traffic must be identified and separated into different classes. One recommended methodology involves categorizing traffic into distinct groups based on relative importance. In the example discussed in this document, traffic is grouped into five different classes. The actual number of classes needed might differ and should be selected based on local requirements and security policies. Note that these 'traffic classes' are defined with regard to the CPU/control plane.

1. Critical

• Traffic that is crucial to the operation of the router and the network

• Examples: routing protocols such as OSPF

• Note that some sites might choose to classify other traffic as critical when appropriate.

2. Important

• Necessary, frequently used traffic that is required during day-to-day operations

• Examples: traffic used for remote network access and management, such as telnet, Secure Shell (SSH), Network Time Protocol (NTP) and Simple Network Management Protocol (SNMP)

3. Normal

• Traffic that is expected but not essential to network operation

• Normal traffic used to be particularly hard to address when designing control-plane protection schemes, as it should be permitted but should never pose a risk to the router. With CoPP, this traffic can be permitted but limited to a low rate.

• Examples: ICMP echo request (ping)

4. Undesirable

• Explicitly identifies “bad” or malicious traffic that should be dropped and denied access to the Route Processor

• Particularly useful when known traffic destined to the router should always be denied and not placed into a default category. Explicitly denying traffic allows the end-user to collect rough statistics on this traffic via show commands and therefore offers some insight into the rate of denied traffic.

5. Default

• All remaining traffic destined to the Route Processor that has not been identified

• With a default classification in place, statistics can be monitored to determine the rate of otherwise unidentified traffic destined to the control plane. Once this traffic is identified, further analysis can be performed to classify it and, if needed, the other CoPP policy entries can be updated to account for this traffic.
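The five-class scheme above expressed as an IOS MQC control-plane policy. This is an added illustration, not configuration taken from the HLD or from Cisco; the management subnet (10.0.0.0/24), the undesirable source range (192.0.2.0/24) and the police rates are placeholders to be replaced with local values.

```cisco
! ACLs that identify each class (addresses are placeholders)
ip access-list extended COPP-CRITICAL
 permit ospf any any
ip access-list extended COPP-IMPORTANT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp 10.0.0.0 0.0.0.255 any eq telnet
 permit udp 10.0.0.0 0.0.0.255 any eq ntp
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
ip access-list extended COPP-NORMAL
 permit icmp any any echo
 permit icmp any any echo-reply
ip access-list extended COPP-UNDESIRABLE
 permit ip 192.0.2.0 0.0.0.255 any
!
! One class-map per traffic class, matched by ACL
class-map match-all COPP-CRITICAL
 match access-group name COPP-CRITICAL
class-map match-all COPP-IMPORTANT
 match access-group name COPP-IMPORTANT
class-map match-all COPP-NORMAL
 match access-group name COPP-NORMAL
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
!
! Rates in bps are placeholders; tune from observed counters
policy-map COPP-POLICY
 class COPP-CRITICAL
  ! Count routing traffic but never drop it
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-IMPORTANT
  police 256000 conform-action transmit exceed-action drop
 class COPP-NORMAL
  ! Permitted but held to a low rate
  police 64000 conform-action transmit exceed-action drop
 class COPP-UNDESIRABLE
  ! Explicit drop so show commands still report its rate
  police 8000 conform-action drop exceed-action drop
 class class-default
  ! Unidentified traffic: rate-limited, then reviewed and reclassified
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

After applying the policy, per-class conformed and exceeded counters from show policy-map control-plane give the statistics the undesirable and default classes are meant to expose.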

3.5.2 CoPP on NX-OS

The NX-OS device provides control plane policing to prevent denial-of-service (DoS) attacks from impacting performance. CoPP classifies packets destined to the supervisor module into different classes and provides a rate limiting mechanism to individually control the rate at which the supervisor module receives each class of packets.

CoPP is configured in the default VDC but applies to all VDCs in the box.

The supervisor module divides the traffic that it manages into three functional components or planes:

➢ Data plane—Handles all the data traffic. The basic functionality of an NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called transit packets. These packets are handled by the data plane.

➢ Control plane—Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol (BGP) and the Open Shortest Path First (OSPF) Protocol, send control packets between devices. These packets are destined to router addresses and are called control plane packets.

➢ Management plane—Runs the components meant for NX-OS device management purposes, such as the command-line interface (CLI) and Simple Network Management Protocol (SNMP).

The supervisor module hosts both the management plane and the control plane and is critical to the operation of the network. Any disruption of or attack on the supervisor module will result in serious network outages. For example, excessive traffic to the supervisor module could overload it and slow down the performance of the entire NX-OS device. Attacks on the supervisor module can be of various types, such as a denial-of-service (DoS) attack that generates IP traffic streams to the control plane at a very high rate.

These attacks force the control plane to spend a large amount of time handling these packets and prevent it from processing genuine traffic.

These attacks can impact the device performance and have the following negative effects:

• High supervisor CPU utilization.

• Loss of line protocol keep-alive messages and routing protocol updates, which lead to route flaps and major network outages.

• Interactive sessions using the CLI become slow or completely unresponsive due to high CPU utilization.

• Resources, such as the memory and buffers, might be unavailable for legitimate IP data packets.

• Packet queues fill up, which can cause indiscriminate packet drops.

3.5.3 CoPP Risk Assessment

Care must be taken to ensure that the CoPP policy does not filter critical traffic such as routing protocols or interactive access to the routers. Filtering this traffic could prevent remote access to the router, thus requiring a console connection.
