Control Plane Policing

Several security-related products, such as firewalls and access lists on the router, help the administrator protect traffic moving through the router or the network. Control Plane Policing (CoPP) defines rules and policies to prevent attacks that are aimed at the router itself. It is a Cisco IOS feature designed to let users manage the flow of traffic that is handled by the RP (short for route processor). It stops unnecessary traffic from reaching the route processor, thereby increasing security. CoPP sets policies to limit attacks directed at the router's own interfaces via the IP addresses of those interfaces.

The primary responsibility of a Cisco IOS router is to forward IP packets to their destinations, but it is also responsible for processing the traffic of the control and management planes. CoPP policies help administrators protect the control and management planes, and so preserve a stable routing table and reliable packet delivery. If an attacker tries to flood the router with management traffic, such as SSL/HTTPS, that traffic can be rate-limited or stopped completely with the help of CoPP policies.

The following are the benefits of CoPP policies:

  • Helps protect against DoS attacks
  • Offers an efficient quality of service
  • Offers a mechanism for dropping TCP/UDP packets that the route processor does not need to process
  • Offers a dedicated control plane interface for traffic processing
  • Protects the CPU so that more resources are available for important jobs, such as routing

In CoPP, the traffic is first grouped into several class maps, and then policies are applied to those traffic groups. The first step in setting up the policy is to group the traffic types into appropriate class maps. For example, if all of the SSH/SSL/HTTP/HTTPS management traffic is put into one single class, there may be problems handling an excess of one type of traffic, since all of it competes within the same class. On the other hand, it would be very complex to place each type of traffic in its own class.

The best procedure for grouping is to first configure class maps that cover all traffic and reference them in the policy map. Then monitor the traffic to get a clear picture of the different traffic types, and add each type to the appropriate class map. The following are the different groups and class maps that can be created:

  • Fragmented or non-fragmented packets from known malicious programs
  • A class for all the routing protocols
  • A class for SSH, Telnet, and other management protocols such as SNMP, FTP, and TFTP
  • A class for all IP traffic
  • Network application traffic such as HSRP, IGMP, and DHCP
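The following Cisco IOS configuration is an added example, not taken from the book, that carries the grouping procedure above through to a working CoPP policy: one class map per traffic group (routing protocols, management protocols, network applications, fragments), a policy map that polices each class, and the service policy attached to the control plane. The management subnet 192.0.2.0/24, the access-list and class names, and all police rates are assumptions chosen for illustration; real rates should come from the monitoring step.

```cisco
! Step 1: classify. Extended ACLs select the traffic; class maps reference them.
ip access-list extended COPP-ROUTING
 remark routing protocols: never dropped, only counted
 permit ospf any any
 permit eigrp any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
ip access-list extended COPP-MANAGEMENT
 remark SSH, Telnet, SNMP, FTP, TFTP from the assumed management subnet
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp 192.0.2.0 0.0.0.255 any eq telnet
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
 permit tcp 192.0.2.0 0.0.0.255 any eq ftp
 permit tcp 192.0.2.0 0.0.0.255 any eq ftp-data
 permit udp 192.0.2.0 0.0.0.255 any eq tftp
!
ip access-list extended COPP-NETAPPS
 remark HSRP hellos, IGMP, DHCP
 permit udp any host 224.0.0.2 eq 1985
 permit igmp any any
 permit udp any any eq bootps
 permit udp any any eq bootpc
!
ip access-list extended COPP-FRAGMENTS
 remark non-initial fragments have no valid reason to reach the RP
 permit tcp any any fragments
 permit udp any any fragments
 permit icmp any any fragments
 permit ip any any fragments
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MANAGEMENT
 match access-group name COPP-MANAGEMENT
class-map match-all COPP-NETAPPS
 match access-group name COPP-NETAPPS
class-map match-all COPP-FRAGMENTS
 match access-group name COPP-FRAGMENTS
!
! Step 2: policy. Fragments are dropped; routing is transmitted even when it
! exceeds its rate (the rate only produces counters); management and network
! applications are rate-limited; class-default gets a small budget so that
! unclassified traffic cannot starve the route processor. Rates are assumed.
policy-map COPP-POLICY
 class COPP-FRAGMENTS
  drop
 class COPP-ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-MANAGEMENT
  police 256000 conform-action transmit exceed-action drop
 class COPP-NETAPPS
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
! Step 3: attach the policy to the control plane. "input" means traffic
! destined for the route processor, which is what CoPP protects.
control-plane
 service-policy input COPP-POLICY
!
! Verification (exec mode): per-class conformed and exceeded counters
! show policy-map control-plane input
! show access-lists
```

For the monitoring pass that the text recommends before enforcing, configure every class with `exceed-action transmit` first; `show policy-map control-plane input` then reports how much traffic each class receives without dropping anything, and the rates can be tightened once the normal traffic mix is known. Unexpected growth in the class-default counters is the signal that some traffic type still needs its own class.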