Cisco Control Plane Policing

This document shows how to protect a Cisco IOS 12.3(T) router with Control-Plane-Policing (CPP) against high load caused by an attack.

The Situation
Our router (a Cisco 1841) is under a “heavy” ICMP attack:

  • three “attacks” from PCs:

    C:\Documents and Settings\Administrator>ping -t -l 17500 10.0.2.2
    Reply from 10.0.2.2: bytes=17500 time<10ms TTL=255
    Reply from 10.0.2.2: bytes=17500 time<10ms TTL=255
    Reply from 10.0.2.2: bytes=17500 time<10ms TTL=255

  • three “attacks” from routers (Cisco 1841, one of them is the management-station):

    R1#ping 10.0.2.2 size 1000 repeat 10000

    Type escape sequence to abort.
    Sending 10000, 1000-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


The Result
The router has a relatively high load:


Router#show processes cpu sorted 1min
CPU utilization for five seconds: 64%/29%; one minute: 34%; five minutes: 22%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  60       84384    242214        348 35.03% 18.76% 11.92%   0 IP Input

The Solution (one of many possible)
Configuration of Control-Plane-Policing:

  • The forwarding-plane should not be affected
  • ICMPs from our management-station (10.0.2.11) should never be policed
  • All other ICMP traffic to the router should be policed to 16000 bit/s

First we define the traffic to police. The access-list is used as a class-map match, so deny does not drop anything here; it only keeps traffic out of the class:

  • deny: traffic that is excluded from the class and therefore not policed
  • permit: traffic that is put into the class and therefore policed

Router(config)#ip access-list extended icmp-traffic
Router(config-ext-nacl)#remark Host 10.0.2.11 is the Management-Station
Router(config-ext-nacl)#deny icmp host 10.0.2.11 any
Router(config-ext-nacl)#permit icmp any any

Then the class-map and the policy-map are defined:


Router(config)#class-map icmp-class
Router(config-cmap)#match access-group name icmp-traffic
Router(config-cmap)#exit
Router(config)#policy-map cpp
Router(config-pmap)#class icmp-class
Router(config-pmap-c)#police 16000 conform-action transmit exceed-action drop
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#

Last, the policy-map is applied to the control-plane:


Router(config)# control-plane
Router(config-cp)# service-policy input cpp

The complete configuration for this example:


class-map match-all icmp-class
 match access-group name icmp-traffic
!
policy-map cpp
 class icmp-class
   police 16000 conform-action transmit  exceed-action drop
!
ip access-list extended icmp-traffic
 remark Host 10.0.2.11 is the Management-Station
 deny   icmp host 10.0.2.11 any
 permit icmp any any
!
control-plane
 service-policy input cpp

The (new) Result
The two “attacking” Routers are policed:


R4#ping 10.0.2.2 size 1000 repeat 10000

Type escape sequence to abort.
Sending 10000, 1000-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!

R3#ping 10.0.2.2 size 1000 repeat 1000000

Type escape sequence to abort.
Sending 1000000, 1000-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.
!.!.!.!.!.!.!.!.!..!.!.!..!.!.!..!.!.!..!.!.!
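The alternating “!.!.” pattern follows from how the policer’s token bucket interacts with ping’s stop-and-wait behaviour. The following Python model is an added example and not part of the original post: it implements the usual single-rate token-bucket policer with the CIR configured above (16000 bit/s) and the burst the router reports in show policy-map control-plane (bc 1500 bytes), replays a 1000-byte IOS ping against it and, going beyond the page, also feeds it a constant-rate sender to show that such a source gets roughly the CIR and nothing more. The policer semantics, the 1 ms reply time and the assumption that ping sends the next echo immediately after a reply are modelling assumptions, not measurements from the router.

```python
# Added example (not part of the original post): a single-rate token-bucket
# model of the policer configured above, replayed against an IOS-style ping.
# Assumptions: standard single-bucket policer semantics (tokens refill at the
# CIR, capped at bc; a packet conforms when the bucket holds at least its size;
# a dropped packet consumes nothing); bc 1500 bytes is the value the router
# reports in `show policy-map control-plane`; ping sends the next echo right
# after a reply or after the 2-second timeout. All times are in milliseconds.


class Policer:
    """Model of `police <cir> conform-action transmit exceed-action drop`."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps
        self.bc_bytes = bc_bytes
        self.tokens = float(bc_bytes)  # the bucket starts full
        self.last_ms = 0

    def offer(self, now_ms, size_bytes):
        """Offer one packet at now_ms: True = conform (transmit), False = exceed (drop)."""
        refill = (now_ms - self.last_ms) * self.cir_bps / 8000  # bit/s over ms -> bytes
        self.tokens = min(float(self.bc_bytes), self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


def ping_pattern(policer, count, size_bytes, timeout_ms=2000, rtt_ms=1):
    """Replay an IOS ping (stop-and-wait) and return the '!'/'.' string IOS would print."""
    now_ms, out = 0, []
    for _ in range(count):
        if policer.offer(now_ms, size_bytes):
            out.append("!")
            now_ms += rtt_ms      # reply arrives, the next echo goes out immediately
        else:
            out.append(".")
            now_ms += timeout_ms  # echo dropped, ping waits for the timeout
    return "".join(out)


def flood_conformed_bps(policer, pps, size_bytes, seconds):
    """Constant-rate sender that never waits for replies.

    Returns (conformed packets, conformed bit rate over the run)."""
    interval_ms = 1000 // pps
    total = pps * seconds
    conformed = sum(policer.offer(i * interval_ms, size_bytes) for i in range(total))
    return conformed, conformed * size_bytes * 8 // seconds


if __name__ == "__main__":
    # the two "attacking" routers: 1000-byte echoes, one at a time
    print(ping_pattern(Policer(16000, 1500), 70, 1000))
    # a sender that does not wait for replies gets (roughly) the CIR and nothing more
    print(flood_conformed_bps(Policer(16000, 1500), 100, 1000, 10))
```

One 1000-byte echo drains the 1500-byte bucket below the size of the next one, which is then dropped; the 2-second timeout refills the bucket, so every second echo gets through. With bc 3000 bytes the first three echoes would pass before the first drop, which is why bc, not only cir, decides how bursty a source may be before the policer bites.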

The Management-Station can still ping:


R1#ping 10.0.2.2 size 1000 repeat 10000

Type escape sequence to abort.
Sending 1000000, 1000-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

And the load of the attacked router is reduced again (without the management-station pinging):


Router#show processes cpu sorted 1min
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 1%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  60      152940    436711        350  0.07%  0.40%  0.55%   0 IP Input

To verify that the policy is working:


Router#show policy-map control-plane
 Control Plane

  Service-policy input: cpp

    Class-map: icmp-class (match-all)
      13234 packets, 11814448 bytes
      5 minute offered rate 205000 bps, drop rate 193000 bps
      Match: access-group name icmp-traffic
      police:
          cir 16000 bps, bc 1500 bytes
        conformed 5003 packets, 1698758 bytes; actions:
          transmit
        exceeded 8231 packets, 10115690 bytes; actions:
          drop
        conformed 16000 bps, exceed 193000 bps

    Class-map: class-default (match-any)
      216824 packets, 218560940 bytes
      5 minute offered rate 43000 bps, drop rate 0 bps
      Match: any
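To turn that check into something scriptable, here is an added example (not from the original post) that parses the show policy-map control-plane output above and reports whether the policy does what the requirements ask: the policed class has a policer, its conformed rate stays within the CIR, its counters add up, and class-default, which carries everything else, drops nothing. The SAMPLE text is the router output shown above; the check criteria are my own.

```python
# Added example (not part of the original post): parse the output of
# `show policy-map control-plane` and check that the policy behaves as intended.
# SAMPLE is the router output shown on the page; the checks (counters add up,
# the policed class conforms at no more than its CIR, class-default drops
# nothing) are assumptions about what "working" should mean here.
import re

SAMPLE = """\
 Control Plane

  Service-policy input: cpp

    Class-map: icmp-class (match-all)
      13234 packets, 11814448 bytes
      5 minute offered rate 205000 bps, drop rate 193000 bps
      Match: access-group name icmp-traffic
      police:
          cir 16000 bps, bc 1500 bytes
        conformed 5003 packets, 1698758 bytes; actions:
          transmit
        exceeded 8231 packets, 10115690 bytes; actions:
          drop
        conformed 16000 bps, exceed 193000 bps

    Class-map: class-default (match-any)
      216824 packets, 218560940 bytes
      5 minute offered rate 43000 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \((match-\w+)\)")
TOTAL_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes$")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
CIR_RE = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
ACTION_RE = re.compile(r"^\s*(conformed|exceeded) (\d+) packets, (\d+) bytes; actions:")
POLICED_RATE_RE = re.compile(r"conformed (\d+) bps, exceed (\d+) bps")


def parse_copp(text):
    """Return {class name: counters} for every class in the control-plane service-policy."""
    classes, cur = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = {"match": m.group(2), "packets": 0, "bytes": 0,
                   "offered_bps": 0, "drop_bps": 0, "cir_bps": None, "bc_bytes": None,
                   "conformed_pkts": 0, "exceeded_pkts": 0,
                   "conformed_bps": 0, "exceed_bps": 0}
            classes[m.group(1)] = cur
            continue
        if cur is None:
            continue
        m = TOTAL_RE.match(line)
        if m:
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
            continue
        m = RATE_RE.search(line)
        if m:
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2))
            continue
        m = CIR_RE.search(line)
        if m:
            cur["cir_bps"], cur["bc_bytes"] = int(m.group(1)), int(m.group(2))
            continue
        m = ACTION_RE.match(line)
        if m:
            cur[m.group(1) + "_pkts"] = int(m.group(2))
            continue
        m = POLICED_RATE_RE.search(line)
        if m:
            cur["conformed_bps"], cur["exceed_bps"] = int(m.group(1)), int(m.group(2))
    return classes


def check_policy(classes, policed_class, default_class="class-default"):
    """Sanity checks a practitioner would run after applying the policy."""
    c, d = classes[policed_class], classes[default_class]
    seen = c["conformed_pkts"] + c["exceeded_pkts"]
    findings = {
        "policer_present": c["cir_bps"] is not None,
        "counters_add_up": seen == c["packets"],
        "conformed_within_cir": c["cir_bps"] is not None and c["conformed_bps"] <= c["cir_bps"],
        "drop_share": c["exceeded_pkts"] / max(1, seen),
        "default_class_drops": d["drop_bps"] > 0,  # collateral damage on everything else
    }
    findings["ok"] = (findings["policer_present"] and findings["counters_add_up"]
                      and findings["conformed_within_cir"]
                      and not findings["default_class_drops"])
    return findings


if __name__ == "__main__":
    for name, value in check_policy(parse_copp(SAMPLE), "icmp-class").items():
        print(f"{name}: {value}")
```

Feed it the output of show policy-map control-plane from your own router; a non-zero drop rate in class-default is the first sign that the policy hits traffic it was not meant to.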

What to do next?
At the moment only ICMP is policed. But what other traffic do we expect to reach the control plane? Also think about:

  • Routing-Protocols
  • Management-Protocols
  • All the rest
