Control Plane Policing Using ACL
Control Plane Policing (CoPP) is enhanced with Access Control List (ACL) support, enabling more precise classification and management of CPU-bound traffic. This update introduces ACL-based filtering for IPv4, improving security, optimizing traffic handling, and ensuring more efficient control-plane traffic processing.
Feature Characteristics
- Enhanced Traffic Classification: Supports ACL-based filtering for IPv4 traffic.
- Configurable Actions: Allows packet filtering with actions such as permit, deny, and policing.
- Granular Control: Introduces new options under hardware profiles, access lists, class maps, and policy maps to customize CoPP settings.
- Improved Policy Management: Enables the application of CoPP policies at the system level to optimize resource management. ACLs are applied to all packets destined for the CPU from the ASIC (Application Specific Integrated Circuit) hardware, including packets directed to the device's IP address, those trapped due to exceptions, and packets received on an InBand VRF (Virtual Routing and Forwarding) interface.
Benefits
- Stronger Security: Reduces the risk of DoS attacks by filtering and limiting excessive control-plane traffic.
- Better Traffic Management: Offers precise control over different types of traffic reaching the CPU, improving overall system efficiency.
- Flexible Configuration: Provides users with more options to define and manage traffic policies.
- Increased Performance: Ensures network devices function optimally by reducing unnecessary load on the control plane.
Configuration
Topology
Figure 53. Simple Configuration of CoPP ACL
CoPP IPv4 ACL Configuration
Follow these steps to configure CoPP on the device:
1. Enter configuration mode:
# configure terminal
2. Create an IP access list named acl for CoPP:
(config)# ip copp access-list acl
3. Define ACEs to permit IP packets from 20.20.20.1 to any destination and to deny all other IP packets:
(config-ip-copp-acl)# permit any 20.20.20.1 any
(config-ip-copp-acl)# deny any any any
4. Exit access list configuration mode:
(config-ip-copp-acl)# exit
5. Enable QoS and statistics monitoring, then commit the changes:
(config)# qos enable
(config)# qos statistics
(config)# commit
6. Create a class-map named c1 for CoPP:
(config)# class-map type copp match-any c1
7. Associate the previously created access list acl with the class-map, then exit:
(config-cmap-copp)# match access-group acl
(config-cmap-copp)# exit
8. Create a policy-map named p1 for CoPP:
(config)# policy-map type copp p1
9. Attach the class-map c1 to the policy-map, then commit:
(config-pmap-copp)# class type copp c1
(config-pmap-copp)# commit
10. Enable the hardware-profile filter for CoPP:
(config)# hardware-profile filter ingress-ipv4-qos-copp enable
(config)# commit
11. Install the service-policy for policy-map p1:
(config)# copp service-policy p1
(config)# commit
(config)# end
Configuration Snapshot
!
hardware-profile filter ingress-ipv4-qos-copp enable
hardware-profile statistics voq-full-color enable
hardware-profile statistics cfm-ccm enable
!
qos enable
qos statistics
!
no ip domain-lookup
ip domain-lookup vrf management
tfo Disable
errdisable cause stp-bpdu-guard
copp service-policy p1
no feature telnet vrf management
no feature telnet
feature ssh vrf management
no feature ssh
feature dns relay
ip dns relay
ipv6 dns relay
feature ntp vrf management
ntp enable vrf management
!
ip copp access-list 1
10 permit any 1.1.1.0/24 any
20 deny any any any
!
class-map type copp match-any c1
match access-group 1
!
policy-map type copp p1
class type copp c1
exit
!
Validation
To verify CoPP with permit action:
OcNOS#show int cpu counters queue-stats
E - Egress, I - Ingress, Q-Size is in bytes
+--------------------+--------+-----------------+-------------------+-----------------+-------------------+
| Queue/Class-map | Q-Size | Tx pkts | Tx bytes | Dropped pkts | Dropped bytes |
+--------------------+--------+-----------------+-------------------+-----------------+-------------------+
CPU0.q6 (E) 262144 33561 49871646 0 0
reserved-mc (E) 2097152 26 2204 0 0
vrrp-rip-dhcp (E) 1048576 3 1053 0 0
bpdu (E) 1048576 1 143 0 0
OcNOS#show int cpu counters queue-drop-stats
+-------------------+----------------+----------------+---------------------+
| Queue Name | Count | Last Increment | Last Increment Time |
+-------------------+----------------+----------------+---------------------+
OcNOS#show int cpu counters rate kbps
Load interval: 30 second
+-------------------+--------------+-------------+--------------+-------------+
| CPU Queue(%) | Rx kbps | Rx pps | Tx kbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
CPU0.q6 (100%) - - 9780.43 822
reserved-mc ( 0%) - - 0.12 0
bpdu ( 0%) - - 0.01 0
OcNOS#show policy-map statistics
Type qos class-map statistics:
+--------------------------------+-----------------+-----------------+-----------------+------------------+
| Class-map | Match pkts | Match bytes | Dropped pkts | Dropped Bytes |
+--------------------------------+-----------------+-----------------+-----------------+------------------+
Type queuing class-map statistics:
+--------------------------------+-----------------+-----------------+-----------------+------------------+
| Class-map | Total pkts | Total bytes | Dropped pkts | Dropped Bytes |
+--------------------------------+-----------------+-----------------+-----------------+------------------+
ce65
q6 1 90 0 0
xe4
q6 2 188 0 0
xe27
q6 1 90 0 0
xe30
q6 3 270 0 0
Type CoPP class-map statistics:
+--------------------------------+-----------------+-----------------+-----------------+------------------+
| Class-map | Total pkts | Total bytes | Dropped pkts | Dropped Bytes |
+--------------------------------+-----------------+-----------------+-----------------+------------------+
copp
c1 150861 224179446 -
Use the command clear interface cpu counters to clear the CPU counter rate and queue statistics, and clear qos statistics to clear the CoPP type policy-map statistics.
Verify that packets matching the deny action are dropped in hardware by using the show command below:
OcNOS#show hardware-discard-counters
Unit :0
+--------------------------------------------------+--------------------+
| Registers |Core 0 |
+--------------------------------------------------+--------------------+
CGM_VOQ_SRAM_ENQ_RJCT_PKT_CTR 88232
CGM_QNUM_NOT_VALID_PKT_CTR 88232
CoPP Policer Configuration
Follow these steps to configure CoPP policing:
1. Enter configuration mode:
# configure terminal
2. Create an IP access list named acl for CoPP:
(config)# ip copp access-list acl
3. Define an ACE to permit IP packets from any source to any destination:
(config-ip-copp-acl)# permit any any any
4. Exit access list configuration mode:
(config-ip-copp-acl)# exit
5. Enable QoS and statistics monitoring, then commit the changes:
(config)# qos enable
(config)# qos statistics
(config)# commit
6. Create a class-map named c1 for CoPP:
(config)# class-map type copp match-any c1
7. Associate the previously created access list acl with the class-map, then exit:
(config-cmap-copp)# match access-group acl
(config-cmap-copp)# exit
8. Create a policy-map named p1 for CoPP:
(config)# policy-map type copp p1
9. Attach the class-map c1 to the policy-map, then commit:
(config-pmap-copp)# class type copp c1
(config-pmap-copp)# commit
10. Configure the policer (rate limiting):
(config-pmap-c-copp)# police cir 100 kbps
(config-pmap-c-copp)# commit
CPU queue rate limits take precedence over CoPP policing configurations when the policer rate exceeds the allowed CPU queue limit. The final enforced rate is determined by the lower of the two values.
11. Enable the hardware-profile filter for CoPP:
(config)# hardware-profile filter ingress-ipv4-qos-copp enable
(config)# commit
12. Install the service-policy for policy-map p1:
(config)# copp service-policy p1
(config)# commit
(config)# end
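As an added illustration (Python written for this page, not OcNOS code), the following models the behaviour the two procedures above configure: ACEs are checked in ascending sequence order with first match winning, a deny discards the stream, a permit with no policer only counts it, and a permitted stream is capped at the lower of the class policer CIR and the CPU queue rate limit. The ACL lines and stream rates are constructed from values on this page; the 1000 kbps queue limit and the handling of a stream that matches no ACE are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    seq: int      # sequence number, as in the snapshot: "10 permit any 1.1.1.0/24 any"
    action: str   # "permit" or "deny"
    proto: str    # "any" or an IP protocol name such as "tcp"
    src: str      # "any", a host address or a prefix
    dst: str      # same forms as src
def parse_ace(line: str) -> Ace:
    """Parse '<seq> <action> <proto> <src> <dst>' as written in the configuration snapshot."""
    seq, action, proto, src, dst = line.split()
    assert action in ("permit", "deny"), f"unknown ACE action {action!r}"
    return Ace(int(seq), action, proto, src, dst)
def addr_matches(rule: str, addr: str) -> bool:
    """'any' matches everything; a host or prefix matches by containment."""
    return rule == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)
def first_match(acl: List[Ace], proto: str, src: str, dst: str) -> Optional[Ace]:
    """ACEs are evaluated in ascending sequence order; the first matching entry wins."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto in ("any", proto) and addr_matches(ace.src, src) and addr_matches(ace.dst, dst):
            return ace
    return None
def enforced_rate_kbps(police_cir_kbps: Optional[int], queue_limit_kbps: Optional[int]) -> float:
    """The lower of the class policer CIR and the CPU queue limit applies; neither means no CoPP cap."""
    limits = [r for r in (police_cir_kbps, queue_limit_kbps) if r is not None]
    return float(min(limits)) if limits else float("inf")
def apply_copp(acl, streams, police_cir_kbps=None, queue_limit_kbps=None):
    """Classify (proto, src, dst, offered kbps) streams; return (src, verdict, kbps to CPU, kbps discarded).
    Permit with no policer only counts; a stream matching no ACE is left uncapped (model assumption)."""
    cap = enforced_rate_kbps(police_cir_kbps, queue_limit_kbps)
    out = []
    for proto, src, dst, offered in streams:
        ace = first_match(acl, proto, src, dst)
        if ace is None:
            out.append((src, "unclassified", offered, 0))
        elif ace.action == "deny":
            out.append((src, "deny", 0, offered))
        else:
            passed = min(offered, cap)
            out.append((src, "permit", passed, offered - passed))
    return out

# Constructed inputs: the snapshot ACL plus the host ACE from step 3, and a stream whose
# 9780 kbps echoes the CPU0.q6 Tx rate seen on this page before the 100 kbps policer.
ACL = [parse_ace("10 permit any 1.1.1.0/24 any"), parse_ace("20 permit any 20.20.20.1 any"),
       parse_ace("30 deny any any any")]
STREAMS = [("udp", "1.1.1.5", "10.0.0.1", 9780), ("tcp", "20.20.20.1", "10.0.0.1", 50),
           ("icmp", "192.0.2.9", "10.0.0.1", 300)]
```

Calling apply_copp(ACL, STREAMS, police_cir_kbps=100, queue_limit_kbps=1000) shows the 9780 kbps stream cut to 100 kbps, the host stream passing unchanged, and the unmatched-by-permit stream discarded by the closing deny.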
Configuration Snapshot
!
hardware-profile filter ingress-ipv4-qos-copp enable
hardware-profile statistics voq-full-color enable
hardware-profile statistics cfm-ccm enable
!
qos enable
qos statistics
!
no ip domain-lookup
ip domain-lookup vrf management
tfo Disable
errdisable cause stp-bpdu-guard
copp service-policy p1
no feature telnet vrf management
no feature telnet
feature ssh vrf management
no feature ssh
feature dns relay
ip dns relay
ipv6 dns relay
feature ntp vrf management
ntp enable vrf management
!
ip copp access-list 1
10 permit any 1.1.1.0/24 any
!
class-map type copp match-any c1
match access-group 1
!
policy-map type copp p1
class type copp c1
police cir 100 kbps
exit
!
Validation
Verify the CoPP policer:
OcNOS#show int cpu counters queue-stats
E - Egress, I - Ingress, Q-Size is in bytes
+--------------------+--------+-----------------+-------------------+-----------------+-------------------+
| Queue/Class-map | Q-Size | Tx pkts | Tx bytes | Dropped pkts | Dropped bytes |
+--------------------+--------+-----------------+-------------------+-----------------+-------------------+
CPU0.q6 (E) 262144 14852 22070072 14702 21847172
reserved-mc (E) 2097152 20 1612 0 0
link-local (E) 1048576 4 304 0 0
bpdu (E) 1048576 1 143 0 0
OcNOS#
OcNOS#
OcNOS#show policy-map statistics
Type qos class-map statistics:
+--------------------------------+-----------------+-----------------+-----------------+------------------+
| Class-map | Match pkts | Match bytes | Dropped pkts | Dropped Bytes |
+--------------------------------+-----------------+-----------------+-----------------+------------------+
Type queuing class-map statistics:
+--------------------------------+-----------------+-----------------+-----------------+------------------+
| Class-map | Total pkts | Total bytes | Dropped pkts | Dropped Bytes |
+--------------------------------+-----------------+-----------------+-----------------+------------------+
ce67
q6 2 188 0 0
xe3
q6 1 98 0 0
Type CoPP class-map statistics:
+--------------------------------+-----------------+-----------------+-----------------+------------------+
| Class-map | Total pkts | Total bytes | Dropped pkts | Dropped Bytes |
+--------------------------------+-----------------+-----------------+-----------------+------------------+
copp
c1 16824 25000464 16655 24749330
OcNOS#
OcNOS#sh int cpu counters rate kbps
Load interval: 30 second
+-------------------+--------------+-------------+--------------+-------------+
| CPU Queue(%) | Rx kbps | Rx pps | Tx kbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
CPU0.q6 ( 10%) - - 97.37 7
reserved-mc ( 0%) - - 0.49 0
link-local ( 0%) - - 0.09 0
bpdu ( 0%) - - 0.04 0
OcNOS#
OcNOS#show int cpu counters queue-drop-stats
+-------------------+----------------+----------------+---------------------+
| Queue Name | Count | Last Increment | Last Increment Time |
+-------------------+----------------+----------------+---------------------+
CPU0.q6 293 62 0
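As an added helper (Python written for this page, not part of OcNOS), the following parses the "Type CoPP class-map statistics" section of show policy-map statistics as shown in the two validations above and flags classes whose drop ratio shows a stream being policed hard. The sample texts are constructed from the values on this page; the row regular expression assumes the whitespace-separated layout shown, with "-" where a counter is absent.

```python
import re

# Constructed samples in the shape of the 'show policy-map statistics' output on this page
# (CoPP section), one from the policer validation and one from the permit-only validation.
SAMPLE_POLICED = """\
Type CoPP class-map statistics:
| Class-map | Total pkts | Total bytes | Dropped pkts | Dropped Bytes |
+----------+------------+-------------+--------------+---------------+
copp
c1 16824 25000464 16655 24749330
OcNOS#
"""
SAMPLE_PERMIT_ONLY = """\
Type queuing class-map statistics:
xe4
q6 2 188 0 0
Type CoPP class-map statistics:
copp
c1 150861 224179446 -
"""
# class name, total pkts, total bytes, then optional dropped pkts / dropped bytes ('-' when absent)
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)(?:\s+(\d+|-))?(?:\s+(\d+|-))?$")

def parse_copp_stats(text):
    """Return {class: {pkts, bytes, dropped_pkts, dropped_bytes}} from the CoPP section only."""
    stats, in_copp = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Type "):
            in_copp = line.startswith("Type CoPP")  # qos and queuing sections are skipped
            continue
        if not in_copp or not line or line[0] in "+|" or line.startswith("OcNOS#"):
            continue
        m = ROW.match(line)
        if not m:
            continue  # e.g. the bare 'copp' policy-name line above the class rows
        name, pkts, nbytes, dp, db = m.groups()
        as_int = lambda v: None if v in (None, "-") else int(v)
        stats[name] = {"pkts": int(pkts), "bytes": int(nbytes),
                       "dropped_pkts": as_int(dp), "dropped_bytes": as_int(db)}
    return stats
def drop_ratio(entry):
    """Fraction of classified packets discarded; None when the class reports no drop counter."""
    if entry["dropped_pkts"] is None or entry["pkts"] == 0:
        return None
    return entry["dropped_pkts"] / entry["pkts"]
def classes_over_threshold(text, threshold):
    """Classes whose drop ratio exceeds threshold: a stream is being policed hard and is worth a look."""
    return [n for n, e in parse_copp_stats(text).items()
            if drop_ratio(e) is not None and drop_ratio(e) > threshold]
```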
Implementation Example
- To prevent a specific stream from consuming the CPU queue's allocated bandwidth for any protocol, classify packets based on their source and destination IP addresses. Then, apply a policer in the ACL to enforce rate limits, ensuring traffic is controlled before it impacts CPU queue performance.
- To monitor the traffic volume of each protocol from a specific source IP or involving fragments, CoPP ACLs can be configured with a permit rule and no action. This setup implicitly enables the count action, which records the total amount of classified traffic reaching the CPU. Based on the results, the administrator can apply a policer to control the streams or deny packets from a specific source or destined for a particular L4 port.