Pages

Monday, 8 February 2016

Control Plane Protection (CPPr)

CPPr provides the ability to restrict and/or police traffic destined for the route processor of the IOS device. Simply put it provides a way of hardening your IOS device.

It is fairly similar to CoPP, although provides the benefit of being able to provide more granular control.

CPPr divides the control-plane into three categories, known as subinterfaces:

Host subinterface: This subinterface receives incoming traffic from one of the devices interfaces - this traffic is typically services like SSH, Telnet, OSPF, VPN Terminations etc. (This excludes layer 2 traffic like CDP and ARP - they are classed within the CEF-exception subinterface)

Transit subinterface: This subinterface controls all of the IP traffic that is traversing the router that has been switched by the route processor - but not actually traffic that is destined directly for the router.
CEF-exception subinterface: This subinterface receives traffic that is either redirected as a result of a configured input feature in the CEF packet forwarding path for process switching or directly enqueued in the control plane input queue by the interface driver (that is, ARP, external BGP (eBGP), OSPF, LDP, Layer2 Keepalives, and all non-IP host traffic). Control plane protection allows specific aggregate policing of this type of control plane traffic.
CPPr comprises of three main features:

Port-filtering - This provides enhanced protection by allowing the device to drop packets destined for closed or non-listening TCP/UDP ports of the device earlier. This feature is exclusive to the host subinterface.

Queue-thresholding - This provides a ay of limiting the number of unprocessed packets a protocol can have a process-level. This provides the benifit of ensuring that no one single protocol can consume all of the bandwidth - preventing other protocols from working. Again this can only be applied on the host subinterface.

Aggregate control-plane services - Control-plane policing provides granualr control over control-plane traffic destined for any one of the subinterfaces. And hence can be used on any control-plane traffic types (including layer 2 traffic such as CDP, ARP and so on.)

Sources: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t4/htcpp.html

No comments:

Post a Comment