Documente Academic
Documente Profesional
Documente Cultură
Task
Enhance R3 protection by dropping packets going to all closed ports.
Ensure that this does not affect connections made on ports 3020 and 4040.
To reduce the effect of broadcast storms, limit the rate of input non-IP packets to 100 per second.
Set the queue-limit for input HTTP packets to 100 packets and limit the packet rate to 10 per
second.
Ensure that all fragmented packets transiting the router are limited to 1 Mpps.
Notice that in the above configuration, the police command specifies the rate in packets per second
and the burst size in packets. This police command is only applicable to the control-plane policy. In
addition to the input policy, you can also configure output policing and limit the rate of the packets
produced by the routers control plane.
Using the demonstrated aggregate form of policing alone, you increase the level of your routers
protection. However, CPPr extends CPP and makes it even more granular. CPPr treats the Route
Processor (RP) as a virtual interface attached to the router. All packets redirected to the RP are
classified into three categories corresponding to three subinterfaces of the virtual interface:
Control-plane host subinterface. This interface receives all control-plane TCP/UDP traffic that is
directly destined for one of the router interfaces. Examples of control-plane host traffic include
management traffic and routing protocols. Note however, that non-TCP/UDP control traffic will end
up on the CEF-exception sub-interface. Most control plane protection features operate on this
subinterface, and thus this subinterface provides more features, such as policing, port filtering, and
per-protocol queue thresholds.
Port-filtering allows for automatically dropping of packets destined for the TCP/UDP ports not
currently open in the router. The operating system automatically detects all open ports, and you
can manually configure some exceptions. The net effect is reduced load on the routers CPU during
the times of flooding attacks.
Per-protocol queue thresholds allow setting of selective queue limits for packets of different type,
such as BGP, OSPF, FTP, DNS, HTTP, IGMP, SNMP, and so on.
Control-plane transit subinterface. This subinterface is intended to handle transit IP packets not
handled via the CEF mechanism that need to be switching in the processor context. This might
happen, for instance, when a packet must be routed out of Ethernet interface and no ARP lookup
has been made yet for the next-hop, making the CEF adjacency incomplete.
Control-plane CEF exception subinterface. This is where packets causing an exception in CEF
switching path land. So far, this includes non-IP router-destined traffic, such as CDP, L2 keepalive
messages (such as Frame-Relay LMI keepalives) or ARP packets and IP packets with options or
TTL <=1. Additionally, non-UDP local multicast traffic destined to the router (such as OSPF
updates) falls into this category as well.
You may apply a separate rate-limiting policy to any of the sub-interfaces or have a single
aggregate policy embracing all subinterfaces (classic control plane policing). It is possible to
configure both the subinterface and aggregate policy, but this feature can be unstable in many
12.4T images. It's better practice to configure either aggregate or subinterface-specific policies.
Before any packet reaches any specific control plane subinterface, it is first processed via a series
of ingress features including input access-list, uRP checks, and aggregate control-plane policy.
After passing the subinterface-specific policy, the packet is enqueued onto the respective interface
input queue and handled via SPD (selective packet discard) policy.
Now we move on to our task. Start by defining class-maps to select control-plane traffic. Those are
regular L3/L4 class-maps, matching access-lists/DSCP values, etc. You cannot use NBAR for
control-plane traffic classification. Next, define a regular policy map and assign classes to it,
applying the desired actions. The policing command is the same as described above, based on
packet rate per second. However, after this the configuration begins to differ. First you must create
a class-map defining the ports to be filtered. The command is
class-map type port-filter [match-all | match-any] <NAME>.
The first match command auto-detects all open ports in the system and selects all other ports as
closed. To check the ports currently detected as open, use the command
show control-plane host open ports. As you can see, you may add your own ports using the
match port statement. You can also use the match not port command to unblock a port that
is not automatically detected by the system as open. For example, if you have a rotary-group 30
configured on a VTY line, you might want to make sure that TCP port 3020 is not blocked. You can
use the following configuration.
To apply the port filtering settings, create a port-filtering policy-map and apply it to the host controlplane subinterface.
This configuration will effectively drop all packets destined to closed ports before affecting the
routers CPU. The last feature to discuss is per-protocol input queue thresholds. As mentioned,
those allow for differentiated per-protocol services on the control-plane host interface. To define a
queue threshold, first create a special queue-threshold class-map. This class-map should match
one or many of the supported protocols.
As you can see, the list is pretty extensive. You can use the special command
match host-protocols to select all TCP/UDP-based protocols running on the router and set a
queue threshold for those. Packets are classified when they enter the router and are redirected to
the host subinterface. After you have the special class-map defined, you may configure a special
queue-threshold policy-map and apply it to the host subinterface:
The queue limit is set in packets. This is the separate limit enforced for this particular protocol in
the common input queue. There could be only one input queue-threshold policy-map, but you can
configure every class with a separate limit.
R3:
!
! ACL to select fragmented IP packets
!
policy-map CEF_EXCEPTION_RATE_LIMIT
class class-default
police rate 100 pps burst 20 packets
!
policy-map TRANSIT_RATE_LIMIT
class FRAGMENTS
police rate 1000000 pps
!
! Applying the policies together
!
control-plane host
service-policy input HOST_RATE_LIMIT
service-policy type queue-threshold input HOST_QUEUE_THRESHOLD
service-policy type port-filter input HOST_PORT_FILTER
!
control-plane transit
service-policy input TRANSIT_RATE_LIMIT
!
control-plane cef-exception
service-policy input CEF_EXCEPTION_RATE_LIMIT
To verify, configure an HTTP server in R3 and simulate an HTTP connection from R1 to R3.
R3:
R3(config)#
R3(config)#ip http server
R3(config)#
R1:
R1#telnet 136.1.13.3 80
Trying 136.1.13.3, 80 ... Open
GET http://1
HTTP/1.1 400 Bad Request
Date: Wed, 16 Jan 2013 18:58:34 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 136.1.13.3 closed by foreign host]
R1#
Check the port-filter policy map applied to the host subinterface. To do this, configure R3 to listen
on port 3020 by setting up a rotary group number on any VTY line. Notice that the list of autodetected open ports does not include the ports manually added to the policy-map.
R3:
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#line vty 0
R3(config-line)# rotary 20
R3(config-line)#end
R3#
R3#
R3#show control-plane host open-ports
Active internet connections (servers and established)
Prot
vice
R3#
*:0
Te
*:80
*:0
HTTP
*:80
*:0
HTTP
*:1975
*:0
LISTEN
udp
IPC
*:23
LISTEN
tcp
CORE
Ser
LISTEN
tcp
CORE
Foreign Address
State
tcp
lnet
Local Address
LISTEN
R1:
Check the queue thresholds for HTTP traffic class next. Notice that there are matches because we
connected to the router using HTTP.
R3#
R3#show policy-map type queue-threshold control-plane host
queue-limit 100
queue-count 0
Check the CEF-exceptions subinterface statistics. There are packets matching this sub-interface
because all non-IP keepalives, CDP packets, non-IP multicast hit this interface.