# Control Plane Policing

#### Lab file

{% file src="/files/nKt6EZPkGa9niqHVRKEI" %}

#### Startup configs

{% file src="/files/ZRb3kozTy5BvdwYKzZL8" %}

IP addresses and OSPF are already preconfigured.

<figure><img src="/files/LrirwXlpfhPKRIRmZXuU" alt=""><figcaption></figcaption></figure>

1. On R2, configure CoPP to drop ICMP above 64Kbps and SSH above 32Kbps. However, Lo1 (1.1.1.2) is a “management station” which needs unrestricted access to R2, so you should not rate-limit ICMP and SSH from 1.1.1.2.\
   \
   When pinging 2.2.2.2 from Lo0 on R1 with a size of 1000 bytes (8000 bits), only 8 pings should get through per second. However, pings from Lo1 should work with no drops. Note that to achieve 8 pings with the 9th ping lost, I had to adjust the burst size.

```
R1#ping 2.2.2.2 source lo0 size 1000 timeout 1 repeat 27 
Type escape sequence to abort.
Sending 27, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!!!!.!!!!!!!!.!!!!!!!!.
Success rate is 88 percent (24/27), round-trip min/avg/max = 1/1/11 ms

R1#ping 2.2.2.2 source lo1 size 1000 timeout 1 repeat 27
Type escape sequence to abort.
Sending 27, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.2 
!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (27/27), round-trip min/avg/max = 1/1/9 m
```

2\. On XR, we cannot police traffic based on the source address. Instead, simply limit ICMP to 10 pps and unestablished SSH traffic to 20 pps.\
\
When pinging R3, I am only able to get 8 pings to go through, not 10. I believe this is because the burst size is not configurable.

```
R1#ping 3.3.3.3 source lo0 timeout 1 repeat 40 size 1000
Type escape sequence to abort.
Sending 40, 1000-byte ICMP Echos to 3.3.3.3, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!
Success rate is 90 percent (36/40), round-trip min/avg/max = 3/5/14 ms
```

Verify that ICMP traffic is dropped and that the SSH rate has changed.

### Answers <a href="#id-3f19a364-2ac5-4387-80f2-7b7b294c95eb" id="id-3f19a364-2ac5-4387-80f2-7b7b294c95eb"></a>

1. You need to perform different policing rates on ICMP and SSH, and also permit traffic from 1.1.1.2 unrestricted. I created three ACLs: one matching ICMP, one matching SSH, and one for permitted hosts.

   ```
   Extended IP access list icmp
       10 permit icmp any any
   Extended IP access list permited-hosts
       10 permit ip any host 1.1.1.2
   Extended IP access list ssh
       10 permit tcp any any eq 22
   ```

   \
   Strangely, the permited-hosts logic is backwards. 1.1.1.2 is used as a destination. This is the only way traffic would match for me. When I used **1.1.1.2 any**, I never got hits.

   Next I created three class-maps (not shown) and a single policy-map.

   ```
   R2#show policy-map control-plane 
    Control Plane 

     Service-policy input: CoPP

       Class-map: permited-hosts (match-all)  
         74 packets, 74000 bytes
         5 minute offered rate 0000 bps
         Match: access-group name permited-hosts

       Class-map: icmp (match-all)  
         743 packets, 743000 bytes
         5 minute offered rate 0000 bps, drop rate 0000 bps
         Match: access-group name icmp
         police:
             cir 64000 bps, bc 8000 bytes
           conformed 652 packets, 652000 bytes; actions:
             transmit 
           exceeded 100 packets, 100000 bytes; actions:
             drop 
           conformed 0000 bps, exceeded 0000 bps

       Class-map: ssh (match-all)  
         0 packets, 0 bytes
         5 minute offered rate 0000 bps, drop rate 0000 bps
         Match: access-group name ssh
         police:
             cir 32000 bps, bc 1500 bytes
           conformed 0 packets, 0 bytes; actions:
             transmit 
           exceeded 0 packets, 0 bytes; actions:
             drop 
           conformed 0000 bps, exceeded 0000 bps

   show run | sec policy-map
   policy-map CoPP
    ! By not specifying anything under permited hosts, no policing is taking place.
    ! It is important that permited-hosts is at the top so that traffic from 1.1.1.2 isn't rate limited.
    class permited-hosts
    class icmp
     police cir 64000 bc 8000 conform-action transmit  exceed-action drop 
    class ssh
     police 32000 conform-action transmit  exceed-action drop
   ```

   \
   To achieve 8 consecutive pings I increased the burst size (bc) for the icmp class. Otherwise, the default burst size was too low, and after two pings the rate was already exceeded at the fractional-second level. (The router polices over fractions of a second: at 64000 bps only 64000/8 = 8000 bits are allowed per 1/8 of a second, so two 1000-byte pings arriving within that window exceed the rate.)

   To test this hypothesis, I used a VyOS router, which allows a configurable ping interval. If I ping at an interval of 1/9 seconds (0.111 repeating) with 1000-byte packets, then the burst size is not exceeded and I can fit 8 pings into a second, with the 9th packet dropping.

   ```
   ! From the CSR1000v, pings are sent too quickly:
   R1#ping 2.2.2.2 source lo0 size 1000 timeout 1 repeat 10
   Type escape sequence to abort.
   Sending 10, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
   Packet sent with a source address of 1.1.1.1 
   !!.!!.!!.!
   Success rate is 70 percent (7/10), round-trip min/avg/max = 1/1/2 ms

   ! From VyOS I can tune the ping interval. At .111 seconds, the ninth ping is dropped.
   vyos@vyos:~$ ping 2.2.2.2 interval .111 size 1000
   PING 2.2.2.2 (2.2.2.2) 1000(1028) bytes of data.
   1008 bytes from 2.2.2.2: icmp_seq=1 ttl=254 time=1.38 ms
   1008 bytes from 2.2.2.2: icmp_seq=2 ttl=254 time=1.56 ms
   1008 bytes from 2.2.2.2: icmp_seq=3 ttl=254 time=2.07 ms
   1008 bytes from 2.2.2.2: icmp_seq=4 ttl=254 time=1.98 ms
   1008 bytes from 2.2.2.2: icmp_seq=5 ttl=254 time=1.83 ms
   1008 bytes from 2.2.2.2: icmp_seq=6 ttl=254 time=2.16 ms
   1008 bytes from 2.2.2.2: icmp_seq=7 ttl=254 time=2.42 ms
   1008 bytes from 2.2.2.2: icmp_seq=8 ttl=254 time=2.24 ms
   1008 bytes from 2.2.2.2: icmp_seq=10 ttl=254 time=2.08 ms
   ```

2. LPTS is much simpler to configure on XR.

   ```
   lpts pifib hardware police
    flow icmp local rate 10
    flow ssh default rate 20
   ```

   \
   To verify, use the following show command:

   ```
   RP/0/RP0/CPU0:XR3#show lpts pifib hardware police location 0/0/CPU0 | in "SSH|---|flow_type" 
   Tue Nov  8 14:07:26.160 UTC
   -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ----------
   flow_type            priority sw_police_id hw_policer_addr Cur. Rate  burst static_avgrate avgrate_type AggrAccepts   AggrDrops     TOS Value 
   -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ---------- 
   SSH-known            medium   27           240             300        150   300            Static       0             0             01234567  
   SSH-default          low      28           241             20         100   200            Global       0             0             01234567

   RP/0/RP0/CPU0:XR3#show lpts pifib hardware police location 0/0/CPU0 | in "ICMP|---|flow_type"
   Tue Nov  8 14:20:57.928 UTC
   -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ----------
   flow_type            priority sw_police_id hw_policer_addr Cur. Rate  burst static_avgrate avgrate_type AggrAccepts   AggrDrops     TOS Value 
   -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ---------- 
   ICMP-local           medium   12           225             10         750   1500           Global       112           12            01234567  
   ICMP-control         high     40           253             1000       500   1000           Static       0             0             01234567  
   ICMP-app             low      52           265             1500       750   1500           Static       0             0             01234567  
   ICMP-default         low      53           266             1500       750   1500           Static       0             0             01234567  
   ICMP-app-default     low      90           303             1500       750   1500           Static       0             0             01234567
   ```
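To automate the verification step for task 1 (is the icmp class dropping packets while the permitted-hosts class stays unpoliced?), here is an added example that is not part of the lab or of Cisco's tooling: a Python parser for the `show policy-map control-plane` counter block shown above, plus a helper that reports how much each class's exceeded counter grew between two polls, which is what a monitoring job would alert on. The two snapshots embedded in it are constructed in that output format, not captured from R2.

```python
import re
from dataclasses import dataclass

CLASS_RE = re.compile(r"^\s*Class-map: (\S+)")
CONFORM_RE = re.compile(r"^\s*conformed (\d+) packets")
EXCEED_RE = re.compile(r"^\s*exceeded (\d+) packets")

@dataclass
class ClassCounters:
    conformed: int = 0
    exceeded: int = 0
    policed: bool = False  # set when a "police:" block is present for the class

    def drop_ratio(self) -> float:
        total = self.conformed + self.exceeded
        return self.exceeded / total if total else 0.0

def parse_copp(text: str) -> dict:
    """Return {class name: ClassCounters} from `show policy-map control-plane` output."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = classes.setdefault(m.group(1), ClassCounters())
        elif current is None:
            continue  # header lines before the first class (service-policy name etc.)
        elif line.strip() == "police:":
            current.policed = True
        elif m := CONFORM_RE.match(line):
            current.conformed = int(m.group(1))
        elif m := EXCEED_RE.match(line):
            current.exceeded = int(m.group(1))
    return classes

def new_drops(prev: dict, curr: dict) -> dict:
    """Per-class growth of the exceeded counter between two polls of the same router."""
    return {n: c.exceeded - prev[n].exceeded for n, c in curr.items() if n in prev}

# Constructed snapshots in the format of the show output above (not real router output).
SNAPSHOT_T0 = """\
    Class-map: permited-hosts (match-all)
      74 packets, 74000 bytes
    Class-map: icmp (match-all)
      743 packets, 743000 bytes
      police:
          cir 64000 bps, bc 8000 bytes
        conformed 652 packets, 652000 bytes; actions:
        exceeded 100 packets, 100000 bytes; actions:
"""
# The same router polled again: 100 more ICMP packets conformed and 300 more were dropped.
SNAPSHOT_T1 = SNAPSHOT_T0.replace("652 packets", "752 packets").replace("100 packets", "400 packets")
```

Polling the command over SSH and feeding each capture to `parse_copp`, then comparing with `new_drops`, shows whether the exceeded counter is still climbing after the test traffic stops, which is the signal worth alerting on.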
