Control Plane Policing
IP addresses and OSPF are already preconfigured.
1. On R2, configure CoPP to drop ICMP above 64Kbps and SSH above 32Kbps. However, Lo1 (1.1.1.2) is a “management station” which needs unrestricted access to R2, so you should not rate-limit ICMP and SSH from 1.1.1.2. When pinging 2.2.2.2 from Lo0 on R1 with a size of 1000 bytes (8000 bits), only 8 pings should get through per second. However, pings from Lo1 should work with no drops. Note that to achieve 8 pings with the 9th ping lost, I had to adjust the burst size.
R1#ping 2.2.2.2 source lo0 size 1000 timeout 1 repeat 27
Type escape sequence to abort.
Sending 27, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!.!!!!!!!!.!!!!!!!!.
Success rate is 88 percent (24/27), round-trip min/avg/max = 1/1/11 ms
R1#ping 2.2.2.2 source lo1 size 1000 timeout 1 repeat 27
Type escape sequence to abort.
Sending 27, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (27/27), round-trip min/avg/max = 1/1/9 ms
2. On XR, we cannot police traffic based on the source address. Instead, simply limit ICMP to 10 pps and unestablished SSH traffic to 20 pps. When pinging R3, I am only able to get 8 pings to go through, not 10. I believe this is because the burst size is not configurable.
R1#ping 3.3.3.3 source lo0 timeout 1 repeat 40 size 1000
Type escape sequence to abort.
Sending 40, 1000-byte ICMP Echos to 3.3.3.3, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!
Success rate is 90 percent (36/40), round-trip min/avg/max = 3/5/14 ms
Verify that ICMP traffic is dropped and that the SSH rate has changed.
You need to perform different policing rates on ICMP and SSH, and also permit traffic from 1.1.1.2 unrestricted. I created three ACLs: one matching ICMP, one matching SSH, and one for permitted hosts.
Extended IP access list icmp
10 permit icmp any any
Extended IP access list permited-hosts
10 permit ip any host 1.1.1.2
Extended IP access list ssh
10 permit tcp any any eq 22
Strangely, the permited-hosts logic is backwards. 1.1.1.2 is used as a destination. This is the only way traffic would match for me. When I used 1.1.1.2 any, I never got hits.
Next I created three class-maps (not shown) and a single policy-map.
R2#show policy-map control-plane
Control Plane
Service-policy input: CoPP
Class-map: permited-hosts (match-all)
74 packets, 74000 bytes
5 minute offered rate 0000 bps
Match: access-group name permited-hosts
Class-map: icmp (match-all)
743 packets, 743000 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name icmp
police:
cir 64000 bps, bc 8000 bytes
conformed 652 packets, 652000 bytes; actions:
transmit
exceeded 100 packets, 100000 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
Class-map: ssh (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name ssh
police:
cir 32000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
show run | sec policy-map
policy-map CoPP
! By not specifying anything under permited hosts, no policing is taking place.
! It is important that permited-hosts is at the top so that traffic from 1.1.1.2 isn't rate limited.
class permited-hosts
class icmp
police cir 64000 bc 8000 conform-action transmit exceed-action drop
class ssh
police 32000 conform-action transmit exceed-action drop
To achieve 8 consecutive pings I increased the burst size (bc) for icmp. Otherwise, the default burst size was too low and after two pings, the bps rate was exceeded at the fractional-second level. (The router polices on sub-second intervals, so for example 64000/8 = 8000 bits can be exceeded within 1/8 of a second even though the one-second average is under 64 Kbps.)
To test this hypothesis, I used a VyOS router which allows for a configurable ping interval. If I ping at an interval of 1/9 seconds (0.111 repeating) with 1000-byte packets, then the burst rate is not exceeded and I can fit 8 pings into a second, with the 9th packet dropping.
! From the CSR1000v, pings are sent too quickly:
R1#ping 2.2.2.2 source lo0 size 1000 timeout 1 repeat 10
Type escape sequence to abort.
Sending 10, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.1
!!.!!.!!.!
Success rate is 70 percent (7/10), round-trip min/avg/max = 1/1/2 ms
! From VyOS I can tune the ping interval. At .111 seconds, the ninth ping is dropped.
vyos@vyos:~$ ping 2.2.2.2 interval .111 size 1000
PING 2.2.2.2 (2.2.2.2) 1000(1028) bytes of data.
1008 bytes from 2.2.2.2: icmp_seq=1 ttl=254 time=1.38 ms
1008 bytes from 2.2.2.2: icmp_seq=2 ttl=254 time=1.56 ms
1008 bytes from 2.2.2.2: icmp_seq=3 ttl=254 time=2.07 ms
1008 bytes from 2.2.2.2: icmp_seq=4 ttl=254 time=1.98 ms
1008 bytes from 2.2.2.2: icmp_seq=5 ttl=254 time=1.83 ms
1008 bytes from 2.2.2.2: icmp_seq=6 ttl=254 time=2.16 ms
1008 bytes from 2.2.2.2: icmp_seq=7 ttl=254 time=2.42 ms
1008 bytes from 2.2.2.2: icmp_seq=8 ttl=254 time=2.24 ms
1008 bytes from 2.2.2.2: icmp_seq=10 ttl=254 time=2.08 ms
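To make the burst-size reasoning above concrete, here is an added token-bucket model of the single-rate `police cir <bps> bc <bytes>` policer (my own constructed simulation, not Cisco code). It replays the IOS ping behaviour: the next echo goes out about one RTT after a reply, or only after the full 1-second timeout when an echo is dropped, which is what refills the bucket between bursts. The 2000-byte "default" burst is an assumption (cir/32 bytes, consistent with the 1500-byte minimum shown for the 32000 bps class), not a value taken from the page.

```python
# Token-bucket model of the IOS single-rate policer used in the CoPP policy.
# Constructed example; refill/drain arithmetic is the standard token bucket.
from dataclasses import dataclass, field


@dataclass
class Policer:
    cir_bps: int                 # committed information rate, bits/s
    bc_bytes: int                # committed burst (bucket depth), bytes
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)   # bucket starts full

    def offer(self, t: float, size: int) -> bool:
        """True if a `size`-byte packet arriving at time t conforms."""
        # Refill with cir/8 bytes per second of elapsed time, capped at Bc.
        refill = (t - self.last_t) * self.cir_bps / 8
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True              # conform-action transmit
        return False                 # exceed-action drop


def ios_ping_pattern(policer: Policer, count: int, size: int,
                     rtt: float = 0.001, timeout: float = 1.0) -> str:
    """Emulate `ping ... size <size> timeout 1 repeat <count>` output.

    A reply ('!') lets IOS send the next echo after ~rtt; a drop ('.')
    waits the full timeout, during which the bucket refills.
    """
    out, t = [], 0.0
    for _ in range(count):
        if policer.offer(t, size):
            out.append("!")
            t += rtt
        else:
            out.append(".")
            t += timeout
    return "".join(out)


if __name__ == "__main__":
    # bc 8000: eight 1000-byte echoes fit, the 9th exceeds, then the
    # 1-second timeout refills 8000 bytes/s x 1 s = a full bucket.
    print(ios_ping_pattern(Policer(64000, 8000), 27, 1000))
    # Assumed 2000-byte default burst: only two echoes per burst.
    print(ios_ping_pattern(Policer(64000, 2000), 10, 1000))
```

Both printed patterns match the router output shown earlier, which is the point: the one-second average never changes, only how many back-to-back packets the bucket can absorb.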
LPTS is much simpler to configure on XR.
lpts pifib hardware police
flow icmp local rate 10
flow ssh default rate 20
To verify, use the following show command:
RP/0/RP0/CPU0:XR3#show lpts pifib hardware police location 0/0/CPU0 | in "SSH|---|flow_type"
Tue Nov 8 14:07:26.160 UTC
-------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ ----------- --------- ----------
flow_type priority sw_police_id hw_policer_addr Cur. Rate burst static_avgrate avgrate_type AggrAccepts AggrDrops TOS Value
-------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ ----------- --------- ----------
SSH-known medium 27 240 300 150 300 Static 0 0 01234567
SSH-default low 28 241 20 100 200 Global 0 0 01234567
RP/0/RP0/CPU0:XR3#show lpts pifib hardware police location 0/0/CPU0 | in "ICMP|---|flow_type"
Tue Nov 8 14:20:57.928 UTC
-------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ ----------- --------- ----------
flow_type priority sw_police_id hw_policer_addr Cur. Rate burst static_avgrate avgrate_type AggrAccepts AggrDrops TOS Value
-------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ ----------- --------- ----------
ICMP-local medium 12 225 10 750 1500 Global 112 12 01234567
ICMP-control high 40 253 1000 500 1000 Static 0 0 01234567
ICMP-app low 52 265 1500 750 1500 Static 0 0 01234567
ICMP-default low 53 266 1500 750 1500 Static 0 0 01234567
ICMP-app-default low 90 303 1500 750 1500 Static 0 0 01234567