The (Unofficial) CCNP-SP Study Guide

Control Plane Policing

Last updated 2 years ago

Lab file

Startup configs

IP addresses and OSPF are already preconfigured.

  1. On R2, configure CoPP to drop ICMP above 64 Kbps and SSH above 32 Kbps. However, Lo1 (1.1.1.2) is a "management station" which needs unrestricted access to R2, so you should not rate-limit ICMP and SSH from 1.1.1.2. When pinging 2.2.2.2 from Lo0 on R1 with a size of 1000 bytes (8000 bits), only 8 pings should get through per second. However, pings from Lo1 should work with no drops. Note that to achieve 8 pings with the 9th ping lost, I had to adjust the burst size.

R1#ping 2.2.2.2 source lo0 size 1000 timeout 1 repeat 27 
Type escape sequence to abort.
Sending 27, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!!!!.!!!!!!!!.!!!!!!!!.
Success rate is 88 percent (24/27), round-trip min/avg/max = 1/1/11 ms

R1#ping 2.2.2.2 source lo1 size 1000 timeout 1 repeat 27
Type escape sequence to abort.
Sending 27, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.2 
!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (27/27), round-trip min/avg/max = 1/1/9 m

  2. On XR, we cannot police traffic based on the source address. Instead, simply limit ICMP to 10 pps and unestablished SSH traffic to 20 pps. When pinging R3, I am only able to get 8 pings to go through, not 10. I believe this is because the burst size is not configurable.

R1#ping 3.3.3.3 source lo0 timeout 1 repeat 40 size 1000
Type escape sequence to abort.
Sending 40, 1000-byte ICMP Echos to 3.3.3.3, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!
Success rate is 90 percent (36/40), round-trip min/avg/max = 3/5/14 ms

Verify that ICMP traffic is dropped and that the SSH rate has changed.

Answers

  1. You need to apply different policing rates to ICMP and SSH, and also permit traffic from 1.1.1.2 unrestricted. I created three ACLs: one matching ICMP, one matching SSH, and one for permitted hosts.

    Extended IP access list icmp
        10 permit icmp any any
    Extended IP access list permited-hosts
        10 permit ip any host 1.1.1.2
    Extended IP access list ssh
        10 permit tcp any any eq 22

    Strangely, the permited-hosts logic is backwards. 1.1.1.2 is used as a destination. This is the only way traffic would match for me. When I used 1.1.1.2 any, I never got hits.

    Next I created three class-maps (not shown) and a single policy-map.

    R2#show policy-map control-plane 
     Control Plane 
    
      Service-policy input: CoPP
    
        Class-map: permited-hosts (match-all)  
          74 packets, 74000 bytes
          5 minute offered rate 0000 bps
          Match: access-group name permited-hosts
    
        Class-map: icmp (match-all)  
          743 packets, 743000 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group name icmp
          police:
              cir 64000 bps, bc 8000 bytes
            conformed 652 packets, 652000 bytes; actions:
              transmit 
            exceeded 100 packets, 100000 bytes; actions:
              drop 
            conformed 0000 bps, exceeded 0000 bps
    
        Class-map: ssh (match-all)  
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group name ssh
          police:
              cir 32000 bps, bc 1500 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit 
            exceeded 0 packets, 0 bytes; actions:
              drop 
            conformed 0000 bps, exceeded 0000 bps
    
    show run | sec policy-map
    policy-map CoPP
     ! By not specifying anything under permited hosts, no policing is taking place.
     ! It is important that permited-hosts is at the top so that traffic from 1.1.1.2 isn't rate limited.
     class permited-hosts
     class icmp
      police cir 64000 bc 8000 conform-action transmit  exceed-action drop 
     class ssh
      police 32000 conform-action transmit  exceed-action drop

    To achieve 8 consecutive pings I increased the burst size (bc) for icmp. Otherwise, the default burst size was too low and after two pings the bps rate was already exceeded at the fractional-second level. (The router polices at sub-second granularity, so the allowance of 64000/8 bits per 1/8 of a second was being exceeded.)

    To test this hypothesis, I used a VyOS router which allows for a configurable ping interval. If I ping at an interval of 1/9 seconds (0.111 repeating) with 1000-byte packets, then the burst size is not exceeded and I can fit 8 pings into a second, with the 9th packet dropping.

    ! From the CSR1000v, pings are sent too quickly:
    R1#ping 2.2.2.2 source lo0 size 1000 timeout 1 repeat 10
    Type escape sequence to abort.
    Sending 10, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
    Packet sent with a source address of 1.1.1.1 
    !!.!!.!!.!
    Success rate is 70 percent (7/10), round-trip min/avg/max = 1/1/2 ms
    
    ! From VyOS I can tune the ping interval. At .111 seconds, the ninth ping is dropped.
    vyos@vyos:~$ ping 2.2.2.2 interval .111 size 1000
    PING 2.2.2.2 (2.2.2.2) 1000(1028) bytes of data.
    1008 bytes from 2.2.2.2: icmp_seq=1 ttl=254 time=1.38 ms
    1008 bytes from 2.2.2.2: icmp_seq=2 ttl=254 time=1.56 ms
    1008 bytes from 2.2.2.2: icmp_seq=3 ttl=254 time=2.07 ms
    1008 bytes from 2.2.2.2: icmp_seq=4 ttl=254 time=1.98 ms
    1008 bytes from 2.2.2.2: icmp_seq=5 ttl=254 time=1.83 ms
    1008 bytes from 2.2.2.2: icmp_seq=6 ttl=254 time=2.16 ms
    1008 bytes from 2.2.2.2: icmp_seq=7 ttl=254 time=2.42 ms
    1008 bytes from 2.2.2.2: icmp_seq=8 ttl=254 time=2.24 ms
    1008 bytes from 2.2.2.2: icmp_seq=10 ttl=254 time=2.08 ms
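The burst behaviour above can be checked against a plain single-rate token bucket. The following is an added example, not code from the study guide: it models the IOS `police cir <bps> bc <bytes>` bucket and replays the R1 ping loop against it. Assumptions (constructed): a conforming ping is answered in about 1 ms, a dropped ping waits the full 1 s timeout, and the default Bc for cir 64000 is 2000 bytes (CIR/32), which is what the "!!.!!.!!.!" pattern implies.

```python
# Added example, not code from the study guide: a single-rate token-bucket
# policer that reproduces the two R2 ping patterns seen in this lab.
# Assumptions (constructed): ping RTT ~1 ms for a conforming ping, a dropped
# ping waits the full 1 s timeout, and the default Bc for cir 64000 is
# 2000 bytes (CIR/32), which is what the "!!.!!.!!.!" pattern implies.

class TokenBucket:
    """Single-rate policer: the bucket holds at most bc bytes and refills
    continuously at cir/8 bytes per second, as the IOS 'police' command does."""

    def __init__(self, cir_bps: int, bc_bytes: int) -> None:
        self.refill = cir_bps / 8.0      # bytes of credit added per second
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)    # bucket starts full
        self.last = 0.0                  # timestamp of the previous packet

    def offer(self, now: float, size: int) -> bool:
        """Return True (conform-action transmit) or False (exceed-action drop)."""
        self.tokens = min(self.bc, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def ping_pattern(cir_bps, bc_bytes, count, size=1000, rtt=0.001, timeout=1.0):
    """Emulate 'ping ... size 1000 timeout 1 repeat <count>' through a CoPP
    policer: a '!' ping is answered after rtt, a '.' ping waits the timeout."""
    bucket = TokenBucket(cir_bps, bc_bytes)
    now, out = 0.0, []
    for _ in range(count):
        ok = bucket.offer(now, size)
        out.append("!" if ok else ".")
        now += rtt if ok else timeout
    return "".join(out)


def offered_bps(size_bytes: int, interval_s: float) -> float:
    """Sustained rate of a fixed-interval ping, for comparison with the CIR."""
    return size_bytes * 8 / interval_s


if __name__ == "__main__":
    # Default burst (bc 2000): two pings fit, the third is dropped.
    print(ping_pattern(64000, 2000, 10))      # !!.!!.!!.!
    # Lab setting (bc 8000): eight 1000-byte pings fit, the ninth is dropped.
    print(ping_pattern(64000, 8000, 27))      # !!!!!!!!.!!!!!!!!.!!!!!!!!.
    # The VyOS interval of 0.111 s offers ~72 kbps, above the 64 kbps CIR,
    # so once the bucket is drained roughly one ping in nine must be dropped.
    print(round(offered_bps(1000, 0.111)))    # 72072
```

The two patterns printed match the "!!.!!.!!.!" and "!!!!!!!!.!!!!!!!!.!!!!!!!!." outputs captured from R1 above, so the burst-size explanation holds without any sub-second scheduling assumption beyond the bucket refill.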

  2. LPTS is much simpler to configure on XR.

    lpts pifib hardware police
     flow icmp local rate 10
     flow ssh default rate 20

    To verify, use the following show commands:

    RP/0/RP0/CPU0:XR3#show lpts pifib hardware police location 0/0/CPU0 | in "SSH|---|flow_type" 
    Tue Nov  8 14:07:26.160 UTC
    -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ----------
    flow_type            priority sw_police_id hw_policer_addr Cur. Rate  burst static_avgrate avgrate_type AggrAccepts   AggrDrops     TOS Value 
    -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ---------- 
    SSH-known            medium   27           240             300        150   300            Static       0             0             01234567  
    SSH-default          low      28           241             20         100   200            Global       0             0             01234567
    
    RP/0/RP0/CPU0:XR3#show lpts pifib hardware police location 0/0/CPU0 | in "ICMP|---|flow_type"
    Tue Nov  8 14:20:57.928 UTC
    -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ----------
    flow_type            priority sw_police_id hw_policer_addr Cur. Rate  burst static_avgrate avgrate_type AggrAccepts   AggrDrops     TOS Value 
    -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ---------- 
    ICMP-local           medium   12           225             10         750   1500           Global       112           12            01234567  
    ICMP-control         high     40           253             1000       500   1000           Static       0             0             01234567  
    ICMP-app             low      52           265             1500       750   1500           Static       0             0             01234567  
    ICMP-default         low      53           266             1500       750   1500           Static       0             0             01234567  
    ICMP-app-default     low      90           303             1500       750   1500           Static       0             0             01234567
Attachments: Challenge - Control Plane Policing.yaml (18KB), copp_initial_configs.zip (7KB)