Control Plane Policing

Lab file

Startup configs

IP addresses and OSPF are already preconfigured.

  1. On R2, configure CoPP to drop ICMP above 64 kbps and SSH above 32 kbps. However, Lo1 (1.1.1.2) is a “management station” which needs unrestricted access to R2, so you should not rate-limit ICMP and SSH from 1.1.1.2. When pinging 2.2.2.2 from Lo0 on R1 with a size of 1000 bytes (8000 bits), only 8 pings should get through per second. However, pings from Lo1 should work with no drops. Note that to achieve 8 pings with the 9th ping lost, I had to adjust the burst size.

R1#ping 2.2.2.2 source lo0 size 1000 timeout 1 repeat 27 
Type escape sequence to abort.
Sending 27, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!!!!.!!!!!!!!.!!!!!!!!.
Success rate is 88 percent (24/27), round-trip min/avg/max = 1/1/11 ms

R1#ping 2.2.2.2 source lo1 size 1000 timeout 1 repeat 27
Type escape sequence to abort.
Sending 27, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.2 
!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (27/27), round-trip min/avg/max = 1/1/9 ms

  2. On XR, we cannot police control-plane traffic based on the source address. Instead, simply limit ICMP to 10 pps and unestablished SSH traffic to 20 pps. When pinging R3, I am only able to get 8 pings to go through, not 10. I believe this is because the burst size is not configurable.

R1#ping 3.3.3.3 source lo0 timeout 1 repeat 40 size 1000
Type escape sequence to abort.
Sending 40, 1000-byte ICMP Echos to 3.3.3.3, timeout is 1 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!
Success rate is 90 percent (36/40), round-trip min/avg/max = 3/5/14 ms

Verify that ICMP traffic is dropped and that the SSH rate has changed.

Answers

  1. You need to apply different policing rates to ICMP and SSH, and also permit traffic from 1.1.1.2 unrestricted. I created three ACLs: one matching ICMP, one matching SSH, and one for permitted hosts.

    Extended IP access list icmp
        10 permit icmp any any
    Extended IP access list permited-hosts
        10 permit ip any host 1.1.1.2
    Extended IP access list ssh
        10 permit tcp any any eq 22

    Strangely, the permited-hosts logic is backwards. 1.1.1.2 is used as a destination. This is the only way traffic would match for me. When I used 1.1.1.2 any, I never got hits.

    Next I created three class-maps (not shown) and a single policy-map.

    R2#show policy-map control-plane 
     Control Plane 
    
      Service-policy input: CoPP
    
        Class-map: permited-hosts (match-all)  
          74 packets, 74000 bytes
          5 minute offered rate 0000 bps
          Match: access-group name permited-hosts
    
        Class-map: icmp (match-all)  
          743 packets, 743000 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group name icmp
          police:
              cir 64000 bps, bc 8000 bytes
            conformed 652 packets, 652000 bytes; actions:
              transmit 
            exceeded 100 packets, 100000 bytes; actions:
              drop 
            conformed 0000 bps, exceeded 0000 bps
    
        Class-map: ssh (match-all)  
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group name ssh
          police:
              cir 32000 bps, bc 1500 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit 
            exceeded 0 packets, 0 bytes; actions:
              drop 
            conformed 0000 bps, exceeded 0000 bps
    
    show run | sec policy-map
    policy-map CoPP
     ! By not specifying anything under permited hosts, no policing is taking place.
     ! It is important that permited-hosts is at the top so that traffic from 1.1.1.2 isn't rate limited.
     class permited-hosts
     class icmp
      police cir 64000 bc 8000 conform-action transmit  exceed-action drop 
     class ssh
      police 32000 conform-action transmit  exceed-action drop

    To achieve 8 consecutive pings I increased the burst size (bc) for ICMP. Otherwise, the default burst size was too low and after two pings the rate was already exceeded at the sub-second level. (The policer does not measure 64000 bits over a whole second; it is a token bucket that lets bc bytes through back to back and then refills at the CIR, so for example 64000/8 bits are exceeded within 1/8 of a second.)

    To test this hypothesis, I used a VyOS router which allows for a configurable ping interval. If I ping at an interval of 1/9 seconds (0.111 repeating) with 1000-byte packets, then the burst size is not exceeded and I can fit 8 pings into a second, with the 9th packet dropping.

    ! From the CSR1000v, pings are sent too quickly:
    R1#ping 2.2.2.2 source lo0 size 1000 timeout 1 repeat 10
    Type escape sequence to abort.
    Sending 10, 1000-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds:
    Packet sent with a source address of 1.1.1.1 
    !!.!!.!!.!
    Success rate is 70 percent (7/10), round-trip min/avg/max = 1/1/2 ms
    
    ! From VyOS I can tune the ping interval. At .111 seconds, the ninth ping is dropped.
    vyos@vyos:~$ ping 2.2.2.2 interval .111 size 1000
    PING 2.2.2.2 (2.2.2.2) 1000(1028) bytes of data.
    1008 bytes from 2.2.2.2: icmp_seq=1 ttl=254 time=1.38 ms
    1008 bytes from 2.2.2.2: icmp_seq=2 ttl=254 time=1.56 ms
    1008 bytes from 2.2.2.2: icmp_seq=3 ttl=254 time=2.07 ms
    1008 bytes from 2.2.2.2: icmp_seq=4 ttl=254 time=1.98 ms
    1008 bytes from 2.2.2.2: icmp_seq=5 ttl=254 time=1.83 ms
    1008 bytes from 2.2.2.2: icmp_seq=6 ttl=254 time=2.16 ms
    1008 bytes from 2.2.2.2: icmp_seq=7 ttl=254 time=2.42 ms
    1008 bytes from 2.2.2.2: icmp_seq=8 ttl=254 time=2.24 ms
    1008 bytes from 2.2.2.2: icmp_seq=10 ttl=254 time=2.08 ms
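    The burst behaviour above can be reproduced with a small token-bucket model of `police cir <bps> bc <bytes>`. This is an added example, not part of the original lab or Cisco's code. It assumes the IOS MQC default burst rule (cir/32 bytes, minimum 1500 bytes, which agrees with the `bc 1500 bytes` shown for the 32000 bps SSH class) and models IOS `ping` as sending the next echo about 1 ms after a reply and 1 s after a timeout; both are assumptions of the model, not facts from the page.

```python
"""Token-bucket model of the IOS `police cir <bps> bc <bytes>` policer.

Added example (not from the lab). Shows why the CSR1000v ping pattern goes
from "!!.!!.!!.!" with the default burst to "!!!!!!!!." with bc 8000 for a
64 kbps CIR. The IOS ping timing (next echo ~1 ms after a reply, 1 s after a
timeout) is an assumption of this model.
"""
from dataclasses import dataclass, field


def default_bc(cir_bps: int) -> int:
    """Assumed IOS MQC default burst: cir/32 bytes, minimum 1500 bytes.

    Matches the lab's show output, which reports bc 1500 bytes for cir 32000.
    """
    return max(1500, cir_bps // 32)


@dataclass
class Policer:
    """Single-rate two-colour policer: conform -> transmit, exceed -> drop."""
    cir_bps: int
    bc_bytes: int
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)  # bucket starts full

    def offer(self, size_bytes: int, t: float) -> bool:
        """Offer one packet of size_bytes at time t (seconds); True if it conforms."""
        # Tokens accrue at the CIR (converted to bytes/s) since the last packet,
        # but the bucket never holds more than bc bytes.
        refill = (t - self.last_t) * self.cir_bps / 8
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last_t = t
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True   # conform-action transmit
        return False      # exceed-action drop; no tokens are consumed


def ios_ping(policer: Policer, repeat: int, size: int = 1000,
             rtt: float = 0.001, timeout: float = 1.0) -> str:
    """Emulate `ping ... size <size> timeout 1 repeat <repeat>` through a CoPP policer.

    IOS sends the next echo as soon as the reply arrives (after rtt), or after
    the timeout when the echo was dropped. Returns the '!'/'.' string ping prints.
    """
    t = 0.0
    out = []
    for _ in range(repeat):
        if policer.offer(size, t):
            out.append("!")
            t += rtt
        else:
            out.append(".")
            t += timeout
    return "".join(out)


if __name__ == "__main__":
    cir = 64000
    print(f"assumed default bc for {cir} bps: {default_bc(cir)} bytes")
    # Default burst: two 1000-byte echoes drain the 2000-byte bucket, the third
    # is dropped, and the 1 s timeout refills the bucket before the next try.
    print("default bc:", ios_ping(Policer(cir, default_bc(cir)), repeat=10))
    # bc 8000: eight echoes fit in the bucket back to back, the ninth is dropped.
    print("bc 8000   :", ios_ping(Policer(cir, 8000), repeat=27))
```

    The drop pattern comes entirely from bc, not from the CIR: the CIR only sets how fast the bucket refills during the 1 s timeout, which is why every group of conforming pings is the same length and why a fixed-interval sender such as VyOS behaves differently from IOS ping.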

  2. LPTS is much simpler to configure on XR.

    lpts pifib hardware police
     flow icmp local rate 10
     flow ssh default rate 20

    To verify use the following show command:

    RP/0/RP0/CPU0:XR3#show lpts pifib hardware police location 0/0/CPU0 | in "SSH|---|flow_type" 
    Tue Nov  8 14:07:26.160 UTC
    -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ----------
    flow_type            priority sw_police_id hw_policer_addr Cur. Rate  burst static_avgrate avgrate_type AggrAccepts   AggrDrops     TOS Value 
    -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ---------- 
    SSH-known            medium   27           240             300        150   300            Static       0             0             01234567  
    SSH-default          low      28           241             20         100   200            Global       0             0             01234567
    
    RP/0/RP0/CPU0:XR3#show lpts pifib hardware police location 0/0/CPU0 | in "ICMP|---|flow_type"
    Tue Nov  8 14:20:57.928 UTC
    -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ----------
    flow_type            priority sw_police_id hw_policer_addr Cur. Rate  burst static_avgrate avgrate_type AggrAccepts   AggrDrops     TOS Value 
    -------------------- -------- ------------ --------------- ---------- ----- -------------- ------------ -----------   ---------     ---------- 
    ICMP-local           medium   12           225             10         750   1500           Global       112           12            01234567  
    ICMP-control         high     40           253             1000       500   1000           Static       0             0             01234567  
    ICMP-app             low      52           265             1500       750   1500           Static       0             0             01234567  
    ICMP-default         low      53           266             1500       750   1500           Static       0             0             01234567  
    ICMP-app-default     low      90           303             1500       750   1500           Static       0             0             01234567
