This topic covers how to secure the control plane, continuing from the previous lecture, “Securing the Management Plane”.
Control plane packets are network device–generated or received packets that are used for the creation and operation of the network itself.
From the perspective of the network device, control plane packets always have a receive destination IP address and are handled by the CPU in the network device route processor. Some examples of control plane functions include routing protocols (for example, BGP, OSPF, EIGRP), as well as protocols like Internet Control Message Protocol (ICMP) and the Resource Reservation Protocol (RSVP).
So the key to protecting the control plane is to minimize the load on the CPU as much as possible.
Some of the packets and traffic handled by the CPU:
■ Receive adjacency traffic: Any IP address that requires direct handling by the Cisco device CPU, shown with the term receive in the show ip cef command-line interface (CLI) output.
■ Access control list (ACL) logging:
The log and log-input options apply to ACL entries and cause packets that match the entry to be logged.
■ Unicast Reverse Path Forwarding (URPF):
A security feature that works by having the router verify the reachability of the source address of packets being forwarded.
■ IP options:
Any IP packet with options included must be processed by the CPU.
■ IP fragmentation:
Any IP packet that requires fragmentation must be passed to the CPU for processing.
■ Time-To-Live (TTL) expiry:
Packets that arrive with a TTL value less than or equal to 1.
■ Traffic requiring an ARP request:
Destinations for which an ARP entry does not exist require processing by the CPU.
■ Non-IP traffic:
All non-IP traffic is processed by the CPU.
Through the use of control plane policing (CoPP) and control plane protection (CPPr) we can secure the control plane.
Control Plane Policing (CoPP):
It is a feature that lets users manage the flow of traffic handled by the route processor of their network devices.
Control plane policing is performed using granular classification ACLs, and the show policy-map control-plane command displays the applied policy and its per-class counters.
Benefits of Control Plane Policing
Configuring the Control Plane Policing feature on your Cisco router or switch provides the following benefits:
• Protection against DoS attacks at infrastructure routers and switches.
• QoS control for packets that are destined to the control plane of Cisco routers or switches.
• Ease of configuration for control plane policies.
• Better platform reliability and availability.
In the example below, only BGP and OSPF are permitted to reach the Cisco device CPU, and any IP packet with a TTL lower than 2 is discarded.
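The following is an added Cisco IOS configuration example written for this edition, not the author's own example, that implements the policy just described with CoPP. The ACL, class-map and policy-map names and the policing rates are assumptions; adjust the rates to the routing load of the device.

```cisco
! --- Added example (not the original post's configuration) ---
! Names COPP-ROUTING, COPP-TTL-EXPIRY, COPP-POLICY and the rates are assumed.
!
! 1) Classify the routing protocols that may reach the route processor.
ip access-list extended COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
!
! 2) Classify IP packets whose TTL is 0 or 1. Transit packets like these are
!    punted so the CPU can generate ICMP time-exceeded replies; dropping them
!    here stops a traceroute-style flood from consuming the CPU.
ip access-list extended COPP-TTL-EXPIRY
 permit ip any any ttl lt 2
!
class-map match-all COPP-ROUTING-CLASS
 match access-group name COPP-ROUTING
class-map match-all COPP-TTL-CLASS
 match access-group name COPP-TTL-EXPIRY
!
! 3) Classes are evaluated top to bottom. The routing class MUST come first:
!    OSPF hellos and directly connected eBGP sessions are sent with TTL 1,
!    so a TTL-first ordering would silently drop the very protocols we permit.
policy-map COPP-POLICY
 class COPP-ROUTING-CLASS
  police 512000 conform-action transmit exceed-action drop
 class COPP-TTL-CLASS
  drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
! 4) Apply the policy to traffic punted to the route processor.
control-plane
 service-policy input COPP-POLICY
!
! Verify per-class conformed/exceeded counters after applying:
! show policy-map control-plane
```

class-default is policed rather than dropped outright: a plain drop there would also discard the management traffic (SSH, SNMP, ARP-related punts) covered in the previous lecture, so a conservative rate is the safer way to express "permit only BGP and OSPF" in production. Watch the exceeded counters on COPP-ROUTING-CLASS after deployment; a non-zero value there means the rate is too low for the device's routing load and neighbours may flap.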
Control Plane Protection (CPPr):
The Control Plane Protection feature is an extension of the policing functionality provided by the existing Control-plane Policing feature. The Control-plane Policing feature allows Quality of Service (QoS) policing of aggregate control-plane traffic destined to the route processor.
Additionally, the CPPr feature provides the following:
• Port-filtering feature: Enables the policing and dropping of packets that are sent to closed or non-listening TCP or UDP ports.
• Queue-thresholding feature: Limits the number of packets for a specified protocol that are allowed in the control-plane IP input queue.
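As an added Cisco IOS example for both CPPr features (written for this edition, not taken from the original post), the configuration below drops packets sent to closed ports and caps the number of BGP packets queued for the route processor. The class-map and policy-map names and the queue limit are assumptions.

```cisco
! --- Added example (not the original post's configuration) ---
! Names CPPR-CLOSED-PORTS, CPPR-PORT-FILTER, CPPR-BGP-QUEUE, CPPR-QUEUE-POLICY
! and the queue limit are assumed.
!
! Port filtering: drop packets addressed to TCP/UDP ports the router is not
! listening on, before they are queued for the route processor. A port sweep
! against the router itself then costs almost no CPU.
class-map type port-filter match-all CPPR-CLOSED-PORTS
 match closed-ports
!
policy-map type port-filter CPPR-PORT-FILTER
 class CPPR-CLOSED-PORTS
  drop
!
! Queue thresholding: cap how many BGP packets may sit in the control-plane
! IP input queue, so a burst of one protocol cannot starve the others.
class-map type queue-threshold match-all CPPR-BGP-QUEUE
 match protocol bgp
!
policy-map type queue-threshold CPPR-QUEUE-POLICY
 class CPPR-BGP-QUEUE
  queue-limit 100
!
! Both policies attach to the host subinterface of the control plane, i.e.
! traffic whose destination address is the router itself.
control-plane host
 service-policy type port-filter input CPPR-PORT-FILTER
 service-policy type queue-threshold input CPPR-QUEUE-POLICY
!
! Verify which ports the router currently listens on and the policy counters:
! show control-plane host open-ports
! show policy-map type port-filter control-plane host
! show policy-map type queue-threshold control-plane host
```

The port filter is evaluated against the ports the router is actually listening on, so it adapts when a service such as SNMP or SSH is enabled later; check show control-plane host open-ports before and after such a change to confirm the expected ports are open and nothing else is.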
For more details about this technique, refer to the link below.
By: Hatem Farag | CCIE#54446