Cisco Network Infrastructure Security: Control Plane Policing Concepts and Configuration

Date: Jul 21, 2011


The typical focus when dealing with network security is the end systems that hold information, such as e-commerce or database systems. But what would happen to the security of these systems if the infrastructure they rely on to forward their traffic were exploited? These pieces of equipment cannot hide behind a large, sophisticated firewall: they exist to forward traffic and must process it without adding considerable delay. Cisco has developed a feature specifically to protect these pieces of equipment from attack: control plane policing. This article takes a look at this feature, examining what it is, how it works, and how it can be configured to secure this equipment.

Control Plane Policing Concepts

The control plane policing feature was developed to protect against attacks aimed at these infrastructure devices, and in particular at the route processor that handles the packets the device must process in software rather than forward in hardware. The three different types of traffic that are forwarded to the control plane are:

To best mitigate the different types of attack that are possible, an architecture was needed that could be used across many different products and that provided a security mechanism covering each of these attack types. This architecture treats the control plane as a separate entity with its own input and output ports, so that a policy can be applied to traffic entering or leaving it just as one would be applied to a physical interface. The layout of this architecture is shown in Figure 1.

Figure 1

This architecture includes four main components:

There are two separate paths that traffic can take when being routed to the control plane: a distributed path (through a line card with its own processor) and a non-distributed path. With this in mind, two different levels of control plane policing were developed: aggregate control plane services, which subject all control plane traffic to a single set of policies, and distributed control plane services, which allow a set of policies to be applied to a specific distributed line card. Keep in mind that regardless of whether traffic arrives through a distributed line card or not, it is always subject to aggregate control plane services; a distributed policy is an additional, earlier filter, not a replacement. Figure 2 shows an example of how traffic destined for the control plane is processed when using distributed and non-distributed line cards.

Figure 2

Both of these services can be used to either police (rate-limit) or, on most devices, outright drop traffic that matches a configured policy. To define this policy, the Modular Quality of Service Command-Line Interface (MQC) is used; this configuration is shown in the next section.

Control Plane Policing Configuration

The first thing that needs to be reviewed is the MQC and how it is used to implement control plane policing. The MQC provides a commonly used method of implementing a policy using a three-part configuration process: define the traffic classes of interest (class-map), define the policy that acts on each class (policy-map), and attach that policy to a target, here the control plane, with a service-policy command.

The steps that are required to create a class-map, policy-map, and to apply either aggregate or distributed control plane policing on a supporting device are shown in Table 1.

Step 1

Enter global configuration mode.

router#configure terminal

Step 2

Enter class map configuration mode.

router(config)#class-map [match-any | match-all] class-map-name

The default method of matching is match-all: a packet belongs to the class only if every configured match statement applies to it. With match-any, a packet belongs to the class if any one match statement applies.

Step 3

Configuring the matching criteria.

router(config-cmap)#match ...

There are a number of different match commands that can be used; for control plane policing the most common is match access-group, which classifies traffic against a standard or extended access list.

Step 4

Enter policy map configuration mode.

router(config-cmap)#policy-map policy-map-name

Step 5

Specify the class-map to use to match traffic for this policy.

router(config-pmap)#class class-map-name

Step 6

Specify a policy action.

router(config-pmap-c)#police rate [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]

The rate is specified in either bits per second (bps) or packets per second (pps); the valid range for bps is 8000 through 10000000000 and for pps is 1 through 2000000. Policing in packets per second is usually the better choice for the control plane, since a flood of small packets can stay under a bps limit while still exhausting the route processor.

or

router(config-pmap-c)#drop

Step 7

Enter control plane configuration mode.

Aggregate control plane policing:

router(config-pmap-c)#control-plane

or

Distributed control plane policing:

router(config-pmap-c)#control-plane [slot slot-number]

Step 8

Apply the configured policy map to the control plane.

Aggregate control plane policing:

router(config-cp)#service-policy {input | output} policy-map-name

Note: Output policing is performed in silent mode; the router does not generate error or notification messages for the packets the output policy drops.

or

Distributed control plane policing:

router(config-cp)#service-policy input policy-map-name

Only input policies are supported for distributed control plane services.

Step 9

Exit to privileged mode.

router(config-cp)#end

Summary

The genuinely tricky part of control plane policing configuration is understanding how a policy is built with the MQC. Because the MQC is used for a number of features other than control plane policing, learning how it works is well worth the time. With infrastructure devices being a prime target for those looking to exploit networks, implementing a method that protects the control plane of these devices directly is vital. Hopefully this article has provided a starting point for learning what is possible with this feature and how it can be used to protect these network devices.

800 East 96th Street, Indianapolis, Indiana 46240