RE: ICMP Query!!!

From: gopal gupta <gopgupta_at_cisco.com>
Date: Sun, 14 Nov 2010 19:14:39 -0600

Is everything that is handled by the CPU to be considered control plane
traffic?
Let's say NAT is handled by the router CPU traditionally... does that mean it is
control plane traffic?

The discussion should be framed as: is anything processed by the router CPU
considered control plane traffic or not? If that is answered, the debate
will end... :-). My answer to that will be YES.

As far as the control plane is concerned, it is the shared plane for all the
protocols that need CPU processing. Anything that needs to be answered
by the CPU is control plane traffic, although some exceptional types of
traffic also go through the control plane. They can be considered bad people
in a good people community. Here is the default CoPP config on the Nexus 7K:

As per this config, it states that we want to apply some policy to that
ICMP traffic to protect the control plane from overloading. So this means it is
control plane traffic when (unreachable, options, etc.) need CPU processing,
else NOT.

class-map type control-plane match-any copp-system-class-critical
  match access-group name copp-system-acl-bgp
  match access-group name copp-system-acl-bgp6
  match access-group name copp-system-acl-eigrp
  match access-group name copp-system-acl-igmp
  match access-group name copp-system-acl-msdp
  match access-group name copp-system-acl-ospf
  match access-group name copp-system-acl-ospf6
  match access-group name copp-system-acl-pim
  match access-group name copp-system-acl-pim6
  match access-group name copp-system-acl-rip
  match access-group name copp-system-acl-vpc
class-map type control-plane match-any copp-system-class-exception
  match exception ip option
  match exception ip icmp unreachable
  match exception ipv6 option
  match exception ipv6 icmp unreachable
class-map type control-plane match-any copp-system-class-important
  match access-group name copp-system-acl-cts
  match access-group name copp-system-acl-glbp
  match access-group name copp-system-acl-hsrp
  match access-group name copp-system-acl-vrrp
  match access-group name copp-system-acl-wccp
  match access-group name copp-system-acl-icmp6-msgs
  match access-group name copp-system-acl-pim-reg
class-map type control-plane match-any copp-system-class-management
  match access-group name copp-system-acl-ftp
  match access-group name copp-system-acl-ntp
  match access-group name copp-system-acl-ntp6
  match access-group name copp-system-acl-radius
  match access-group name copp-system-acl-sftp
  match access-group name copp-system-acl-snmp
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-ssh6
  match access-group name copp-system-acl-tacacs
  match access-group name copp-system-acl-telnet
  match access-group name copp-system-acl-tftp
  match access-group name copp-system-acl-tftp6
  match access-group name copp-system-acl-radius6
  match access-group name copp-system-acl-tacacs6
  match access-group name copp-system-acl-telnet6
class-map type control-plane match-any copp-system-class-monitoring
  match access-group name copp-system-acl-icmp
  match access-group name copp-system-acl-icmp6
  match access-group name copp-system-acl-traceroute
class-map type control-plane match-any copp-system-class-normal
  match access-group name copp-system-acl-dhcp
  match redirect dhcp-snoop
  match protocol arp
class-map type control-plane match-any copp-system-class-redirect
  match redirect arp-inspect
class-map type control-plane match-any copp-system-class-undesirable
  match access-group name copp-system-acl-undesirable
policy-map type control-plane copp-system-policy
  class copp-system-class-critical
    police cir 39600 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-important
    police cir 1060 kbps bc 1000 ms conform transmit violate drop
  class copp-system-class-management
    police cir 10000 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-normal
    police cir 680 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-redirect
    police cir 280 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-monitoring
    police cir 130 kbps bc 1000 ms conform transmit violate drop
  class copp-system-class-exception
    police cir 360 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-undesirable
    police cir 32 kbps bc 250 ms conform drop violate drop
  class class-default
    police cir 100 kbps bc 250 ms conform transmit violate drop
control-plane
  service-policy input copp-system-policy

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Tyson Scott
Sent: Sunday, November 14, 2010 5:00 PM
To: 'Sadiq Yakasai'; 'ron wilkerson'
Cc: Tyson Scott; negron.paul_at_gmail.com; tron_at_huapi.ba.ar;
eliteccie_at_gmail.com; ccielab_at_groupstudy.com
Subject: RE: ICMP Query!!!

Sadiq,

 

Only two protocols work with NBAR classification with control plane
policing, PPPOE and ARP. That doesn't make other protocols by definition
control plane protocols. Personally I think the response by Paul to be the
most precise and to the point, even if he said ICMP instead of IGMP, in
describing control plane protocols. But at the end of the day the most
important fact is that ICMP traffic can affect the control plane of the
router and thus measures should be taken to protect the router.

 

When I read the statement below it says (in my view) ICMP, IP traffic with
IP options, and others "MIGHT" require handling by the route processor.
This traffic that might require processing by the route processor is often
referred to as control plane traffic.

 

To me it doesn't say that ICMP and IP traffic with IP options is control
plane traffic but that it might require processing at the control plane.
Thus Control Plane protection mechanisms should be put in place to prevent
such security risks.

 

It still does not say to me that ICMP is by definition control plane
traffic. But I think that my view is up for debate which has been more than
evident by this string of emails.

 

CCIE Kid, I hope the purpose of your request has been answered by all of
this. And you can also see just how bull-headed we all are :-)

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.

Mailto: tscott_at_ipexpert.com

 

 

From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Saturday, November 13, 2010 4:04 PM
To: ron wilkerson
Cc: Tyson Scott; negron.paul_at_gmail.com; tron_at_huapi.ba.ar;
eliteccie_at_gmail.com; ccielab_at_groupstudy.com
Subject: Re: ICMP Query!!!

 

Exactly!

"The vast majority of packets handled by a router travel through the router
by way of the forwarding plane, or data plane. However, the system's route
processor must handle certain packets, such as routing protocols,
keepalives, packets destined to the local IP addresses of the router, and
packets from management protocols and other interactive access protocols,
such as Telnet and Secure Shell (SSH) Protocol. In addition, packets from
protocols such as Internet Control Message Protocol (ICMP), with IP options,
and others, might require handling by the route processor as well. This type
of traffic is often referred to as control plane traffic."

This is the same reason why using NBAR for ICMP classification when
configuring COPP does NOT work. You need to use an ACL in a class-map to
perform such classification. Very expensive lesson for me ;-)

ICMP terminating on a router, is indeed Control Plane traffic.

Sadiq

On Sat, Nov 13, 2010 at 8:30 PM, ron wilkerson <ron.wilkerson_at_gmail.com>
wrote:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd805ffde8.html

read the 4th paragraph.

On Sat, Nov 13, 2010 at 3:24 PM, Tyson Scott
<tyson.scott_at_advtechracks.com>wrote:

> ICMP is not control plane traffic. ICMP unreachables go to the CEF
> exception for example. Consider the control plane as protocols that
> glue the network together. ICMP traffic to the router goes to the host
> control plane because of being directed to the device, thus it must
> handle it. ICMP is data traffic that may be used for management
> purposes.
>
> Regards,
>
> Tyson Scott
> CCIE # 13513 (R&S, Security, SP)
> Managing Partner/Technical Instructor - IPexpert Inc.
> tscott_at_ipexpert.com
>
>
> ----- Reply message -----
> From: "Paul Negron" <negron.paul_at_gmail.com>
> Date: Sat, Nov 13, 2010 2:10 pm
> Subject: ICMP Query!!!
> To: "ron.wilkerson_at_gmail.com" <ron.wilkerson_at_gmail.com>, "Carlos G
> Mendioroz" <tron_at_huapi.ba.ar>
> Cc: "CCIE KID" <eliteccie_at_gmail.com>, "Cisco certification"
> <ccielab_at_groupstudy.com>
>
>
> Very Interesting Response.
>
> I guess I primarily viewed ICMP as testing the Control Plane/ Data Plane
> with the Majority of ICMP Query types:
>
> * 0 = Echo Reply ("ping response")
> * 8 = Echo Request ("ping query")
> * 9 = Router Advertisement (RFC 1256)
> * 10 = Router Solicitation (RFC 1256)
> * 13 = Time Stamp Request
> * 14 = Time Stamp Reply
> * 17 = Address Mask Request
> * 18 = Address Mask Reply
>
> I know my definition is a little narrow but it does help differentiate ICMP
> from protocols like RSVP, PIM, EIGRP that strictly represent Control Plane
> from a Routing Switching perspective.
>
> As far as the view that ICMP using the CPU is a CLEAR definition,
> this I would disagree with. What would Process Switching be then? Control
> Plane or Data Plane activity?
>
> Carlos and Ron do make a good point to expand my Narrow definition though.
> :-)
>
> Paul
>
>
> --
> Paul Negron
> CCIE# 14856 CCSI# 22752
> Senior Technical Instructor
> www.micronicstraining.com
>
>
>
> > From: <ron.wilkerson_at_gmail.com>
> > Reply-To: <ron.wilkerson_at_gmail.com>
> > Date: Fri, 12 Nov 2010 23:58:17 +0000
> > To: Paul Negron <negron.paul_at_gmail.com>, Carlos G Mendioroz <
> tron_at_huapi.ba.ar>
> > Cc: CCIE KID <eliteccie_at_gmail.com>, Cisco certification
> > <ccielab_at_groupstudy.com>
> > Subject: Re: ICMP Query!!!
> >
> > Agree with carlos...
> > I've always thought of control plane as anything that the cpu has to look
> > at.
> > Some icmp packets require the cpu, so I'd classify those icmp as control
> > plane packets.
> >
> >
> > Sent from my Verizon Wireless BlackBerry
> >
> > -----Original Message-----
> > From: Paul Negron <negron.paul_at_gmail.com>
> > Sender: nobody_at_groupstudy.com
> > Date: Fri, 12 Nov 2010 16:39:10
> > To: Carlos G Mendioroz<tron_at_huapi.ba.ar>
> > Reply-To: Paul Negron <negron.paul_at_gmail.com>
> > Cc: CCIE KID<eliteccie_at_gmail.com>; Cisco certification<
> ccielab_at_groupstudy.com>
> > Subject: Re: ICMP Query!!!
> >
> > It is true that they help convey information or make sure a path is clear
> > to send larger packets, but ICMP is not intended to help create state
> > within the control plane.
> >
> > Like I said....
> >
> >
> > IGMP helps to create a path in which Traffic will use.
> > ICMP uses the data plane that a control plane protocol created.
> >
> > Does anyone else have anything useful to contribute?
> >
> > I would always love to hear another explanation that can be useful and I'm
> > sure CCIE KID would too, unless the "KID" already gets it.
> >
> >
> > Narbik?
> >
> >
> > --
> > Paul Negron
> > CCIE# 14856 CCSI# 22752
> > Senior Technical Instructor
> > www.micronicstraining.com
> >
> >
> >
> >> From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
> >> Date: Fri, 12 Nov 2010 17:39:56 -0300
> >> To: Paul Negron <negron.paul_at_gmail.com>
> >> Cc: CCIE KID <eliteccie_at_gmail.com>, Cisco certification
> >> <ccielab_at_groupstudy.com>
> >> Subject: Re: ICMP Query!!!
> >>
> >> I would call ICMP redirect packets a control thing though.
> >> And when using ICMP probes (echo request/reply) as part of a IP SLA
> >> construct, they are a control thing too.
> >> What about packet too big ?
> >>
> >> In fact, Internet Control Message Protocol sounds a lot like control :)
> >>
> >> -Carlos
> >>
> >> Paul Negron @ 10/11/2010 14:21 -0300 dixit:
> >>> I apologize, I meant to state:
> >>>
> >>>> IGMP packets are used to create state on the Router that receives them.
> >>>> Since it is used to create state, it is a part of the Control Plane
> >>>> process.
> >>>> It joins so that trees can be built, although it is PIM that builds them.
> >>>>
> >>>> ICMP is generating traffic and is not associated with building ANYTHING.
> >>>> It is considered Data Plane traffic. It uses paths that have already been
> >>>> set up by a Control Plane Protocol, like OSPF or EIGRP or PIM for that
> >>>> matter.
> >>>
> >>> I accidentally stated ICMP twice.
> >>>
> >>> Paul
> >>
> >> --
> >> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
>

--
stop talking
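The Nexus 7K default CoPP policy quoted at the top of this message can be audited mechanically rather than read by eye. The Python script below is an added example written for this archive page; it is not code from any of the list posts or from Cisco. It parses the class-maps and the policy-map, reports which classes a keyword such as icmp appears in, flags policers that drop even conforming traffic, and turns each policer's cir/bc pair into a burst allowance in bytes. The input is a constructed excerpt of the posted config, trimmed to the classes that mention ICMP plus class-default, not a complete Nexus 7K configuration. The regular expressions assume the exact police syntax shown in the post (cir in kbps, bc in ms, conform/violate actions); other NX-OS forms such as pir or bc in bytes are not handled.

```python
"""Audit a Cisco NX-OS CoPP configuration: parse class-maps and the policy-map,
then report which classes a keyword falls in, which policers drop conforming
traffic, and the burst each policer allows. Police syntax as in the post."""
import re
from dataclasses import dataclass, field

# Constructed input: excerpt of the Nexus 7K default CoPP policy quoted in the
# message above, trimmed to classes that mention ICMP plus class-default.
SAMPLE_COPP = """\
class-map type control-plane match-any copp-system-class-exception
  match exception ip option
  match exception ip icmp unreachable
  match exception ipv6 icmp unreachable
class-map type control-plane match-any copp-system-class-important
  match access-group name copp-system-acl-hsrp
  match access-group name copp-system-acl-icmp6-msgs
class-map type control-plane match-any copp-system-class-monitoring
  match access-group name copp-system-acl-icmp
  match access-group name copp-system-acl-icmp6
  match access-group name copp-system-acl-traceroute
class-map type control-plane match-any copp-system-class-undesirable
  match access-group name copp-system-acl-undesirable
policy-map type control-plane copp-system-policy
  class copp-system-class-important
    police cir 1060 kbps bc 1000 ms conform transmit violate drop
  class copp-system-class-monitoring
    police cir 130 kbps bc 1000 ms conform transmit violate drop
  class copp-system-class-exception
    police cir 360 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-undesirable
    police cir 32 kbps bc 250 ms conform drop violate drop
  class class-default
    police cir 100 kbps bc 250 ms conform transmit violate drop
control-plane
  service-policy input copp-system-policy
"""

CLASS_MAP_RE = re.compile(r"^class-map type control-plane match-\w+ (\S+)$")
POLICY_MAP_RE = re.compile(r"^policy-map type control-plane (\S+)$")
# Assumption: only the "cir <n> kbps bc <n> ms" form used in the post.
POLICE_RE = re.compile(
    r"^police cir (\d+) kbps bc (\d+) ms conform (\w+) violate (\w+)$")


@dataclass
class Policer:
    cir_kbps: int
    bc_ms: int
    conform: str
    violate: str

    def burst_bytes(self) -> int:
        """bc is a time; committed burst in bytes = rate (bit/s) * time (s) / 8."""
        return self.cir_kbps * 1000 * self.bc_ms // 1000 // 8


@dataclass
class CoppPolicy:
    policy_name: str = ""
    classes: dict = field(default_factory=dict)   # class-map -> match lines
    policers: dict = field(default_factory=dict)  # class -> Policer


def parse_copp(text: str) -> CoppPolicy:
    """Single pass over the config; indentation is ignored, keywords decide."""
    pol = CoppPolicy()
    in_class_map = None     # class-map currently being filled
    in_policy_class = None  # "class X" currently open inside the policy-map
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := CLASS_MAP_RE.match(line):
            in_class_map, in_policy_class = m.group(1), None
            pol.classes.setdefault(in_class_map, [])
        elif m := POLICY_MAP_RE.match(line):
            pol.policy_name, in_class_map = m.group(1), None
        elif line.startswith("match ") and in_class_map:
            pol.classes[in_class_map].append(line[len("match "):])
        elif line.startswith("class ") and pol.policy_name:
            in_policy_class = line.split()[1]
        elif (m := POLICE_RE.match(line)) and in_policy_class:
            pol.policers[in_policy_class] = Policer(
                int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
    return pol


def classes_matching(pol: CoppPolicy, keyword: str) -> list:
    """Class-maps with any match line containing keyword (case-insensitive)."""
    kw = keyword.lower()
    return sorted(c for c, ms in pol.classes.items()
                  if any(kw in m.lower() for m in ms))


def classes_dropping_conforming(pol: CoppPolicy) -> list:
    """Classes whose policer drops traffic even when it conforms."""
    return sorted(c for c, p in pol.policers.items() if p.conform == "drop")


def unpoliced_classes(pol: CoppPolicy) -> list:
    """Class-maps that are defined but never referenced by the policy-map."""
    return sorted(c for c in pol.classes if c not in pol.policers)
```

Run against the excerpt, classes_matching(pol, "icmp") returns the exception, important and monitoring classes, each with a different rate, which is the concrete form of the answer given in the message above: the box does not treat ICMP as one kind of traffic, it sorts individual ICMP messages by what they make the supervisor do (unreachables via the exception path, ICMPv6 neighbour messages as important, plain echo and traceroute as monitoring). The burst figure is worth computing because 130 kbps with bc 1000 ms is a 16250-byte bucket, so a short burst of pings can still exceed it, and the drop-on-conform check catches the undesirable class, where even in-profile traffic is discarded.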
Received on Sun Nov 14 2010 - 19:14:39 ART

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART