Since this maps to so many certs, I thought I might share my work on this
one with GS. Hope you enjoy.
Relevant Certifications:
CCNA Security, CCNP Security, CCIE R&S, CCIE Security
Documentation Path Used:
Cisco.com - Support - All Products - IOS and NX-OS - Cisco IOS - 15S - 15.2S
- Configuration Guides - Quality of Service Solutions Configuration Guide -
QoS: Policing and Shaping Configuration Guide, Cisco IOS Release 15.2S -
Control Plane Policing
The Feature:
Control Plane Policing (CoPP) permits the use of a QoS filter to manage the
flow of control plane packets in order to help protect routers and switches
from potentially devastating denial-of-service attacks. CoPP uses the MQC
approach to configuration. With this feature, the control plane (CP) is
treated as a separate entity with its own ingress and egress ports. You can
think of these like input and output ports on a router.
My Practice Task:
7.1 Control Plane Security
R6-S0/2/0----------S0/2/0-R9
Ensure that ICMP ping traffic sourced from R9's Lo0 interface is limited to
64 Kbps. All other ping traffic should be dropped. Ensure that all ICMP
port-unreachables are dropped by R6 should these messages be sourced from
any interface other than S0/2/0. Permitted port-unreachables should be
limited to 12 Kbps.
3 points
Initial Configurations:
R6:
hostname R6
!
interface Loopback0
ip address 192.168.6.6 255.255.255.0
!
interface Serial0/2/0
ip address 48.48.106.6 255.255.255.0
shutdown
clock rate 2000000
!
router eigrp 100
network 48.0.0.0
network 192.168.9.0
no auto-summary
!
end
R9:
hostname R9
!
interface Loopback0
ip address 192.168.9.9 255.255.255.0
!
interface Serial0/2/0
ip address 48.48.106.9 255.255.255.0
!
router eigrp 100
network 48.0.0.0
network 192.168.9.0
no auto-summary
end
My Solution:
First, I want to ensure reachability between these devices. Specifically, I
need to ensure that pings sourced from the loopback 0 interface of R9 can
reach R6.
INITIAL VERIFICATIONS
R9#ping 48.48.106.6 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 48.48.106.6, timeout is 2 seconds:
Packet sent with a source address of 192.168.9.9
.....
Success rate is 0 percent (0/5)
R9#
Darn. Well, no real surprise there. The troubleshooting steps below reveal
the issue. R6 possesses an interface in the shutdown state, and an incorrect
network statement in EIGRP.
R9#show ip prot
Routing Protocol is "eigrp 100"
...
R9#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
FastEthernet0/1            unassigned      YES unset  administratively down down
Serial0/2/0                48.48.106.9     YES manual down                  down
Serial0/2/1                unassigned      YES unset  administratively down down
Loopback0                  192.168.9.9     YES manual up                    up
R9#
R9#show run | section eigrp
router eigrp 100
network 48.0.0.0
network 192.168.9.0
no auto-summary
R9#
R6#show ip prot
Routing Protocol is "eigrp 100"
...
R6#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
FastEthernet0/1            unassigned      YES unset  administratively down down
Serial0/1/0                unassigned      YES unset  administratively down down
Serial0/2/0                48.48.106.6     YES manual administratively down down
Serial0/2/1                unassigned      YES unset  administratively down down
Loopback0                  192.168.6.6     YES manual up                    up
R6#
R6#show run | section eigrp
router eigrp 100
network 48.0.0.0
network 192.168.9.0
no auto-summary
R6#
INITIAL TROUBLESHOOTING REPAIR
R6(config)#int s0/2/0
R6(config-if)#no shut
R6(config-if)#
*Nov 1 02:42:59.133: %LINK-3-UPDOWN: Interface Serial0/2/0, changed state to up
R6(config-if)#
*Nov 1 02:42:59.909: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 48.48.106.9 (Serial0/2/0) is up: new adjacency
*Nov 1 02:43:00.137: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/2/0, changed state to up
R6(config-if)#router eigrp 100
R6(config-router)#no net 192.168.9.0
R6(config-router)#net 192.168.6.0
R6(config-router)#end
R6#
*Nov 1 02:43:26.453: %SYS-5-CONFIG_I: Configured from console by console
R6#
INITIAL VERIFICATIONS 2
R9#ping 48.48.106.6 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 48.48.106.6, timeout is 2 seconds:
Packet sent with a source address of 192.168.9.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R9#
SOLUTION CONFIGURATION
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#ip access-list extended AL-PING
R6(config-ext-nacl)#permit icmp any any echo
R6(config-ext-nacl)#permit icmp any any echo-reply
R6(config-ext-nacl)#exit
R6(config)#ip access-list extended AL-PING-LOOP
R6(config-ext-nacl)#permit icmp host 192.168.9.9 any echo
R6(config-ext-nacl)#permit icmp host 192.168.9.9 any echo-reply
R6(config-ext-nacl)#exit
R6(config)#ip access-list extended AL-UNREACHABLE
R6(config-ext-nacl)#permit icmp any any port-unreachable
R6(config-ext-nacl)#exit
R6(config)#ip access-list extended AL-UNREACH-R9
R6(config-ext-nacl)#permit icmp host 48.48.106.9 any port-unreachable
R6(config-ext-nacl)#exit
R6(config)#class-map CM-PING
R6(config-cmap)#match access-group name AL-PING
R6(config-cmap)#exit
R6(config)#class-map CM-PING-LOOP
R6(config-cmap)#match access-group name AL-PING-LOOP
R6(config-cmap)#exit
R6(config)#class-map CM-UNREACHABLE
R6(config-cmap)#match access-group name AL-UNREACHABLE
R6(config-cmap)#exit
R6(config)#class-map CM-UNREACH-R9
R6(config-cmap)#match access-group name AL-UNREACH-R9
R6(config-cmap)#exit
R6(config)#policy-map PM-COPP
R6(config-pmap)#class CM-PING-LOOP
R6(config-pmap-c)#police 64000
R6(config-pmap-c-police)#exit
R6(config-pmap-c)#exit
R6(config-pmap)#class CM-PING
R6(config-pmap-c)#drop
R6(config-pmap-c)#exit
R6(config-pmap)#class CM-UNREACH-R9
R6(config-pmap-c)#police 12000
R6(config-pmap-c-police)#exit
R6(config-pmap-c)#exit
R6(config-pmap)#class CM-UNREACHABLE
R6(config-pmap-c)#drop
R6(config-pmap-c)#exit
R6(config-pmap)#exit
R6(config)#control-plane
R6(config-cp)#service-policy input PM-COPP
R6(config-cp)#end
R6#
*Nov 1 03:12:01.036: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane aggregate path
R6#
*Nov 1 03:12:02.168: %SYS-5-CONFIG_I: Configured from console by console
R6#
FINAL VERIFICATION
R9#ping 48.48.106.6 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 48.48.106.6, timeout is 2 seconds:
Packet sent with a source address of 192.168.9.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R9#ping 48.48.106.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 48.48.106.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R9#ping 48.48.106.6 source lo0 size 1500
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 48.48.106.6, timeout is 2 seconds:
Packet sent with a source address of 192.168.9.9
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 12/13/16 ms
R9#
R6#show policy-map control-plane
Control Plane
Service-policy input: PM-COPP
Class-map: CM-PING-LOOP (match-all)
20 packets, 16080 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name AL-PING-LOOP
police:
cir 64000 bps, bc 2000 bytes
conformed 16 packets, 10064 bytes; actions:
transmit
exceeded 4 packets, 6016 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
...
CCIE Security Practice Lab Sample Task and Solution:
6.1: Control plane protection
Configure Control Plane Policing (CoPP) on R2, meeting all the following
requirements:
- Configure CoPP protection on R2, allowing ICMP pings sourced from the RFC
1918 address space only. Any ICMP packets sourced from nonprivate address
space to R2 should be dropped.
- Do not configure any parameters under the default class that matches any
packet.
- You are allowed to configure only one class-map and one policy-map to
complete this task.
4 points
SOLUTION:
R2# show policy-map control-plane
Control Plane
Service-policy input: copp
Class-map: copp (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 101
Match: not access-group 102
drop
Class-map: class-default (match-any)
877 packets, 113617 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R2# show ip access-lists
Extended IP access list 101
10 permit icmp any any (274 matches)
Extended IP access list 102
10 permit icmp 10.0.0.0 0.255.255.255 any (96 matches)
20 permit icmp 172.16.0.0 0.15.255.255 any (33 matches)
30 permit icmp 192.168.0.0 0.0.255.255 any (110 matches)
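The show output above only verifies the result; the configuration that produces it is reconstructed here as an added example (not part of the original post). Every value comes from the two show commands; the single class-map meets the "one class-map, one policy-map" constraint by combining a positive match on ACL 101 with a negated match on ACL 102, and class-default is left untouched.

```ios
! ACL 101: all ICMP destined to the control plane (the positive match)
access-list 101 permit icmp any any
! ACL 102: ICMP sourced from RFC 1918 space (the exception, negated below)
access-list 102 permit icmp 10.0.0.0 0.255.255.255 any
access-list 102 permit icmp 172.16.0.0 0.15.255.255 any
access-list 102 permit icmp 192.168.0.0 0.0.255.255 any
!
! match-all: packet must be ICMP AND must NOT be from private space
class-map match-all copp
 match access-group 101
 match not access-group 102
!
! Drop what matches; no statements under class-default
policy-map copp
 class copp
  drop
!
control-plane
 service-policy input copp
```

Verify with "show policy-map control-plane" and "show ip access-lists"; the ACL hit counters distinguish private-sourced pings (ACL 102 matches, transmitted via class-default) from the dropped non-private ones.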
Anthony Sequeira, CCIE, CCSI, VCP
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv
Blogs and organic groups at http://www.ccie.net
Received on Wed Oct 31 2012 - 19:42:51 ART