4.1.1 Control Plane Policing

Information

This sequence describes configuring Control Plane Policing (CoPP).

Control Plane Policing prevents floods of certain packet types from overloading the switch or module CPU by either rate-limiting or dropping those packets.

The switch software provides several configurable classes of packets that can be rate-limited, including (but not limited to) ARP broadcasts, multicast, routing protocols (BGP, OSPF), and spanning tree. CoPP is always active and cannot be disabled.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Syntax:

switch# config
switch(config)# copp-policy test_1
switch(config-copp)# class <class> ?
drop Drop packets matching this class
factory-default Set this class to factory default configuration
priority Specify the priority for this class

switch(config-copp)# class <class> drop ?

switch(config-copp)# class <class> factory-default ?

switch(config-copp)# class <class> priority ?
<0-6> The priority for this class
switch(config-copp)# class <class> priority <0-6> ?
rate Specify the rate for this class
switch(config-copp)# class <class> priority <priority> rate ?
<25-99999> The rate for this class in units of packets per second
switch(config-copp)# class <class> priority <priority> rate <rate> ?
burst Specify the burst for this class
<cr>
switch(config-copp)# class <class> priority <priority> rate <rate> burst ?
<1-9999> The burst for this class in units of packets
switch(config-copp)# class <class> priority <0-6> rate <25-99999> burst <1-9999> ?
<cr>
switch(config-copp)# exit
switch(config)#

Example:

6300# config
6300(config)# copp-policy test_1
6300(config-copp)# class acl-logging priority 1 rate 50 burst 100
6300(config-copp)# default-class priority 2 rate 4225 burst 528
6300(config-copp)# exit
6300(config)# exit
6300#

Impact:

CoPP is crucial for protecting the control plane and preventing network outages. It does, however, require careful configuration and monitoring to avoid unintended side effects. Misconfiguration can lead to performance degradation, network disruptions, and management issues, such as:

- Excessive Policing: Overly restrictive CoPP policies can drop legitimate control plane traffic, leading to delayed or lost routing updates, impaired management access, and potentially impacting network performance.
- CPU Cycle Consumption: A policy that is not configured effectively can itself consume CPU cycles instead of relieving the CPU.
- Slow or Unresponsive CLI Sessions: High CPU utilization or resource exhaustion caused by excessive traffic to the control plane can make interactive sessions via the command-line interface (CLI) slow or unresponsive.
- Route Flaps: Excessive policing of line protocol keepalives or routing protocol updates (like BGP or OSPF updates) can lead to unstable routing, route flaps, neighbor adjacency flaps or timeouts, causing network instability.
- Resource Exhaustion: A poorly configured CoPP policy could lead to route processor resource exhaustion, resulting in resources like memory and buffers becoming unavailable for legitimate IP data packets.
- Unintended Errors: Incorrectly configured CoPP policies can lead to unintended consequences, such as blocking legitimate traffic or failing to adequately protect the control plane.
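As an added example (not part of the CIS benchmark, Nessus, or ArubaOS-CX itself), the Python below parses copp-policy stanzas out of a constructed running-config excerpt and audits each class line against the ranges from the Syntax section, flagging the over-policing case the Impact section warns about (a routing-protocol class set to drop). The class names ospf and bgp in the sample and the "protected" list are assumptions used for illustration.

```python
import re

# Constructed sample of an AOS-CX running-config excerpt (not captured from a real device).
# Class names "ospf" and "bgp" are illustrative assumptions.
SAMPLE_CONFIG = """\
hostname 6300
copp-policy test_1
    class acl-logging priority 1 rate 50 burst 100
    default-class priority 2 rate 4225 burst 528
copp-policy too_tight
    class ospf drop
    class bgp priority 7 rate 10 burst 100000
!
"""

# Valid ranges, taken from the CLI help in the Syntax section above.
PRIORITY_RANGE = (0, 6)
RATE_RANGE = (25, 99999)      # packets per second
BURST_RANGE = (1, 9999)       # packets

CLASS_RE = re.compile(
    r"^\s*(?:class\s+(?P<name>\S+)|default-class)"
    r"(?:\s+(?P<action>drop|factory-default)"
    r"|\s+priority\s+(?P<prio>\d+)(?:\s+rate\s+(?P<rate>\d+))?(?:\s+burst\s+(?P<burst>\d+))?)\s*$"
)

def parse_copp_policies(config_text):
    """Return {policy_name: [class dicts]} for every copp-policy stanza."""
    policies, current = {}, None
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("copp-policy "):
            current = line.split(None, 1)[1].strip()
            policies[current] = []
            continue
        if current is None or not line.startswith(" "):
            current = None  # left the stanza (next top-level command or '!')
            continue
        m = CLASS_RE.match(line)
        if m:
            num = lambda g: int(m.group(g)) if m.group(g) else None
            policies[current].append({"class": m.group("name") or "default-class",
                                      "action": m.group("action"), "priority": num("prio"),
                                      "rate": num("rate"), "burst": num("burst")})
    return policies

def audit_policy(classes, protected=("bgp", "ospf")):
    """Return finding strings; an empty list means the stanza passed every check."""
    findings = []
    for c in classes:
        if c["action"] == "drop" and c["class"] in protected:
            findings.append(f"{c['class']}: 'drop' discards routing-protocol traffic (route flap risk)")
        for field, (lo, hi) in (("priority", PRIORITY_RANGE), ("rate", RATE_RANGE), ("burst", BURST_RANGE)):
            if c[field] is not None and not lo <= c[field] <= hi:
                findings.append(f"{c['class']}: {field} {c[field]} outside {lo}-{hi}")
    return findings
```

Run it against a saved `show running-config` output to list every class whose priority, rate or burst falls outside the ranges the CLI accepts, or that drops a routing-protocol class outright.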

See Also

https://workbench.cisecurity.org/benchmarks/24202

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-7, 800-53|SC-4, CSCv7|13.3

Plugin: ArubaOS

Control ID: f91fbf51d06e9a715eea8b118cf4e213c20b9c9f23051cacaf938236eba1f20d