CoPP on a router

First I create the access lists that classify the traffic I want to control or allow to reach the router. Notice that there are several access lists: I define one per “function” so I can police the bandwidth of each independently. Below I have access lists for Routing, Management, Undesirable, and the remaining traffic (the DEFAULT access list).
ip access-list extended ROUTING
 remark Allow EIGRP Routing
 permit eigrp any 192.168.255.0 0.0.0.3
 permit eigrp any host 224.0.0.10
ip access-list extended MANAGEMENT
 remark Allow SSH
 permit tcp 10.136.3.0 0.0.0.255 10.136.6.0 0.0.0.255 eq 22
 permit tcp 10.136.3.0 0.0.0.255 eq 22 10.136.6.0 0.0.0.255 established
 remark Allow SNMP
 permit udp 10.136.3.0 0.0.0.255 10.136.6.0 0.0.0.255 eq snmp
 remark Allow NTP
 permit udp 10.136.3.0 0.0.0.255 10.136.6.0 0.0.0.255 eq ntp
 remark Allow ICMP
 permit icmp any 10.136.6.0 0.0.0.255 echo
 permit icmp any 10.136.6.0 0.0.0.255 echo-reply
 permit icmp any 10.136.6.0 0.0.0.255 ttl-exceeded
 permit icmp any 10.136.6.0 0.0.0.255 packet-too-big
 permit icmp any 10.136.6.0 0.0.0.255 port-unreachable
 permit icmp any 10.136.6.0 0.0.0.255 unreachable
ip access-list extended UNDESIRABLE
 permit icmp any any fragments
 permit udp any any fragments
 permit tcp any any fragments
 permit ip any any fragments
 permit udp any any eq 1434
 permit tcp any any eq 639 rst
ip access-list extended DEFAULT
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ip any any

Next we’ll configure the class maps, one for each ACL we created above.
class-map match-all Catch-All
 match access-group name DEFAULT
class-map match-all Management
 match access-group name MANAGEMENT
class-map match-all Undesirable
 match access-group name UNDESIRABLE
class-map match-all Routing
 match access-group name ROUTING

Now we configure a policy map. Each class in the policy map references a class map (which in turn matches an ACL), and we set what we want done with each class. In this case we police the traffic.
policy-map RTR_CoPP
 class Undesirable
  police 8000 1500 1500 conform-action drop exceed-action drop
 class Routing
  police 1000000 50000 50000 conform-action transmit exceed-action transmit
 class Management
  police 100000 20000 20000 conform-action transmit exceed-action drop
 class Catch-All
  police 50000 5000 5000 conform-action transmit exceed-action drop
 class class-default
  police 8000 1500 1500 conform-action transmit exceed-action transmit

Finally, apply the policy to the control plane.
Router(config)# control-plane
Router(config-cp)# service-policy input RTR_CoPP
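The policy map is evaluated top-down, so the order of its classes matters: a fragment matches both UNDESIRABLE and DEFAULT, and it is dropped only because Undesirable sits above Catch-All. As an added example (not from the original post), here is a small Python checker that parses an IOS configuration shaped like the one above and flags a class map whose ACL is missing, a policy class with no class map, or a drop class placed below the catch-all class; the embedded configuration is a constructed, trimmed copy of the post's.

```python
# Constructed, trimmed copy of the CoPP configuration from the post above
# (remarks and most ACL entries omitted; class order and police values kept).
COPP_CONFIG = """
ip access-list extended UNDESIRABLE
 permit ip any any fragments
ip access-list extended DEFAULT
 permit ip any any
class-map match-all Catch-All
 match access-group name DEFAULT
class-map match-all Undesirable
 match access-group name UNDESIRABLE
policy-map RTR_CoPP
 class Undesirable
  police 8000 1500 1500 conform-action drop exceed-action drop
 class Catch-All
  police 50000 5000 5000 conform-action transmit exceed-action drop
"""

def parse(config):
    # Returns ({acl: [entries]}, {class-map: acl}, [policy classes in order]).
    acls, cmaps, policy, name = {}, {}, [], None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        w = line.split()
        if line.startswith("ip access-list extended"):
            name, acls[w[3]] = w[3], []
        elif w[0] == "class-map":
            name = w[2]
        elif line.startswith("match access-group name"):
            cmaps[name] = w[3]
        elif w[0] == "class":  # a class inside the policy-map
            policy.append({"class": w[1], "conform": None})
        elif w[0] == "police":
            policy[-1]["conform"] = w[w.index("conform-action") + 1]
        elif w[0] == "permit":
            acls[name].append(line)
    return acls, cmaps, policy

def lint(config):
    # Returns a list of problems; an empty list means the policy is consistent.
    acls, cmaps, policy = parse(config)
    problems = [f"class-map {c} references undefined ACL {a}"
                for c, a in cmaps.items() if a not in acls]
    problems += [f"policy class {p['class']} has no class-map" for p in policy
                 if p["class"] != "class-default" and p["class"] not in cmaps]
    # The policy-map is evaluated top-down, so a packet matching both a drop
    # class and the catch-all ACL is handled by whichever class comes first.
    catch = [i for i, p in enumerate(policy)
             if "permit ip any any" in acls.get(cmaps.get(p["class"]), [])]
    problems += [f"drop class {p['class']} is shadowed by {policy[catch[0]]['class']}"
                 for i, p in enumerate(policy)
                 if catch and p["conform"] == "drop" and i > catch[0]]
    return problems
```

Run `lint` against the output of `show running-config` after pasting the relevant sections; an empty list means the ACL, class-map and policy-map references line up and no drop class is shadowed.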

Now that control plane traffic is policed, there is one more step to make sure we can still get to our systems when the network is going crazy. We want to be able to enter commands, view logs, and so on, so we configure the scheduler to reserve some CPU time for us.
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500

These are rough settings (per Cisco) but should work well as a starting point.
