Jan 27

One of my student friends from Cisco RTP suggested a great weekly addition to our blog – a sample task from a Mock Lab to challenge the blog faithful. Cool idea! Love it! To not spoil your fun when taking our Mock Labs, these tasks have been written specially so that there is no carryover.

My first installment is a topic that could easily appear on either the R/S Lab or the Security Lab. Enjoy! You are more than welcome to post your suggested solution in the comments. I will wait a week and then post a solution in there myself – along with some explanation text. If you enjoy this new blog installment, you should check out our products, because they are even better! :-)

Here we go!

8.0 Security

8.1 DoS Protection

You are concerned about DoS attacks against a key perimeter router in your company. Configure R1 so that it limits the aggregate rate of ARP traffic toward the route processor to 75 packets per second. Routing control traffic marked with an IP Precedence value of 6 should be limited to 100 packets per second.

2 points

NOTE: The solution and walkthrough are posted in the comments below dated February 6, 2009. Once again, this is a fraction of what you receive in our products!



12 Responses to “Cisco R/S and Security Lab Exam Challenge – DoS Protection”

  1. NTllect says:

    Hi!

    !
    class-map match-all RP
    match ip precedence 6
    class-map match-all ARP
    match protocol arp
    !
    !
    policy-map CoPP
    class ARP
    police rate 75 pps
    class RP
    police rate 100 pps
    !
    control-plane
    !
    service-policy input CoPP
    !

  2. Bobby says:

    Hi,

    This would be the configuration that I would use:

    ip cef

    class-map match-all IPPREC6
    match ip precedence 6

    class-map match-all ARP
    match protocol arp

    policy-map CoPP
    class ARP
    police rate 75 pps
    conform-action transmit
    exceed-action drop
    class IPPREC6
    police rate 100 pps
    conform-action transmit
    exceed-action drop

    control-plane
    service-policy input CoPP

  3. Deependra Malla says:

    class-map match-all Critical
    match precedence 6
    class-map match-all ARP
    match protocol arp
    !
    policy-map Security
    class ARP
    police rate 75 pps
    exceed-action drop
    violate-action drop
    class Critical
    police rate 100 pps
    exceed-action drop
    violate-action drop
    class class-default
    !
    control-plane
    service-policy input Security

  4. Jeff says:

    Without knowing which routing protocol(s) is/are running, and not being able to clarify if the 100 pps is inclusive of multiple protocols, I would use this config:

    ip cef
    !
    ip access-list extended CoPP_BGP
    remark — permit BGP –
    permit tcp any eq bgp any
    permit tcp any any eq bgp
    !
    ip access-list extended CoPP_IGP
    remark — permit EIGRP –
    permit eigrp any any
    remark — permit OSPF –
    permit ospf any any
    remark — permit RIP –
    permit udp any eq rip any
    permit udp any any eq rip
    !
    class-map match-all ARP
    match protocol arp
    !
    class-map match-all BGP
    match access-group name CoPP_BGP
    match ip precedence 6
    !
    class-map match-all IGP
    match access-group name CoPP_IGP
    match ip precedence 6
    !
    !
    policy-map CoPP
    class ARP
    police rate 75 pps
    conform-action transmit exceed-action drop
    class BGP
    police rate 100 pps
    conform-action transmit exceed-action drop
    !
    class IGP
    police rate 100 pps
    conform-action transmit exceed-action drop
    !
    !
    control-plane
    service-policy input CoPP
    !

  5. Frost says:

    ip access-list extended Routing-Protocols
    permit ospf any any
    permit tcp any eq bgp any
    permit tcp any any eq bgp
    permit eigrp any any
    permit udp any any eq rip
    permit udp any eq rip any

    class-map match-all ARP
    match protocol arp

    class-map match-all Routing-Protocols-6
    match ip precedence 6
    match access-group name Routing-Protocols

    policy-map cpp
    class ARP
    police rate 75 pps conform-action transmit exceed-action drop
    class Routing-Protocols-6
    police rate 100 pps conform-action transmit exceed-action drop

    control-plane
    service-policy input cpp

  6. Jeff says:

    Frost,

    I like the way you grouped IGPs and BGP together; that meets the requirements better than my solution…

  7. Carlos Yoncon says:

    I think this sounds paranoid, but anyway:
    Assuming that ODR can be considered a routing protocol, then we should add another filter.

    I think the first step before jumping into the solution would be “asking the proctor” about the assumption of all routing protocols being marked with IP prec 6. That would ease the details of the solution.

  8. Jeff says:

    Hrm…ODR is passed thru CDP frames; are they marked with IP precedence?

  9. Carlos Yoncon says:

    Hey Jeff, exactly, that's my point: it's L2 being used as a routing protocol, with no IP Prec. That's why, and maybe you can correct me, this is a good example of a go-ask-the-proctor type of task.

  10. Jeff says:

    I would consider ODR an exception to the requirement in this particular instance.

    But, hopefully he will chime in with some insight when he posts his solution… :)

  11. The Solution Configuration:

    R1:
    class-map CM_ARP
    match protocol arp
    !
    class-map CM_ROUTING
    match ip precedence 6
    !
    policy-map PM_COPP
    class CM_ARP
    police rate 75 pps
    class CM_ROUTING
    police rate 100 pps
    !
    !
    control-plane
    service-policy input PM_COPP

    Critical Verification Commands:
    show policy-map control-plane

    Control plane policing (CoPP) allows you to control the rate for traffic destined to or originated from the router process. This traffic includes all process-switched traffic, such as IP packets with options or packets logged by an access-list. Other types of traffic directed to the router process include routing updates, Telnet sessions, and any other traffic directed to the router itself.

    The router may generate outgoing traffic, including ICMP responses, returning Telnet session traffic, outgoing IGP/BGP updates, outgoing Telnet sessions, etc.

    In order to control this traffic, you need to define traffic classes using MQC syntax and apply a special control-plane policy-map. The only applicable policy-map actions are “drop” or “police”. For classification, you may use an IP access-list with DSCP/IP precedence matching. Additionally, you can match protocol ARP directly in the class-maps. Do not try to use NBAR to classify the control plane traffic, for it may have unpredictable results.

    For the “police” action, CPP supports a unique packet-per-second rate-limiting feature. Using the command police rate pps you can specify the aggregate rate for a class in packets per second. You can optionally specify the burst size (amount of packets received instantly) if you need to fine-tune your configuration. Note that this feature only works with CoPP policy-maps.

    DOC-CD Location:
    Cisco IOS Software – 12.4 Family – 12.4 Mainline – C.G. -Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4 – Part 4: Policing and Shaping – Configuring Traffic Policing – Control Plane Policing
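    The verification command above only shows raw counters. As an added example (not part of the original post and not a Cisco tool), the Python script below parses a constructed `show policy-map control-plane` output modeled on the PM_COPP policy, checks that each class is configured with the rate the task demands (75 pps for ARP, 100 pps for precedence 6 routing traffic), and flags any class whose exceeded counter is non-zero, which is the signal that the policer is actively dropping and that either a flood is under way or the rate is too tight for the legitimate load. The sample output and its counters are constructed for illustration, and the regexes assume the 12.4-style layout shown; other IOS releases may print the police block slightly differently.

```python
import re

# Constructed sample, modeled on the solution's PM_COPP policy. The packet
# counts are made up for illustration, not captured from a real router.
SAMPLE_SHOW_OUTPUT = """\
Control Plane

  Service-policy input: PM_COPP

    Class-map: CM_ARP (match-all)
      1240 packets, 74400 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol arp
      police:
          rate 75 pps, burst 18 packets
        conformed 1180 packets, 70800 bytes; actions:
          transmit
        exceeded 60 packets, 3600 bytes; actions:
          drop
        conformed 0 pps, exceeded 0 pps

    Class-map: CM_ROUTING (match-all)
      5321 packets, 532100 bytes
      5 minute offered rate 1000 bps, drop rate 0 bps
      Match: ip precedence 6
      police:
          rate 100 pps, burst 24 packets
        conformed 5321 packets, 532100 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 2 pps, exceeded 0 pps

    Class-map: class-default (match-any)
      91002 packets, 6120033 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: any
"""

# One regex per line type we care about. Anchoring on "rate" at the start of
# the line keeps "5 minute offered rate ..." from being mistaken for the
# configured policer rate, and requiring "packets," keeps the per-second
# summary line ("conformed 0 pps, exceeded 0 pps") from matching.
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
RATE_RE = re.compile(r"^\s*rate\s+(\d+)\s+pps(?:,\s+burst\s+(\d+)\s+packets)?")
CONFORMED_RE = re.compile(r"^\s*conformed\s+(\d+)\s+packets,\s+\d+\s+bytes;")
EXCEEDED_RE = re.compile(r"^\s*exceeded\s+(\d+)\s+packets,\s+\d+\s+bytes;")


def parse_copp(text):
    """Return one dict per class-map: name, match type, pps rate, burst,
    conformed and exceeded packet counters (None where not present)."""
    classes = []
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"name": m.group(1), "match_type": m.group(2),
                       "rate_pps": None, "burst": None,
                       "conformed": None, "exceeded": None}
            classes.append(current)
            continue
        if current is None:
            continue  # header lines before the first class-map
        m = RATE_RE.match(line)
        if m:
            current["rate_pps"] = int(m.group(1))
            current["burst"] = int(m.group(2)) if m.group(2) else None
            continue
        m = CONFORMED_RE.match(line)
        if m:
            current["conformed"] = int(m.group(1))
            continue
        m = EXCEEDED_RE.match(line)
        if m:
            current["exceeded"] = int(m.group(1))
    return classes


def find_exceeding(classes):
    """Names of classes whose policer has dropped at least one packet."""
    return [c["name"] for c in classes if c["exceeded"]]


def check_rates(classes, expected):
    """Compare configured pps rates against the task's requirements.
    `expected` maps class name -> required pps. Returns a list of problems."""
    actual = {c["name"]: c["rate_pps"] for c in classes}
    problems = []
    for name, pps in expected.items():
        if name not in actual:
            problems.append(f"{name}: class missing from policy")
        elif actual[name] != pps:
            problems.append(f"{name}: configured {actual[name]} pps, expected {pps} pps")
    return problems


if __name__ == "__main__":
    parsed = parse_copp(SAMPLE_SHOW_OUTPUT)
    for c in parsed:
        print(f"{c['name']:<14} rate={c['rate_pps']} burst={c['burst']} "
              f"conformed={c['conformed']} exceeded={c['exceeded']}")
    print("rate problems:", check_rates(parsed, {"CM_ARP": 75, "CM_ROUTING": 100}))
    print("classes dropping:", find_exceeding(parsed))
```

In practice you would feed the script the saved output of `show policy-map control-plane` taken a few minutes apart; a growing exceeded counter on CM_ARP while CM_ROUTING stays clean is the pattern to expect from an ARP flood against the perimeter router, whereas drops in CM_ROUTING warrant a look at whether 100 pps is enough for the adjacencies the router actually carries.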

  12. Peter says:

    Hi,

    Wouldn't control plane protection suffice?

    We can apply the policing for ARP on the cef-exception subinterface,
    and then apply the policing for routing protocol traffic to the host subinterface.
