Control Plane Policing

Control Plane Policing or Policies (CoPP) ensures the CPU and control plane are not over-utilized which is essential for the robustness of the switch. CoPP limits the number of control plane packets. Onyx implements several CoPP mechanisms:

  • ACLs may be used to limit the rate of packets or bytes of a certain type, including L3 control packets (L2 control packets are forwarded to the CPU before the ACL)

  • Policers on traffic going to the CPU—these policers are configured by Onyx and cannot be modified by the user

  • IP filter tables limit the traffic to the CPU coming in from the management ports

IP table filtering is a mechanism that allows the user to apply actions to a specific control packet flow identified by a certain flow key.

This mechanism is used in order to protect switch control traffic against attacks. For example, it could allow traffic coming from a specific trusted management subnet only, block the SNMP UDP port from receiving traffic, and force ping rate to be lower than a specific threshold.
Each IP table rule is defined by key, priority, and action:

  • Key—the key is a combination of physical port and layer 3 parameters (e.g. SIP, DIP, SPORT, DPORT, etc.), and other fields. Each part of the key, can be set to a specific value or masked.

  • Priority—each rule in the IP table is assigned a priority, and the rule with the highest priority whose key matches the packet executes the action.

  • Action—the action describes the behavior of packets which match the key. The action type may be drop, accept, rate limit, etc.

An IP-table rule is bound to an IP interface that can be a management out-of-band interface, VLAN interface, or router port interface. Once bound, all traffic received (ingress rule) or transmitted (egress rule) in this direction is being verified with all bounded rules.

Once a match was found, the rule action is executed. If no match is found, the default policy of the chain shall apply.

Warning

IP table rules get a lower priority than ACL mechanism.

Warning

In the rare case that IP filter is used while the input policy is "drop" (i.e., ip filter chain input policy drop) and an NTP server or is used, then the following rule needs to be added that allows src-ip 127.0.0.1 (which is a requirement for any clustered application and NTP):

ip filter chain input rule append tail target accept dup-delete source-addr 127.0.0.1 /32

Configuring IP Table Filtering

Prerequisite for IPv6:

Copy
Copied!
            

switch (config) # ipv6 enable

To configure IPv4 table filtering:

  1. Select the policy that applies to the input/output chain (default is “accept”). Run:

    Copy
    Copied!
                

    switch (config)# ip filter chain input policy drop switch (config)# ip filter chain output policy accept

  2. Append filtering rules to the list or set a specific rule number, select a target, and (optional) any additional filter conditions. For example, run:

    Copy
    Copied!
                

    switch (config)# ip filter chain input rule append tail target rate-limit 2 protocol udp switch (config)# ip filter chain input rule set 2 target drop protocol icmp in-intf mgmt1 switch (config)# ip filter chain output rule append tail target drop protocol icmp

  3. Enable IP table filtering. Run:

    Copy
    Copied!
                

    switch (config) # ip filter enable

  4. Verify IP table filtering configuration. Run:

    Copy
    Copied!
                

    switch (config) # show ip filter configured   Packet filtering for IPv4: enabled   IPv4 configuration: Chain 'input' Policy 'accept': Rule 1: Target : rate-limit 2 pps Protocol : udp Source : all Destination : all Interface : all State : any Other Filter: -   Rule 2: Target : drop Protocol : icmp Source : all Destination : all Interface : mgmt1 (ingress) State : any Other Filter: -   Chain 'output' Policy 'accept': Rule 1: Target : drop Protocol : icmp Source : all Destination : all Interface : all State : any Other Filter: -

Modifying IP Table Filtering

To modify IP table filtering configuration:

Copy
Copied!
            

switch (config) # ip filter chain input rule modify 3 target reject-with icmp6-adm-prohibited source-addr 10::0 /126

To delete an existing IP table filtering rule:

Copy
Copied!
            

switch (config) # no ip filter chain input rule 2

To delete all existing IP table filtering rules:

Copy
Copied!
            

switch (config) # no ip filter chain output rule all

To insert an IP table filtering rule in a chain:

Copy
Copied!
            

switch (config) # ip filter chain input rule 2 set target drop protocol tcp dest-port 22 in-intf mgmt1

Rate-Limit Rule Configuration

Using a rate-limit target allows to create a rule to limit the rate of certain traffic types. The limit is specified in packets per second (pps) and can be anywhere between 1-1000 pps. When enabled, the system takes the user specified rate and converts it into units of 1/10000 of a second. Therefore, any value greater than 100 can have a slight difference when the rule is displayed using the show command.

Unlike other rules which are a match type of rule, limiting packets should be followed by a rule that drops additional packets of the same “type”. Alternatively, this can be implicitly achieved by setting the chain policy to “drop” so that it drops packets not processed by matching rules. Otherwise, no effect of the rule is observed as the remaining traffic simply gets accepted.

Warning

Rate-limit is implemented with an average rate and a burst-limit. Rate values are specified in pps and take a range from 1-1000 pps. For rate values in the range 1-100, the burst value is set equal to the rate value. For rate values in the range 101-1000, the burst limit is set to 100.

ip filter enable | ipv6 filter enable

{ip | ipv6} filter enable
no {ip | ipv6} filter enable

Enables IP filtering.
The no form of the command disables IP filtering.

Syntax Description

N/A

Default

Disabled

Configuration Mode

config

History

3.5.1000

Example

switch (config) # ip filter enable

Related Commands

Notes

It is recommended to run this command only after configuring all of the IP table filter parameters.

ip filter chain policy | ipv6 filter chain policy

{ip | ipv6} filter chain <chain_name> policy {accept | drop}
no {ip | ipv6} filter chain <chain_name> policy

Configures default policy for a specific chain (if no rule matches this default policy action shall apply).
The no form of the command resets default policy for a specific chain.

Syntax Description

chain_name

Selects a chain for which to add or modify a filter:

  • input –input chain or ingress interfaces

  • output –output chain or egress interfaces

accept

Accepts all traffic by default for this chain

drop

Drops all traffic by default for this chain

Default

Accept for input and output chains

Configuration Mode

config

History

3.5.1000

Example

switch (config) # ipv6 filter chain input policy accept

Related Commands

Notes

ip filter chain rule target | ipv6 filter chain rule target

{ip | ipv6} filter chain <chain_name> rule <oper> target <target> [<param>]
no {ip | ipv6} filter chain <chain_name> rule {<number> | all}

Inserts rule before specified rule number.
The no form of the command deletes rule for a specific chain.

Syntax Description

chain_name

A chain to which to add or modify a filter:

  • input –input chain or ingress interfaces

  • output –output chain or egress interfaces

rule

  • append tail –appends operation to the bottom of operation list

  • insert <oper_num> –inserts operation at specified position (existing operation at that position moves back in the list)

  • modify <oper_num> –modifies existing operation at specified position. Only the parameters specified in this invocation are altered; everything else is left untouched.

  • move <oper_num1> to <oper_num2> –moves one operation to another place in the operation list

  • set <oper_num> –sets operation at specified position (overwrites existing)

target

  • accept –allows the packets that match the rule into the management plane

  • drop –drops packets that match the rule

  • rate-limit –allows with rate limiting in packets per sec (PPS)

  • reject-with –drops the packet and replies with an ICMP error message

param

  • comment <text> –specifies description string for this rule (60 chars max)

  • dest-addr <ip> –IP matching a specific destination address or address range. A specific IPv4 address can be provided or an entire subnet by giving an address along with netmask in dot notation or as a CIDR notation (e.g.
    /24).

  • not-dest-addr <ip> –IP not matching a specific destination address range

  • dest-port <port(s)> –matching a specific destination port or port range

  • not-dest-port <port(s)> –port not matching a specific destination port or port range

  • dup-delete –deletes any preexisting duplicates of this rule

  • in-intf –interface matching a specific inbound interface

  • not-in-intf <if_name> –interface not matching a specific inbound interface

  • out-intf <if_name> –matches a specific outbound interface

  • not-out-intf <if_name> –interface not matching a specific outbound interface

param4 (cont.)

  • protocol <if_name> –matches a specific protocol

  • tcp

  • udp

  • icmp

  • all

  • not-protocol <protocol> –does not match a specific protocol

  • tcp

  • udp

  • icmp

  • all

  • source-addr <ip> –matches a specific source address range

  • not-source-addr <ip> –does not match a specific source address range

  • source-port <port(s)> –matches a specific source port or port range

  • not-source-port <port(s)> –does not match a specific source port or port range

  • state –matches packets in a particular state. Possible values:

  • established –packet associated with an established connection which has seen traffic in both directions

  • related –packet that starts a new connection but is related to an existing connection

  • new –packet that starts a new, unrelated connection

  • A combination can be entered separated by commas

Default

N/A

Configuration Mode

config

History

3.5.1000

Example

switch (config) # ipv6 filter enable chain input rule append tail target drop state related protocol all dup-delete

Related Commands

Notes

  • The source and destination ports may each be either a single number, or a range specified as “<low>-<high>”. For example: “10-20” would specify ports 10 through 20 (inclusive).

  • The port parameter only works in conjunction with TCP and UDP

  • Setting a “positive” rule removes any corresponding “not-” rules, and vice-versa

  • The “state” parameter is a classification of the packet relative to existing connections

  • If TCP or UDP are selected for the “protocol” parameter, source and/or destination ports may be specified. If ICMP is selected, these options are either ignored, or an error is produced.

ip filter options include-bridges

{ip | ipv6} filter options include-bridges
no {ip | ipv6} filter options include-bridges

Applies IP filters to bridges

Syntax Description

N/A

Default

Disabled

Configuration Mode

config

History

3.5.1000

Example

switch (config) # ip filter options include-bridges

Related Commands

Notes

show ip filter

show ip filter

Displays IPv4 filtering state.

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

switch (config) # show ip filter

Packet filtering for IPv4: enabled

Active IPv4 filtering rules (omitting any not from configuration):
Chain 'input' Policy 'accept':
Rule 1:
Target : accept
Protocol : all
Source : all
Destination : 1.1.1.0/24
Interface : all
State : any
Other Filter: -

Chain 'output' Policy 'accept':
Rule 1:
Target : reject-with icmp-net-unreachable
Protocol : tcp
Source : all
Destination : all
Interface : all
State : any
Other Filter: dest-port 1000

Related Commands

Notes

show ip filter all

show ip filter all

Displays IPv4 filtering state (including un-configured rules).

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

Destination : 1.1.1.0/24
Interface : all
State : any
Other Filter: -

Chain 'output' Policy 'accept':
Rule 1:
Target : reject-with icmp-net-unreachable
Protocol : tcp
Source : all
Destination : all
Interface : all
State : any
Other Filter: dest-port 1000

Related Commands

Notes

show ip filter configured

show ip filter configured

Displays IPv4 filtering configuration.

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

switch (config) # show ip filter configured

Packet filtering for IPv4: enabled

IPv4 configuration:
Chain 'input' Policy 'accept':
Rule 1:
Target : accept
Protocol : all
Source : all
Destination : 1.1.1.0/24
Interface : all
State : any
Other Filter: -

Chain 'output' Policy 'accept':
Rule 1:
Target : reject-with icmp-net-unreachable
Protocol : tcp
Source : all
Destination : all
Interface : all
State : any
Other Filter: dest-port 1000

Related Commands

Notes

show ipv6 filter

show ipv6 filter

Displays IPv6 filtering state.

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

switch (config) # show ipv6 filter

Packet filtering for IPv6: enables

Active IPv6 filtering rules (omitting any not from configuration):
Chain 'input' Policy 'accept':
Rule 1:
Target : accept
Protocol : all
Source : all
Destination : 1.1.1.0/24
Interface : all
State : any
Other Filter: -

Chain 'output' Policy 'accept':
Rule 1:
Target : reject-with icmp-net-unreachable
Protocol : tcp
Source : all
Destination : all
Interface : all
State : any
Other Filter: dest-port 1000

Related Commands

Notes

show ipv6 filter all

show ipv6 filter all

Displays IPv6 filtering state (including un-configured rules).

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

switch (config) # show ipv6 filter all

Packet filtering for IPv6: enables

All active IPv6 filtering rules:
Chain 'input' Policy 'accept':
Rule 1:
Target : accept
Protocol : all
Source : all
Destination : 1.1.1.0/24
Interface : all
State : any
Other Filter: -

Chain 'output' Policy 'accept':
Rule 1:
Target : reject-with icmp-net-unreachable
Protocol : tcp
Source : all
Destination : all
Interface : all
State : any
Other Filter: dest-port 1000

Related Commands

Notes

show ipv6 filter configured

show ipv6 filter configured

Displays IPv6 filtering configuration.

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

switch (config) # show ipv6 filter configured

Packet filtering for IPv6: enables

IPv6 configuration:
Chain 'input' Policy 'accept':
Rule 1:
Target : accept
Protocol : all
Source : all
Destination : 1.1.1.0/24
Interface : all
State : any
Other Filter: -

Chain 'output' Policy 'accept':
Rule 1:
Target : reject-with icmp-net-unreachable
Protocol : tcp
Source : all
Destination : all
Interface : all
State : any
Other Filter: dest-port 1000

Related Commands

Notes

© Copyright 2023, NVIDIA. Last updated on Sep 8, 2023.