Control Plane Policing (CoPP)
Control Plane Policing or Policies (CoPP) ensures the CPU and control plane are not over-utilized which is essential for the robustness of the switch. CoPP limits the number of control plane packets.
This software implements several CoPP mechanisms:
ACLs may be used to limit the rate of packets or bytes of a certain type, including L3 control packets (L2 control packets are forwarded to the CPU before the ACL)
Policers on traffic going to the CPU—these policers are configured by the operating system and cannot be modified by the user
IP filter tables limit the traffic to the CPU coming in from the management ports
IP table filtering is a mechanism that allows the user to apply actions to a specific control packet flow identified by a certain flow key.
This mechanism is used in order to protect switch control traffic against attacks. For example, it could allow traffic coming from a specific trusted management subnet only, block the SNMP UDP port from receiving traffic, and force ping rate to be lower than a specific threshold.
Each IP table rule is defined by key, priority, and action:
Key—the key is a combination of physical port and layer 3 parameters (e.g. SIP, DIP, SPORT, DPORT, etc.), and other fields. Each part of the key, can be set to a specific value or masked.
Priority—each rule in the IP table is assigned a priority, and the rule with the highest priority whose key matches the packet executes the action.
Action—the action describes the behavior of packets which match the key. The action type may be drop, accept, rate limit, etc.
An IP-table rule is bound to an IP interface that can be a management out-of-band interface, VLAN interface, or router port interface. Once bound, all traffic received (ingress rule) or transmitted (egress rule) in this direction is being verified with all bounded rules.
Once a match was found, the rule action is executed. If no match is found, the default policy of the chain shall apply.
IP table rules get a lower priority than ACL mechanism.
In the rare case that IP filter is used while the input policy is "drop" (i.e., ip filter chain input policy drop) and an NTP server or an MLAG switch is used, then the following rule needs to be added that allows src-ip 127.0.0.1 (which is a requirement for any clustered application (e.g., mlag-vip) and NTP):
ip filter chain input rule append tail target accept dup-delete source-addr 127.0.0.1 /32
Configuring IP Table Filtering
Prerequisite for IPv6:
switch
(config) # ipv6 enable
To configure IPv4 table filtering:
Select the policy that applies to the input/output chain (default is “accept”). Run:
switch
(config)# ip filter chain input policy dropswitch
(config)# ip filter chain output policy acceptAppend filtering rules to the list or set a specific rule number, select a target, and (optional) any additional filter conditions. For example, run:
switch
(config) # ip filter chain input rule append tail target rate-limit2
protocol udpswitch
(config) # ip filter chain input rule set2
target drop protocol icmp in-intf mgmt1switch
(config) # ip filter chain output rule append tail target drop protocol icmpEnable IP table filtering. Run:
switch
(config) # ip filter enableVerify IP table filtering configuration. Run:
switch
(config) # show ip filter configured Packet filteringfor
IPv4: enabled IPv4 configuration: Chain'input'
Policy'accept'
: Rule1
: Target : rate-limit2
pps Protocol : udp Source : all Destination : all Interface : all State : any Other Filter: - Rule2
: Target : drop Protocol : icmp Source : all Destination : all Interface : mgmt1 (ingress) State : any Other Filter: - Chain'output'
Policy'accept'
: Rule1
: Target : drop Protocol : icmp Source : all Destination : all Interface : all State : any Other Filter: -
Modifying IP Table Filtering
To modify IP table filtering configuration:
switch
(config) # ip filter chain input rule modify 3
target reject-with icmp6-adm-prohibited source-addr 10
::0
/126
To delete an existing IP table filtering rule:
switch
(config) # no ip filter chain input rule 2
To delete all existing IP table filtering rules:
switch
(config) # no ip filter chain output rule all
To insert an IP table filtering rule in a chain:
switch
(config) # ip filter chain input rule 2
set target drop protocol tcp dest-port 22
in-intf mgmt1
Rate-Limit Rule Configuration
Using a rate-limit target allows to create a rule to limit the rate of certain traffic types. The limit is specified in packets per second (pps) and can be anywhere between 1-1000 pps. When enabled, the system takes the user specified rate and converts it into units of 1/10000 of a second. Therefore, any value greater than 100 can have a slight difference when the rule is displayed using the show command.
Unlike other rules which are a match type of rule, limiting packets should be followed by a rule that drops additional packets of the same “type”. Alternatively, this can be implicitly achieved by setting the chain policy to “drop” so that it drops packets not processed by matching rules. Otherwise, no effect of the rule is observed as the remaining traffic simply gets accepted.
Rate-limit is implemented with an average rate and a burst-limit. Rate values are specified in pps and take a range from 1-1000 pps. For rate values in the range 1-100, the burst value is set equal to the rate value. For rate values in the range 101-1000, the burst limit is set to 100.
IP Table Filtering Default Rules
IP table filtering is enabled and Firewall default IP filter rules are applied.
To reset/apply default rules on system, run the command “ip filter reset-to-default-rules”
To enable IP Filter, run the command “ip filter enable”
To list the default firewall rules, run the command “show ip filter”
Note when touching a default rule (delete/move/modify) all IP Filter rules will be reflected on “show running-config”, to restore default rules, run the command “ip filter reset-to-default-rules”
Restoring factory default configuration will reset the default rules and enable the feature
Firewall Default Rules
Prerouting-Mangle Chain Rules |
|
Input Chain Rules |
|
Output Chain Rules |
|
Logging Chain Rules |
|
ip filter enable | ipv6 filter enable
{ip | ipv6} filter enable Enables IP filtering. | ||
Syntax Description | N/A | |
Default | ip Enabled | |
Configuration Mode | config | |
History | 3.5.1000 | |
Example | switch (config) # ip filter enable | |
Related Commands | ||
Notes | It is recommended to run this command only after configuring all of the IP table filter parameters. |
ip filter chain policy | ipv6 filter chain policy
{ip | ipv6} filter chain <chain_name> policy {accept | drop} Configures default policy for a specific chain (if no rule matches this default policy action shall apply). | ||
Syntax Description | chain_name | Selects a chain for which to add or modify a filter:
|
accept | Accepts all traffic by default for this chain | |
drop | Drops all traffic by default for this chain | |
Default | Accept for input and output chains | |
Configuration Mode | config | |
History | 3.5.1000 | |
Example | switch (config) # ipv6 filter chain input policy accept | |
Related Commands | ||
Notes |
ip filter chain rule target | ipv6 filter chain rule target
{ip | ipv6} filter chain <chain_name> rule <oper> target <target> [<param>] Inserts rule before specified rule number. | ||
Syntax Description | chain_name | A chain to which to add or modify a filter:
|
rule |
| |
target |
| |
param |
| |
param4 (cont.) |
| |
Default | N/A | |
Configuration Mode | config | |
History | 3.5.1000 | |
Example | switch (config) # ipv6 filter enable chain input rule append tail target drop state related protocol all dup-delete | |
Related Commands | ||
Notes |
|
ip filter options include-bridges
{ip | ipv6} filter options include-bridges Applies IP filters to bridges | ||
Syntax Description | N/A | |
Default | Disabled | |
Configuration Mode | config | |
History | 3.5.1000 | |
Example | switch (config) # ip filter options include-bridges | |
Related Commands | ||
Notes |
ip filter reset-to-default-rules
ip filter reset-to-default-rules Deletes all configured IP filter rules and add the default rules defined in the user manual under section "IP Table Filtering Default Rules", above. | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | config | |
History | 3.10.3000 | |
Example | switch (config) # ip filter reset-to-default-rules | |
Related Commands | ||
Notes |
show ip filter
show ip filter Displays IPv4 filtering state. | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | config | |
History | 3.6.6000 | |
Example |
| |
Related Commands | ||
Notes |
show ip filter all
show ip filter all Displays IPv4 filtering state (including un-configured rules). | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | config | |
History | 3.6.6000 | |
Example |
| |
Related Commands | ||
Notes |
show ip filter configured
show ip filter configured Displays IPv4 filtering configuration. | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | config | |
History | 3.6.6000 | |
Example |
| |
Related Commands | ||
Notes |
show ipv6 filter
show ipv6 filter Displays IPv6 filtering state. | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | config | |
History | 3.6.6000 | |
Example |
| |
Related Commands | ||
Notes |
show ipv6 filter all
show ipv6 filter all Displays IPv6 filtering state (including un-configured rules). | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | config | |
History | 3.6.6000 | |
Example |
| |
Related Commands | ||
Notes |
show ipv6 filter configured
show ipv6 filter configured Displays IPv6 filtering configuration. | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | config | |
History | 3.6.6000 | |
Example |
| |
Related Commands | ||
Notes |