Cisco OL-4015-08 User Manual, Page 24
376
Cross-Platform Release Notes for Cisco IOS Release 12.0S
OL-1617-14 Rev. Q0
Caveats
Resolved Caveats—Cisco IOS Release 12.0(33)S7
Control Plane Policing (CoPP) can be used to block untrusted UDP traffic to the device. Cisco IOS
software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can
be configured on a device to help protect the management and control planes and minimize the risk
and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic that
is sent to infrastructure devices in accordance with existing security policies and configurations. The
CoPP example below should be included as part of the deployed CoPP, which will help protect all
devices with IP addresses in the infrastructure IP address range.
! Feature: Network Time Protocol (NTP).
! Exempt NTP from trusted sources. In a CoPP ACL a "deny" ACE keeps the packet out of the
! class-map, so it is NOT subject to the policy-map action.
access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 123
! Match NTP traffic from all other sources destined to the device control plane. A "permit"
! ACE places the packet in the class-map, where the policy-map drops it.
access-list 150 permit udp any any eq 123
! Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4 traffic in accordance
! with existing security policies and configurations for traffic that is authorized to be
! sent to infrastructure devices.
! Create a Class-Map for traffic to be policed by the CoPP feature.
class-map match-all drop-udp-class
 match access-group 150
! Create a Policy-Map that will be applied to the Control-Plane of the device.
policy-map drop-udp-traffic
 class drop-udp-class
  drop
! Apply the Policy-Map to the Control-Plane of the device.
control-plane
 service-policy input drop-udp-traffic
In the above CoPP example, the access control list entries (ACEs) that match the potential exploit
packets with the "permit" action cause those packets to be discarded by the policy-map "drop"
function, while packets that match an ACE with the "deny" action (here, NTP from the trusted
sources) are excluded from the class and are not affected by the policy-map drop function. Packets
that match no ACE fall into class-default and are likewise not dropped by this policy. Note that
this is the opposite of the usual reading of permit and deny in an interface ACL.
Rate limiting the traffic to the device

The CoPP example below could be included as part of the deployed CoPP, which will help protect
targeted devices from processing large amounts of NTP traffic. It is an alternative to the blocking
example above and reuses access-list number 150; do not apply both ACL definitions to the same device.
Warning: If the rate limits are exceeded, valid NTP traffic may also be dropped.
! Feature: Network Time Protocol (NTP).
access-list 150 permit udp any any eq 123
! Create a Class-Map for traffic to be policed by the CoPP feature.
class-map match-all rate-udp-class
 match access-group 150
! Create a Policy-Map that will be applied to the Control-Plane of the device. NOTE: See section
! "4. Tuning the CoPP Policy" of
! http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html#5 for more information on
! choosing the most appropriate traffic rates.
policy-map rate-udp-traffic
 class rate-udp-class
  police 10000 1500 1500 conform-action transmit exceed-action drop violate-action drop
! Apply the Policy-Map to the Control-Plane of the device. The policy-map name must match the
! one defined above (rate-udp-traffic, not the drop-udp-traffic policy from the blocking example).
control-plane
 service-policy input rate-udp-traffic
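The two behaviours described above, the inverted permit/deny semantics of a CoPP class-map ACL and the policer that can also discard legitimate NTP when the rate is exceeded, are modelled in the following Python example. It is an added illustration, not code from the release notes or from Cisco; it parses the numbered-ACL syntax shown on this page and evaluates packets against it the way the control-plane service-policy would. It assumes the TRUSTED_SOURCE_ADDRESSES WILDCARD placeholder is filled in with the constructed value 192.0.2.0 0.0.0.255, and it simplifies the single-rate policer to one bucket, which is exact only because the page's example drops on both exceed and violate.

```python
"""Model of the CoPP ACL semantics and policer from the NTP mitigation page.

Added example, not Cisco's code.  ACL_150 below uses a constructed trusted
range (192.0.2.0/24, RFC 5737 documentation space) in place of the
TRUSTED_SOURCE_ADDRESSES WILDCARD placeholder on the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACL_150 = [
    "access-list 150 deny udp 192.0.2.0 0.0.0.255 any eq 123",   # trusted NTP peers (assumed)
    "access-list 150 permit udp any any eq 123",                  # everything else on udp/123
]


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "udp", "tcp" or "ip"
    src: Tuple[int, int]      # (address, wildcard); a 1 bit in the wildcard means "don't care"
    dst: Tuple[int, int]
    dport: Optional[int]      # from "eq N", or None when the ACE has no port qualifier


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A' | 'A W' at tokens[i]; return ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not a numbered ACL line: " + line)
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def _addr_matches(spec: Tuple[int, int], addr: str) -> bool:
    base, wild = spec
    # Cisco wildcard: compare only the bits that are 0 in the wildcard mask.
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF) == 0


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    if ace.proto not in ("ip", proto):
        return False
    if not (_addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)):
        return False
    return ace.dport is None or ace.dport == dport


def copp_action(acl_lines: List[str], class_action: str,
                proto: str, src: str, dst: str, dport: int) -> str:
    """What the control-plane service-policy does with one packet.

    CoPP inverts the usual reading of the ACL: a matching "permit" ACE puts the
    packet into the class-map, so the policy-map action (e.g. "drop") applies;
    a matching "deny" ACE keeps it out of the class, so it reaches the control
    plane untouched.  A packet matching no ACE lands in class-default, which
    in these examples has no action, so it is transmitted as well.
    """
    for ace in (parse_ace(line) for line in acl_lines):
        if ace_matches(ace, proto, src, dst, dport):
            return class_action if ace.action == "permit" else "transmit"
    return "transmit"


class Policer:
    """'police <cir bps> <bc> <be> conform-action transmit exceed-action drop violate-action drop'.

    Since exceed and violate both drop here, only the Bc bucket decides the
    outcome: a packet is transmitted if the bucket holds at least its size in
    bytes.  Tokens refill at cir/8 bytes per second, capped at bc.
    """

    def __init__(self, cir_bps: int, bc_bytes: int) -> None:
        self.rate = cir_bps / 8.0
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)
        self.last = 0.0

    def offer(self, size: int, now: float) -> str:
        self.tokens = min(self.bc, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return "transmit"
        return "drop"


def police_stream(arrivals: List[Tuple[float, int]],
                  cir_bps: int = 10000, bc_bytes: int = 1500) -> List[str]:
    """Run (time_s, size_bytes) arrivals through the page's 'police 10000 1500 1500'."""
    p = Policer(cir_bps, bc_bytes)
    return [p.offer(size, t) for t, size in arrivals]
```

A 76-byte frame (20 IP + 8 UDP + 48 NTP) is a realistic NTP packet: a burst of 40 such packets at once gets only the first 19 through a 1500-byte Bc bucket, and one second later, with 1250 bytes refilled, another 17, regardless of whether the sender is a trusted peer. That is the warning on this page made concrete: the rate-limiting example has no trusted-source exemption, so tune the rate against the real NTP load before deploying it.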
Additional information on the configuration and use of the CoPP feature can be found in the
documents, “Control Plane Policing Implementation Best Practices” and “Cisco IOS Software
Releases 12.2 S - Control Plane Policing” at the following links:
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html