CoPP (Control Plane Policing) should be used to protect the RP (Route Processor) on Cisco devices from unnecessary and malicious traffic. The traffic handled by the RP is divided into three functional planes: the data plane, the management plane and the control plane.
How do you identify control plane traffic? Simply put, it is traffic destined to the device itself, such as routing protocol traffic, SNMP, SSH, Telnet, NTP and so on.
Basically, you want to protect, reserve and rate-limit the communication paths to the device.
CoPP uses the MQC (Modular QoS CLI). See the template below.
Don't forget to apply the policy on the control-plane interface.
Configuring ACL
ip access-list extended CRITICAL_TRAFFIC
remark CoPP ACL for Critical traffic
permit ospf host [OSPF neighbor] any
permit pim any any
permit pim host [RP address] any
permit igmp any 224.0.0.0 15.255.255.255
! or simply: permit igmp any any
permit tcp any any eq bgp
permit tcp any eq bgp any
permit udp any any eq 67
permit ip host [DHCP server] any
deny ip any any
ip access-list extended IMPORTANT_TRAFFIC
remark CoPP ACL for Important traffic
permit tcp host x.x.x.x eq tacacs any
permit tcp x.x.x.x 0.0.255.255 any eq 22
permit udp host x.x.x.x any eq snmp
permit udp host x.x.x.x eq ntp any
deny ip any any
ip access-list extended NORMAL_TRAFFIC
remark CoPP ACL for Normal traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
ip access-list extended UNDESIRABLE_TRAFFIC
remark CoPP ACL for undesirable traffic
permit udp any any eq ntp
permit udp any any eq snmptrap
permit tcp any any eq 22
permit tcp any any eq telnet
permit eigrp any any
deny ip any any
ip access-list extended DEFAULT_TRAFFIC
remark CoPP ACL for rest of the IP traffic
permit ip any any
Configuring Class-map
class-map match-all CoPP_CRITICAL
match access-group name CRITICAL_TRAFFIC
class-map match-any CoPP_IMPORTANT
match access-group name IMPORTANT_TRAFFIC
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name NORMAL_TRAFFIC
class-map match-all CoPP_UNDESIRABLE
match access-group name UNDESIRABLE_TRAFFIC
class-map match-all CoPP_DEFAULT
match access-group name DEFAULT_TRAFFIC
Configuring policy-map
policy-map CoPP_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
class CoPP_DEFAULT
police 64000 1000 conform-action transmit exceed-action drop
Applying
control-plane
service-policy input CoPP_POLICY
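Once the policy is applied, `show policy-map control-plane` is where you watch for drops. The Python below is an added example, not part of this page's template: it parses a constructed excerpt of that output (counter layout modelled on IOS, class names taken from the CoPP_POLICY above) and flags classes where packets are dropped outside CoPP_UNDESIRABLE, the only class where dropping is the intended action.

```python
import re

# Constructed excerpt of `show policy-map control-plane` output (not captured from a real
# device); class names follow the CoPP_POLICY template above.
SAMPLE_OUTPUT = """\
    Class-map: CoPP_CRITICAL (match-all)
      police:
        conformed 41873 packets, 3349840 bytes; actions:
          transmit
        exceeded 12 packets, 960 bytes; actions:
          transmit

    Class-map: CoPP_UNDESIRABLE (match-all)
      police:
        conformed 310 packets, 19840 bytes; actions:
          drop
        exceeded 27 packets, 1728 bytes; actions:
          drop

    Class-map: CoPP_DEFAULT (match-all)
      police:
        conformed 5120 packets, 409600 bytes; actions:
          transmit
        exceeded 1984 packets, 158720 bytes; actions:
          drop
"""

CLASS_RE = re.compile(r"Class-map: (\S+) \(")
# A policer counter line plus the action printed on the following line.
COUNTER_RE = re.compile(r"(conformed|exceeded) (\d+) packets, \d+ bytes; actions:\s+(\w+)")


def parse_copp_stats(text):
    """Per class: conformed/exceeded packet counts and how many of those were dropped."""
    stats = {}
    chunks = CLASS_RE.split(text)  # [preamble, name1, body1, name2, body2, ...]
    for name, body in zip(chunks[1::2], chunks[2::2]):
        entry = {"conformed": 0, "exceeded": 0, "dropped": 0}
        for bucket, count, action in COUNTER_RE.findall(body):
            entry[bucket] = int(count)
            if action == "drop":
                entry["dropped"] += int(count)
        stats[name] = entry
    return stats


def unexpected_drops(stats, expected=("CoPP_UNDESIRABLE",)):
    """Classes with drops outside those where dropping is the intended action.
    Drops in CoPP_DEFAULT or CoPP_IMPORTANT mean legitimate traffic may be over its limit."""
    return sorted(n for n, s in stats.items() if s["dropped"] > 0 and n not in expected)
```

Drops in CoPP_DEFAULT are worth a look either way: either legitimate traffic is unclassified and the ACLs need a rule, or something unexpected is reaching the RP and the policer is doing its job.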
* If CoPP is not supported, then try the receive ACL (rACL) below.
access-list 199 remark allow specific management plane traffic
access-list 199 deny ip any any fragments
access-list 199 permit tcp [management IP block] 0.0.0.255 any eq 22
access-list 199 permit udp host [SNMP host] any eq snmp
access-list 199 permit tcp host [TACACS host] eq tacacs any
access-list 199 permit udp host [NTP host] eq ntp any
access-list 199 permit icmp [management IP block] 0.0.0.255 any
access-list 199 remark allow specific control plane traffic
access-list 199 permit ospf host [OSPF neighbor] any
access-list 199 permit pim host [PIM neighbor] any
access-list 199 permit pim host [RP address] any
access-list 199 permit igmp any 224.0.0.0 15.255.255.255
access-list 199 permit tcp host [BGP neighbor] eq bgp host [local BGP address]
access-list 199 permit tcp host [BGP neighbor] host [local BGP address] eq bgp
access-list 199 permit udp any any eq 67
access-list 199 permit ip host [DHCP Server] any
access-list 199 remark all other traffic destined to the device is dropped
access-list 199 deny ip any any
ip receive access-list 199
** If neither CoPP nor the receive path filter is supported, then create an ACL and apply it to each interface.