36-33
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 36 Configuring Denial of Service Protection
Defining Traffic Classification
• Default—All remaining traffic destined for the MSFC that has not been identified. MQC provides the default class, so the user can specify the treatment to be applied to traffic not explicitly identified in the other user-defined classes. This traffic has a highly reduced rate of access to the MSFC. With a default classification in place, statistics can be monitored to determine the rate of otherwise unidentified traffic destined for the control plane. After this traffic is identified, further analysis can be performed to classify it and, if needed, the other CoPP policy entries can be updated to accommodate this traffic.
After you have classified the traffic, the ACLs build the classes of traffic that are used to define the policies. For sample basic ACLs for CoPP classification, see the “Sample Basic ACLs for CoPP Traffic Classification” section on page 36-33.
Traffic Classification Guidelines
When defining traffic classification, follow these guidelines and restrictions:
• Before you develop the actual CoPP policy, you must identify and separate the required traffic into different classes. Traffic is grouped into nine classes that are based on relative importance. The actual number of classes needed might differ and should be selected based on your local requirements and security policies.
• You do not have to define policies that match bidirectionally. You only need to identify traffic unidirectionally (from the network to the MSFC) since the policy is applied on ingress only.
Sample Basic ACLs for CoPP Traffic Classification
This section shows sample basic ACLs for CoPP classification. In the samples, the commonly required
traffic is identified with these ACLs:
• ACL 120—Critical traffic
• ACL 121—Important traffic
• ACL 122—Normal traffic
• ACL 123—Explicitly denies unwanted traffic
• ACL 124—All other traffic
This example shows how to define ACL 120 for critical traffic:
Router(config)# access-list 120 remark CoPP ACL for critical traffic
This example shows how to allow BGP from a known peer to this router’s BGP TCP port:
Router(config)# access-list 120 permit tcp host 47.1.1.1 host 10.9.9.9 eq bgp
This example shows how to allow BGP from a peer’s BGP port to this router:
Router(config)# access-list 120 permit tcp host 47.1.1.1 eq bgp host 10.9.9.9
Router(config)# access-list 120 permit tcp host 10.86.183.120 host 10.9.9.9 eq bgp
Router(config)# access-list 120 permit tcp host 10.86.183.120 eq bgp host 10.9.9.9
This example shows how to define ACL 121 for the important class:
Router(config)# access-list 121 remark CoPP Important traffic
This example shows how to permit return traffic from the TACACS host:
Router(config)# access-list 121 permit tcp host 1.1.1.1 host 10.9.9.9 established
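To see how these ACEs sort control-plane traffic into classes before any policing is applied, here is an added Python example (not from the Cisco guide) that evaluates the page's ACL 120 and 121 entries against constructed sample flows; the port keyword table, the flow tuple layout and the ACK/RST interpretation of `established` are assumptions of the example.

```python
import re

# Constructed sample: the page's ACL 120/121 entries, evaluated in class order.
COPP_CLASSES = [
    ("critical", [
        "access-list 120 permit tcp host 47.1.1.1 host 10.9.9.9 eq bgp",
        "access-list 120 permit tcp host 47.1.1.1 eq bgp host 10.9.9.9",
        "access-list 120 permit tcp host 10.86.183.120 host 10.9.9.9 eq bgp",
        "access-list 120 permit tcp host 10.86.183.120 eq bgp host 10.9.9.9",
    ]),
    ("important", [
        "access-list 121 permit tcp host 1.1.1.1 host 10.9.9.9 established",
    ]),
]
PORT_NAMES = {"bgp": 179, "tacacs": 49}  # assumed IOS port keywords used here

# Only the host-to-host ACE form the page's samples use is supported.
ACE_RE = re.compile(
    r"access-list \d+ permit (?P<proto>tcp|udp) "
    r"host (?P<src>\S+)(?: eq (?P<sport>\S+))? "
    r"host (?P<dst>\S+)(?: eq (?P<dport>\S+))?(?P<est> established)?$"
)

def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line}")
    g = m.groupdict()
    port = lambda t: None if t is None else PORT_NAMES.get(t) or int(t)
    return {"proto": g["proto"], "src": g["src"], "dst": g["dst"],
            "sport": port(g["sport"]), "dport": port(g["dport"]),
            "established": g["est"] is not None}

def ace_matches(ace, flow):
    # flow = (proto, src_ip, src_port, dst_ip, dst_port, ack_or_rst_set)
    proto, src, sport, dst, dport, ack = flow
    if (proto, src, dst) != (ace["proto"], ace["src"], ace["dst"]):
        return False
    if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
        return False
    # 'established' matches only TCP segments with ACK or RST set (return traffic)
    return ack if ace["established"] else True

def classify(flow, classes=COPP_CLASSES):
    # First matching class wins; unmatched traffic falls to the rate-limited default class.
    for name, lines in classes:
        if any(ace_matches(parse_ace(l), flow) for l in lines):
            return name
    return "default"
```

A TACACS+ reply with ACK set lands in the important class, while a fresh SYN from the same host (no ACK) falls through to the default class, which is exactly the rate-limited bucket the guide describes.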