Control Plane Policing, Hardware Rate Limiting, and Access-Control Lists

Protecting Cisco Catalyst 6500 Series Switches

By Cisco Systems

Posted October 2009


Abstract:

 

It's been some time since administrators focused their security attention primarily on servers and hosts in the network. At that time administrators didn't use much more than a firewall and a few access lists to secure an entire network. Over the last several years, the infrastructure has also become a direct target, and on many occasions, an attack on the network is a byproduct of a worm or virus. Infected hosts generate substantial traffic by scanning other hosts in the network, by proliferating malware, or by being the target of an attack or potentially in the path of one. To protect the infrastructure, especially the core and distribution portions of the network, other mechanisms can be used to minimize the effects on these critical business-enabling components, namely, your Cisco® Catalyst® 6500 Series Switches.

 

This paper describes three methods that can be employed to help protect your infrastructure: control-plane policing (CoPP), hardware rate limiting (HWRL), and access-control lists (ACLs). The operation of each method is explained in detail, with configuration examples, so that you understand how to implement these valuable features successfully.

 

Through the use of a controlled test environment, several attack situations were created that placed the network infrastructure in jeopardy. The effects on the network were captured and, using the methods previously described, these attacks were mitigated and the condition of the network was captured. Configuration examples will be used to show how an unprotected infrastructure behaves. The appropriate configurations that mitigate the attack will then be shown.

 

Finally, a baseline recommendation will be provided as a starting point from which you can begin implementation of control plane protection in your network.

 
