Control Plane Policing

Table Of Contents

Control Plane Policing

Contents

Prerequisites for Control Plane Policing

Restrictions for Control Plane Policing

Information About Control Plane Policing

Benefits of Control Plane Policing

Terms to Understand

Control Plane Security and Packet QoS Overview

Aggregate Control Plane Services

Distributed Control Plane Services

Using Distributed CP Services

Output Rate-Limiting and Silent Mode Operation

How to Use the Control Plane Policing Feature

Defining Aggregate Control Plane Services

Prerequisites

Restrictions

Defining Distributed Control Plane Services

Prerequisites

Restrictions

Verifying Aggregate CP Services

Examples

Verifying Distributed CP Services

Examples

Configuration Examples for Control Plane Policing

Configuring Control Plane Policing on Input Telnet Traffic: Example

Configuring Control Plane Policing on Output Telnet Traffic: Example

Configuring Control Plane Policing on Input Distributed CP Traffic: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

control-plane

police rate (control-plane)

service-policy (control-plane)

show policy-map control-plane

Feature Information for Control Plane Policing

Control Plane Policing

---

Last Updated: November, 2006

The Control Plane Policing feature allows users to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks. In this way, the control plane (CP) can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Control Plane Policing" section on page 34.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

•Prerequisites for Control Plane Policing

•Restrictions for Control Plane Policing

•Information About Control Plane Policing

•How to Use the Control Plane Policing Feature

•Configuration Examples for Control Plane Policing

•Additional References

•Command Reference

Prerequisites for Control Plane Policing

•Understanding the concepts and general configuration procedure (class map and policy map) for applying quality-of-service (QoS) policies on a router

For information about Cisco IOS QoS and the procedure for configuring QoS in your network using the modular QoS command-line interface (MQC), refer to Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.3 and Cisco 10000 Series Router Quality of Service Configuration Guide.

Restrictions for Control Plane Policing

Aggregate and Distributed Control Plane Policing

Aggregate policing is supported in Cisco IOS Release 12.0(29)S, Cisco IOS Release 12.2(18)S, and Cisco IOS Release 12.3(4)T and later releases.

Distributed policing is supported only in Cisco IOS Release 12.0(30)S and later Cisco IOS 12.0S releases.

Output Rate-Limiting Support

Output rate-limiting is performed in silent (packet discard) mode. Silent mode enables a router to silently discard packets using policy maps applied to output control plane traffic with the service-policy output command. For more information, see Output Rate-Limiting and Silent Mode Operation.

Output rate-limiting (policing) in silent mode is supported only in:

•Cisco IOS Release 12.2(25)S and later Cisco IOS 12.2S releases

•Cisco IOS Release 12.3(4)T and later Cisco IOS 12.3T releases

Output rate-limiting is not supported for distributed control plane services in Cisco IOS 12.0S releases or in Cisco IOS 12.2SX releases.

Output rate-limiting is not supported on the Cisco 7500 series, Cisco 10720 Internet router, and Cisco 10000 series router.

Modular QoS Restrictions

The Control Plane Policing feature requires the modular QoS command-line interface (CLI) (MQC) to configure packet classification and policing. All restrictions that apply when you use the MQC to configure policing also apply when you configure control plane policing. Only two MQC actions are supported in policy maps—police and drop.

Features that require network-based application recognition (NBAR) classification may not work well at the control plane level. The following classification (match) criteria are supported on all platforms:

•Standard and extended IP access lists (ACLs)

•In class-map configuration mode: match ip dscp, match ip precedence, and match protocol arp commands.

---

Note In the Cisco IOS 12.2SX release, the match protocol arp command is not supported.

---

Cisco 10720 Internet Router

On the Cisco 10720 Internet router, only the police command, not the drop command, is supported in policy maps. In addition, in a QoS service policy attached to the 10720 control plane, the police command does not support set actions as arguments in conform-action, exceed-action, and violate-action parameters.

The following MQC commands are supported in class-map configuration mode: match input-interface, match mpls experimental, match protocol ipv6, and match qos-group. When using these commands for control plane policing on the Cisco 10720 Internet router, note the following restrictions:

•Packet classification using match criteria is not supported for packets that cannot be classified in the 10720 data path, such as unknown Layer 2 encapsulation and IP options.

•The following IPv6 fields are not be supported in packet classification for IPv6 QoS on the Cisco 10720 Internet router and are, therefore, not supported for control plane policing:

–IPv6 source and destination addresses

–Layer 2 class of service (CoS)

–IPv6 routing header flag

–IPv6 undetermined transport flag

–IPv6 flow label

–IP Real-Time transport Protocol (RTP)

Packets that are not supported for QoS packet classification on the Cisco 10720 Internet router are not policed in the default traffic class for control plane policing.

Cisco 10000 Series Router

In Cisco IOS Release 12.2(31)SB2, the Control Plane Policing feature is introduced on the Cisco 10000 series router. It supports traffic policing on the basis of packets per second (pps), as well as all other existing police operations for control plane traffic. The Cisco 10000 series router supports Parallel Express Forwarding (PXF) aggregate control plane policing.

The following MQC commands are supported in class-map configuration mode: match input-interface, match protocol ipv6, match qos-group, match mpls experimental, and match protocol arp. When using these commands for control plane policing, packet classification using match criteria is not supported for packets that cannot be classified in the data path, such as unknown Layer 2 encapsulation and IP options.

Packets that are not supported for QoS packet classification are not policed in the default traffic class for control plane policing.

CISCO-CLASS-BASED-QOS-MIB Control Plane Support

In Cisco IOS Release 12.3(7)T and later Cisco IOS 12.3T releases, the CISCO-CLASS-BASED-QOS-MIB is extended to manage control plane QoS policies and provide information about the control plane.

Cisco IOS Release 12.2(18)SXD1

In Cisco IOS Release 12.2(18)SXD1 and later releases, Hardware Control Plane Interface for Control Plane Policing has the following restrictions:

•Supported only with Supervisor Engine 720. Not supported with Supervisor Engine 2.

•Does not support Control Plane Policing output rate limiting (policing).

•Does not support the Control Plane Policing silent operation mode.

•Cisco IOS Release 12.2(18)SXD1 and later releases automatically install the Control Plane Policing service policy on all DFC-equipped switching modules.

Cisco IOS Release 12.2(31)SB2

Control Plane Policing has the following restrictions on the Cisco 10000 series router:

•Does not support Route Processor (RP) Control Plane Policing.

•Does not support Control Plane Policing output rate limiting (policing).

•Only the police command is supported in the control plane policy maps.

•Does not support nested policy maps.

For more information about Control Plane Policing in Cisco IOS Release 12.2(18)SXD1 and later releases, see these publications:

•For Control Plane Policing on Catalyst 6500 series switches:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/dos.htm

•For Control Plane Policing on Cisco 7600 series routers:

http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/software/122sx/swcg/dos.htm

Information About Control Plane Policing

To configure the Control Plane Policing feature, you should understand the following concepts:

•Benefits of Control Plane Policing

•Terms to Understand

•Control Plane Security and Packet QoS Overview

•Aggregate Control Plane Services

•Distributed Control Plane Services

•Using Distributed CP Services

•Output Rate-Limiting and Silent Mode Operation

Benefits of Control Plane Policing

Configuring the Control Plane Policing feature on your Cisco router or switch provides the following benefits:

•Protection against DoS attacks at infrastructure routers and switches

•QoS control for packets that are destined to the control plane of Cisco routers or switches

•Ease of configuration for control plane policies

•Better platform reliability and availability

Terms to Understand

Because different platforms can have different architectures, the following set of terms is defined. Figure 1 illustrates how control plane policing works.

Figure 1 Layout of Control Plane, Central Switch Engine, Distributed Switch Engines, and Line Cards on a Router

•Control plane (CP)—A collection of processes that run at the process level on the route processor (RP). These processes collectively provide high-level control for most Cisco IOS functions.

•Central switch engine—A device that is responsible for high-speed routing of IP packets. It also typically performs high-speed input and output services for nondistributed interfaces. (See nondistributed line cards.) The central switch engine is used to implement aggregate CP protection for all interfaces on the router.

---

Note All IP packets that are destined for the CP should pass through the central switch engine before they are forwarded to the process level.

---

On the Cisco 10720 Internet router and the Cisco 10000 series router, control plane policing is implemented on Cisco Parallel eXpress Forwarding (PXF) in a Toaster-based architecture. PXF is a hardware-based central switch engine that can filter traffic at a higher rate than the route processor. PXF switches all data traffic separately from the route processor. PXF packet processing occurs at an intermediate step between the nondistributed line cards and route processor shown in Figure 1. In addition to the regular punting, PXF also punts certain types of packets (such as unknown Layer 2 encapsulation and packets with IP options) to the RP for further processing at interrupt level.

For more information, refer to Queueing Architecture and Modular Quality of Service (QoS) on the Cisco 10720 Internet Router and Cisco 10000 Series Router Quality of Service Configuration Guide..

---

Note On the Cisco 10720 Internet router and the Cisco 10000 series router, you can configure enhanced RP protection by using the ip option drop command to drop IPv4 packets with IP options that are punted to the RP by the PXF. Tunneled IPv4 packets and IPv4 packets with an unsupported encapsulation method are not dropped. For more information, refer to ACL IP Options Selective Drop.

---

•Distributed switch engine—A device that is responsible for high-speed switching of IP packets on distributed line cards without using resources from the central switch engine. It also typically performs input and output services for the line card. Each distributed switch engine is used to implement distributed CP services for all ports on a line card. Input CP services distribute the processing load across multiple line cards and conserve vital central switch engine resources. Distributed CP services are optional; however, they provide a more refined level of service than aggregate services.

•Nondistributed line cards—Line cards that are responsible for receiving packets and occasionally performing input and output services. All packets must be forwarded to the central switch engine for a routing or switching decision. Aggregate CP services provide coverage for nondistributed line cards.

---

Note Distributed CP services are only supported in 12.0(30)S and later 12.0S releases.

---

Control Plane Security and Packet QoS Overview

To protect the CP on a router from DoS attacks and to provide packet QoS, the Control Plane Policing feature treats the CP as a separate entity with its own ingress (input) and egress (output) ports, which are like ports on a router and switch. Because the Control Plane Policing feature treats the CP as a separate entity, a set of rules can be established and associated with the ingress and egress port of the CP.

These rules are applied only after the packet has been determined to have the CP as its destination or when a packet exits from the CP. Thereafter, you can configure a service policy to prevent unwanted packets from progressing after a specified rate limit has been reached; for example, a system administrator can limit all TCP/SYN packets that are destined for the CP to a maximum rate of 1 megabit per second.

Input CP services are executed after router input port services and a routing decision on the input path have been made. As shown in Figure 2, CP security and packet QoS are applied on:

•An aggregate level by the central switch engine and applied to all CP packets received from all line cards on the router (see Aggregate Control Plane Services)

•A distributed level by the distributed switch engine of a line card and applied to all CP packets received from all interfaces on the line card (see Distributed Control Plane Services)

Figure 2 Input Control Plane Services: Aggregate and Distributed Services

The following types of Layer 3 packets are forwarded to the control plane and processed by aggregate and distributed control plane policing:

•Routing protocol control packets

•Packets destined for the local IP address of the router

•Packets from management protocols (such as Simple Network Management Protocol [SNMP], Telnet, and secure shell [SSH])

---

Note Ensure that Layer 3 control packets have priority over other packet types that are destined for the control plane.

---

Aggregate Control Plane Services

Aggregate control plane services provide control plane policing for all CP packets received from all line-card interfaces on the router.

The central switch engine executes normal input port services and makes routing decisions for an incoming packet: if the packet is destined for the CP, aggregate services are performed. Because CP traffic from all line cards must pass through aggregate CP services, these services manage the cumulative amount of CP traffic that reaches the CP.

Aggregate CP service steps are as follows:

1. The line card receives a packet and delivers it to the central switch engine.

---

Note Before the packet is sent to the central switch engine, additional processing may be necessary for platforms that support hardware-level policing or platform-specific aggregate policing. It is possible that the packet may undergo multiple checks before it undergoes the generic Cisco IOS check.

---

2. The interfaces perform normal (interface-level) input port services and QoS.

3. The central switch engine performs Layer 3 switching or makes a routing decision, determining whether or not the packet is destined for the CP.

4. The central switch engine performs aggregate CP services for all CP packets.

5. On the basis of the results of the aggregate CP services, the central switch engine either drops the packet or delivers the packet to the CP for final processing.

Functionality Highlights of Aggregate CP Services

The following list highlights the functionality of aggregate CP services:

•Defined for a single input interface, such as the CP, and represents an aggregate for all ports on a router.

•Modular QoS is used to define CP services. Class maps and policy maps for both DoS protection and packet QoS are defined for a single aggregate CP service policy.

•Modular QoS does not prevent a single bad port from consuming all allocated bandwidth. Class maps that match an interface or subinterface may be able to constrain the contribution of each interface through an interface-specific policy map.

Distributed Control Plane Services

Distributed control plane services provide control plane policing for all CP packets received from the interfaces on a line card.

A distributed switch engine executes normal input port services and makes routing decisions for a packet: if the packet is destined for the CP, distributed CP services are performed. Afterwards, CP traffic from each line card is forwarded to the central switch engine where aggregate CP services are applied.

---

Note Distributed CP services may also forward conditioned packets to the central switch engine. In this case, aggregate CP services are also performed on the conditioned CP traffic.

---

Distributed CP service steps are as follows:

1. A line card receives a packet and delivers it to the distributed switch engine.

2. The distributed switch engine performs normal (interface-level) input port services and QoS.

3. The distributed switch engine performs Layer 2 or Layer 3 switching, or makes a routing decision, determining whether or not the packet is destined for the CP.

4. The distributed switch engine performs distributed CP services for all CP packets.

5. On the basis of the results of the distributed CP services, the distributed switch engine either drops the packet or marks the packet and delivers it to the central switch engine for further processing.

6. The central switch engine performs aggregate CP services and delivers the packet to the CP for final processing.

Functionality Highlights of Distributed CP Services

The following list highlights the functionality of distributed CP services:

•Distributed CP services are defined for a single input interface, such as the distributed CP, and represent an aggregate for all ports on a line card.

•Modular QoS is used to define CP services. Class maps and policy maps for both DoS protection and packet QoS are defined for a single distributed CP service policy. Each line card may have a unique CP service policy that applies traffic classifications, QoS policies and DoS services to packets received from all ports on the line card in an aggregate way.

•Modular QoS does not prevent one bad port from consuming all allocated bandwidth on a line card. Class maps that match an interface or subinterface may be able to constrain the contribution of each interface through an interface-specific policy map.

Distributed CP services allow you to limit the number of CP packets forwarded from a line card to the central switch engine. The total amount of CP packets received from all line cards on a router may exceed aggregate CP levels.

Using Distributed CP Services

The purpose of CP protection and packet QoS is to apply sufficient control to the packets that reach the control plane. To successfully configure this level of CP protection, you must:

•Apply traditional QoS services using the modular QoS command-line interface to CP packets.

•Protect the path to the control plane against indiscriminate packet dropping due to resource exhaustion. If packets are not dropped according to user-defined QoS policies, but are dropped due to a resource limitation, the QoS policy is not maintained.

Distributed CP services allow you to configure specific CP services that are enforced at the line card level and required for the following reasons:

•While under a DoS attack, line card resources may be consumed. In this case, you must configure a drop policy to identify important packets. The drop policy ensures that all important packets arrive to the central switch engine for aggregate CP protection and later to the CP. Distributed CP services allow routers to apply the appropriate drop policy when resources are consumed, and therefore maintain the desired QoS priorities. If a line card indiscriminately drops packets, the aggregate CP filter becomes ineffective and the QoS priorities are no longer maintained.

•It is not possible to prevent one interface from consuming all aggregate CP resources. A DoS attack on one port may negatively impact CP processing of traffic from other ports. Distributed CP services allow you to limit the amount of important traffic forwarded by a line card to the CP. For example, you can configure a layered approach in which the combined rates of all line cards is over-subscribed compared to the aggregate rate. The rate of each individual line card would be below the aggregate rate, but combined together, the rates of all line cards exceed it. This over-subscription model is commonly used for other resource-related functions and helps limit the contribution of CP packets from any one line card.

•Distributed CP services provide for slot-level (line card) filtering. Customer-facing interfaces may have greater security requirements (with more restrictions or for billing reasons) than network-facing interfaces to backbone devices.

•Because distributed CP protection allows you to configure packet filters on a per-line card basis, processing cycles on line cards may offload aggregate level processing. You can configure Border Gateway Protocol (BGP) filtering at the distributed level for interfaces that use BGP, allowing the aggregate level to filter packets with the remaining filter requirements. Or you can configure identical filters for distributed and aggregate CP services with a distributed packet marking scheme that informs the aggregate filter that a packet has already been checked. Distributed CP service processing further reduces aggregate processing and can significantly reduce the load on aggregate CP services.

Output Rate-Limiting and Silent Mode Operation

A router is automatically enabled to silently discard packets when you configure output policing on control plane traffic, using the service-policy output policy-map-name command.

Rate-limiting (policing) of output traffic from the CP is performed in silent mode. In silent mode, a router that is running Cisco IOS software operates without sending any system messages. If a packet that is exiting from the control plane is discarded for output policing, you do not receive an error message.

When control plane policing is configured for output traffic, error messages are not generated in the following cases:

•Traffic that is being transmitted to a port to which the router is not listening

•A connection to a legitimate address and port that is rejected because of a malformed request

---

Note The silent mode functionality and output policing on CP traffic are supported only in:
- Cisco IOS Release 12.2(25)S and later Cisco IOS 12.2S releases.
- Cisco IOS Release 12.3(4)T and later Cisco IOS 12.3T releases.
Silent mode and output policing on CP traffic are not supported for distributed control plane services.

---

How to Use the Control Plane Policing Feature

This section documents the following procedures:

•Defining Aggregate Control Plane Services

•Defining Distributed Control Plane Services

•Verifying Aggregate CP Services

•Verifying Distributed CP Services

Defining Aggregate Control Plane Services

Perform this task to configure aggregate CP services, such as packet rate control and silent packet discard, for the active route processor.

Prerequisites

Before you enter control-plane configuration mode to attach an existing QoS policy to the control plane, you must first create the policy using MQC to define a class map and policy map for control plane traffic.

For information about how to classify traffic and create a QoS policy, refer to the "Modular Quality of Service Command-Line Interface" chapter in the Cisco IOS Quality of Service Solutions Configuration Guide and the Cisco 10000 Series Router Quality of Service Configuration Guide.

Restrictions

•Platform-specific restrictions, if any, are checked when the service policy is applied to the control plane interface.

•Support for output policing is available only in Cisco IOS Release 12.3(4)T and later T-train releases. (Note that output policing does not provide any performance benefits. It simply controls the information that is leaving the device.)

SUMMARY STEPS

1. enable

2. configure terminal

3. control-plane

4. service-policy {input | output} policy-map-name

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	control-plane Example: Router(config)# control-plane	Enters control-plane configuration mode to attach a QoS policy that manages CP traffic.
Step 4	service-policy {input | output} policy-map-name Example: Router(config-cp)# service-policy input control-plane-policy	Attaches a QoS service policy to the control plane. •input—Applies the specified service policy to packets received on the control plane. •output—Applies the specified service policy to packets transmitted from the control plane and enables the router to silently discard packets. •policy-map-name—Name of a service policy map (created using the policy-map command) to be attached. The name can be a maximum of 40 alphanumeric characters.

Defining Distributed Control Plane Services

Perform this task to configure distributed control plane services, such as packet rate control, for packets that are destined for the control plane and sent from the interfaces on a line card.

Prerequisites

Before you enter control-plane configuration mode to attach an existing QoS policy for performing distributed control-plane services, you must first create the policy using MQC to define a class map and policy map for control-plane traffic.

For information about how to classify traffic and create a QoS policy, refer to the "Modular Quality of Service Command-Line Interface" chapter in the Cisco IOS Quality of Service Solutions Configuration Guide and the Cisco 10000 Series Router Quality of Service Configuration Guide.

Restrictions

•Platform-specific restrictions, if any, are checked when the service policy is applied to the control plane interface.

•Support for output policing is available only in Cisco IOS Release 12.3(4)T and later T-train releases. (Note that output policing does not provide any performance benefits. It simply controls the information that is leaving the device.)

•With Cisco IOS 12.2SX releases, Supervisor Engine 720 automatically installs the service policy on all DFC-equipped switching modules.

•The Cisco 10000 series router only supports aggregate input control plane services.

SUMMARY STEPS

1. enable

2. configure terminal

3. control-plane [slot slot-number]

4. service-policy input policy-map-name

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	control-plane [slot slot-number] Example: Router(config)# control-plane slot 3 Router(config)# control-plane slot	Enters control-plane configuration mode to attach a QoS policy to manage CP traffic on the line card in the specified slot.
Step 4	service-policy input policy-map-name Example: Router(config-cp)# service-policy input control-plane-policy	Attaches a QoS service policy to filter and manage CP traffic on a specified line card before the aggregate CP policy is applied. •input—Applies the specified service policy using the distributed switch engine to CP packets received from all interfaces on the line card. •policy-map-name—Name of the service policy to attach.

Verifying Aggregate CP Services

To display information about the service policy attached to the control plane for aggregate CP services, perform the following optional steps.

SUMMARY STEPS

1. enable

2. show policy-map control-plane [all] [input [class class-name] | output [class class-name]]

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	show policy-map control-plane [all] [input [class class-name] | output [class class-name]] Example: Router# show policy-map control-plane all	Displays information about the control plane. •all—(Optional) Service policy information about all QoS policies used in aggregate and distributed CP services. •input—(Optional) Statistics for the attached input policy. •class class-name—(Optional) Statistics for an individual traffic class. •output—(Optional) Statistics for the attached output policy. Note The output keyword is supported only in Cisco IOS Release 12.3(4)T and later Cisco IOS 12.3T releases.

Examples

The following example shows that the policy map TEST is associated with the control plane. This policy map polices traffic that matches the class map TEST, while allowing all other traffic (that matches the class map "class-default") to go through as is. Table 2 describes the significant fields in the display.

Router# show policy-map control-plane 

Control Plane 

Service-policy input:TEST

Class-map:TEST (match-all)

      20 packets, 11280 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match:access-group 101

      police:

        8000 bps, 1500 limit, 1500 extended limit

        conformed 15 packets, 6210 bytes; action:transmit

        exceeded 5 packets, 5070 bytes; action:drop

        violated 0 packets, 0 bytes; action:drop

        conformed 0 bps, exceed 0 bps, violate 0 bps

Class-map:class-default (match-any)

      105325 packets, 11415151 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match:any 

Verifying Distributed CP Services

To display information about the service policy attached to the control plane to perform distributed CP services, perform the following optional steps.

SUMMARY STEPS

1. enable

2. show policy-map control-plane [all | slot slot-number] [input [class class-name] | output [class class-name]]

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	show policy-map control-plane [all] [slot slot-number] [input [class class-name] | output [class class-name]] Example: Router# show policy-map control-plane slot 2	Displays information about the service policy used to apply distributed CP services on the router. •all—Service policy information about all QoS policies used in aggregate and distributed CP services. •slot slot-number—Service policy information about the QoS policy used to perform distributed CP services on the specified line card. •input—Statistics for the attached input policy. •output—Statistics for the attached output policy. •class class-name—Name of the traffic class whose configuration and statistics are displayed.

Examples

The following example shows how to display information about the classes of CP traffic received from all interfaces on the line card in slot 1 to which the policy map TESTII is applied for distributed CP services. This policy map polices traffic that matches the traffic class TESTII, while allowing all other traffic (that matches the class map "class-default") to go through as is. (Table 2 describes the significant fields shown in the display.)

Router# show policy-map control-plane slot 1

Control Plane - slot 1

Service-policy input: TESTII (1048)

Class-map: TESTII (match-all) (1049/4)

        0 packets, 0 bytes

        5 minute offered rate 0 bps, drop rate 0 bps

        Match: protocol arp (1050)

        police:

            cir 8000 bps, bc 4470 bytes, be 4470 bytes

          conformed 0 packets, 0 bytes; actions:

            transmit

          exceeded 0 packets, 0 bytes; actions:

            drop

          violated 0 packets, 0 bytes; actions:

            drop

          conformed 0 bps, exceed 0 bps, violate 0 bps

Class-map: class-default (match-any) (1052/0)

        0 packets, 0 bytes

        5 minute offered rate 0 bps, drop rate 0 bps

        Match: any  (1053)

Configuration Examples for Control Plane Policing

This section contains examples that shows how to configure aggregate control plane services on both an input and an output interface:

•Configuring Control Plane Policing on Input Telnet Traffic: Example

•Configuring Control Plane Policing on Output Telnet Traffic: Example

•Configuring Control Plane Policing on Input Distributed CP Traffic: Example

Configuring Control Plane Policing on Input Telnet Traffic: Example

The following example shows how to apply a QoS policy for aggregate CP services to Telnet traffic received on the control plane. Trusted hosts with source addresses 10.1.1.1 and 10.1.1.2 forward Telnet packets to the control plane without constraint, while allowing all remaining Telnet packets to be policed at the specified rate:

! Allow 10.1.1.1 trusted host traffic.

Router(config)# access-list 140 deny tcp host 10.1.1.1 any eq telnet 

! Allow 10.1.1.2 trusted host traffic. 

Router(config)# access-list 140 deny tcp host 10.1.1.2 any eq telnet 

! Rate limit all other Telnet traffic.

Router(config)# access-list 140 permit tcp any any eq telnet

! Define class-map "telnet-class."

Router(config)# class-map telnet-class 

Router(config-cmap)# match access-group 140

Router(config-cmap)# exit

Router(config)# policy-map control-plane-in

Router(config-pmap)# class telnet-class

Router(config-pmap-c)# police 80000 conform transmit exceed drop

Router(config-pmap-c)# exit

Router(config-pmap)# exit

! Define aggregate control plane service for the active Route Processor.

Router(config)# control-plane

Router(config-cp)# service-policy input control-plane-in

Router(config-cp)# exit

Configuring Control Plane Policing on Output Telnet Traffic: Example

The following example shows how to apply a QoS policy for aggregate CP services to Telnet traffic transmitted from the control plane. Trusted networks with source addresses 3.3.3.0 and 4.4.4.0 receive Internet Control Management Protocol (ICMP) port-unreachable responses without constraint, while allowing all remaining ICMP port-unreachable responses to be dropped:

! Allow 3.3.3.0 trusted network traffic.

Router(config)# access-list 141 deny icmp 3.3.3.0 0.0.0.255 any port-unreachable 

! Allow 4.4.4.0 trusted network traffic.

Router(config)# access-list 141 deny icmp 4.4.4.0 0.0.0.255 any port-unreachable 

! Rate limit all other ICMP traffic. 

Router(config)# access-list 141 permit icmp any any port-unreachable

Router(config)# class-map icmp-class 

Router(config-cmap)# match access-group 141

Router(config-cmap)# exit

Router(config)# policy-map control-plane-out

! Drop all traffic that matches the class "icmp-class."

Router(config-pmap)# class icmp-class

Router(config-pmap-c)# drop

Router(config-pmap-c)# exit

Router(config-pmap)# exit

Router(config)# control-plane

! Define aggregate control plane service for the active route processor.

Router(config-cp)# service-policy output control-plane-out

Router(config-cp)# exit

Configuring Control Plane Policing on Input Distributed CP Traffic: Example

The following example shows how to attach a QoS policy to perform distributed CP services on packets destined for the CP from the interfaces on the line card in slot 1.

As in the previous example, trusted hosts are configured with source addresses 10.1.1.1 and 10.1.1.2 to forward Telnet packets to the control plane without constraint, while allowing all remaining Telnet packets that enter through slot 1 to be policed at the specified rate.

! Allow 10.1.1.1 trusted host traffic.

Router(config)# access-list 140 deny tcp host 10.1.1.1 any eq telnet 

! Allow 10.1.1.2 trusted host traffic. 

Router(config)# access-list 140 deny tcp host 10.1.1.2 any eq telnet 

! Rate limit all other Telnet traffic.

Router(config)# access-list 140 permit tcp any any eq telnet

! Define class-map "telnet-class."

Router(config)# class-map telnet-class 

Router(config-cmap)# match access-group 140

Router(config-cmap)# exit

Router(config)# policy-map control-plane-in

Router(config-pmap)# class telnet-class

Router(config-pmap-c)# police 80000 conform transmit exceed drop

Router(config-pmap-c)# exit

Router(config-pmap)# exit

! Define aggregate control plane service for the active Route Processor.

Router(config)# control-plane slot 1

Router(config-cp)# service-policy input control-plane-in

Router(config-cp)# exit

Additional References

The following sections provide references related to Control Plane Policing.

Related Documents

Related Topic	Document Title
QoS information and configuration tasks	Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.3 Cisco 10000 Series Router Quality of Service Configuration Guide, Release 12.2(31)SB
Additional QoS commands	Cisco IOS Quality of Service Solutions Command Reference, Release 12.3T

Standards

Standards	Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.	—

MIBs

MIBs	MIBs Link
•CISCO-CLASS-BASED-QOS-MIB Note Supported only in Cisco IOS Release 12.3(7)T.	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator, found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFCs	Title
None	—

Technical Assistance

Description	Link
The Cisco Technical Support website, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/cisco/web/support/index.html

Command Reference

This section documents new and modified commands.

New Commands in Cisco IOS Release 12.2(18)S

•control-plane

•service-policy (control-plane)

•show policy-map control-plane

Modified Commands in Cisco IOS Release 12.3(4)T

•service-policy (control-plane)

•show policy-map control-plane

New Command in Cisco IOS Release 12.3(7)T

•service-policy (control-plane)

Modified Commands in Cisco IOS Release 12.0(30)S

•control-plane [slot slot-number]

•show policy-map control-plane [slot slot-number]

Modified Command in Cisco IOS Release 12.2(31)SB2

•control-plane

•police rate (control-plane)

•service-policy (control-plane)

•show policy-map control-plane

control-plane

To enter control-plane configuration mode and apply an existing quality of service (QoS) policy to police traffic destined for the control plane, use the control-plane command in global configuration mode. To remove an existing control-plane configuration from the router, use the no form of this command.

Syntax for T Releases

control-plane [host | transit | cef-exception]

no control-plane [host | transit | cef-exception]

Syntax for 12.0 S Releases

control-plane [slot slot-number] [host | transit | cef-exception]

no control-plane [slot slot-number] [host | transit | cef-exception]

Syntax for Cisco 10000 Series Router

control-plane

no control-plane

Syntax Description

host	(Optional) Applies policies to host control-plane traffic.
transit	(Optional) Applies policies to transit control-plane traffic.
cef-exception	(Optional) Applies policies to CEF-exception control-plane traffic.
slot slot number	(Optional) Specifies the slot number for the line card to which you want to attach a QoS policy to perform distributed control-plane services.

Command Default

No control-plane service policies are defined.

Command Modes

Global configuration

Command History

Release	Modification
12.2(18)S	This command was introduced.
12.3(4)T	This command was integrated into Cisco IOS Release 12.3(4)T.
12.0(29)S	This command was integrated into Cisco IOS Release 12.0(29)S.
12.0(30)S	The slot slot-number parameter was added to configure distributed CP services.
12.2(18)SXD1	This command was integrated into Cisco IOS Release 12.2(18)SXD1.
12.2(27)SBC	This command was integrated into Cisco IOS Release 12.2(27)SBC.
12.4(4)T	The host, transit, and cef-exception keywords were added.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.

Usage Guidelines

After you enter the control-plane command, you can define aggregate control-plane policing policies for the route processor (RP). You can configure a service policy to police all traffic destined to the control plane:

•From all line cards on the router (aggregate CP services)

•From all interfaces on a line card (distributed CP services)

Aggregate CP services manage traffic destined for the control plane and received on the central switch engine from all line cards in the router.

Distributed CP services manage CP traffic from interfaces on a specified line card before CP packets are forwarded to the central switch engine where aggregate CP services are applied.

---

Note On the Cisco 12000 series Internet router, you can combine distributed and aggregate CP services to protect the control plane from DoS attacks and provide packet QoS. The slot slot-number parameter is used only for distributed CP services configurations.

---

Control-plane policing in this version includes enhanced control-plane functionality. It provides a mechanism for early dropping of packets directed toward closed or nonlistened Cisco IOS TCP/UPD ports on the router. It also provides the ability to limit protocol queue usage such that no single misbehaving protocol process can wedge the control plane interface hold queue.

With this enhancement, you can classify control-plane traffic into different categories of traffic. These categories are as follows:

•Control-plane host subinterface—Subinterface that receives all control-plane IP traffic that is directly destined for one of the router interfaces. Examples of control-plane host IP traffic include tunnel termination traffic, management traffic or routing protocols such as SSH, SNMP, BGP, OSPF, and EIGRP. All host traffic terminates on and is processed by the router. Most control-plane protection features and policies operate strictly on the control-plane host subinterface. Since most critical router control-plane services, such as routing protocols and management traffic, is received on the control-plane host subinterface, it is critical to protect this traffic through policing and protection policies. CoPP, port-filtering, and per-protocol queue thresholding protection features can be applied on the control-plane host subinterface.

•Control-plane transit subinterface—Subinterface that receives all control-plane IP traffic that is software switched by the route processor. This means packets not directly destined to the router itself but rather traffic traversing through the router. Non-terminating tunnels handled by the router are an example of this type of control-plane traffic. Control-plane protection allows specific aggregate policing of all traffic received at this subinterface.

•Control-plane CEF-exception subinterface—Subinterface that receives all traffic that is either redirected as a result of a configured input feature in the CEF packet forwarding path for process switching or directly enqueued in the control-plane input queue by the interface driver (for example, ARP, L2 Keepalives and all non-IP host traffic). Control-plane protection allows specific aggregate policing of this specific type of control-plane traffic.

Cisco 10000 Series Router

The control-plane command has no arguments or keywords. After you issue the control-plane command, you can begin defining aggregate control plane services for the PXF; for example, you can associate a service policy to police all traffic that is destined to the control plane.

Examples

The following example shows how to configure trusted hosts with source addresses 10.1.1.1 and 10.1.1.2 to forward Telnet packets to the control plane without constraint, while allowing all remaining Telnet packets to be policed at the specified rate. The QoS policy is then applied for aggregate CP services to all packets that are entering the control plane from all line cards in the router.

! Allow 10.1.1.1 trusted host traffic.

Router(config)# access-list 140 deny tcp host 10.1.1.1 any eq telnet 

! Allow 10.1.1.2 trusted host traffic. 

Router(config)# access-list 140 deny tcp host 10.1.1.2 any eq telnet 

! Rate limit all other Telnet traffic.

Router(config)# access-list 140 permit tcp any any eq telnet

! Define class-map "telnet-class."

Router(config)# class-map telnet-class 

Router(config-cmap)# match access-group 140

Router(config-cmap)# exit

Router(config)# policy-map control-plane-in

Router(config-pmap)# class telnet-class

Router(config-pmap-c)# police 80000 conform transmit exceed drop

Router(config-pmap-c)# exit

Router(config-pmap)# exit

! Define aggregate control plane service for the active Route Processor.

Router(config)# control-plane

Router(config-cp)# service-policy input control-plane-in

Router(config-cp)# exit

The next example also shows how to configure trusted hosts with source addresses 10.1.1.1 and 10.1.1.2 to forward Telnet packets to the control plane without constraint, while allowing all remaining Telnet packets that enter through slot 1 to be policed at the specified rate. The QoS policy is applied for distributed CP services to all packets that enter through the interfaces on the line card in slot 1 and are destined for the control plane.

! Allow 10.1.1.1 trusted host traffic.

Router(config)# access-list 140 deny tcp host 10.1.1.1 any eq telnet 

! Allow 10.1.1.2 trusted host traffic. 

Router(config)# access-list 140 deny tcp host 10.1.1.2 any eq telnet 

! Rate limit all other Telnet traffic.

Router(config)# access-list 140 permit tcp any any eq telnet

! Define class-map "telnet-class."

Router(config)# class-map telnet-class 

Router(config-cmap)# match access-group 140

Router(config-cmap)# exit

Router(config)# policy-map control-plane-in

Router(config-pmap)# class telnet-class

Router(config-pmap-c)# police 80000 conform transmit exceed drop

Router(config-pmap-c)# exit

Router(config-pmap)# exit

! Define aggregate control plane service for the active Route Processor.

Router(config)# control-plane slot 1

Router(config-cp)# service-policy input control-plane-in

Router(config-cp)# exit

The following shows how to apply an aggregate CoPP policy to the host control-plane traffic by applying it to the host control-plane feature path:

Router(config)# control-plane host

Router(config-cp)# service-policy input cpp-policy-host

The following shows how to apply an aggregate CoPP policy to the transit control-plane traffic by applying it to the control-plane transit feature path:

Router(config)# control-plane transit

Router(config-cp)# service-policy input cpp-policy-transit 

The following shows how to apply an aggregate CoPP policy to the cef-exception control-plane traffic by applying it to the control-plane CEF-exception feature path:

Router(config)# control-plane unidentified

Router(config-cp)# service-policy input cpp-policy-unidentified

Cisco 10000 Series Router

The following example shows how to configure trusted hosts with source addresses 10.1.1.1 and 10.1.1.2 to forward Telnet packets to the control plane without constraint, while allowing all remaining Telnet packets to be policed at the specified rate:

! Allow 10.1.1.1 trusted host traffic. 

Router(config)# access-list 140 deny tcp host 10.1.1.1 any eq telnet 

! Allow 10.1.1.2 trusted host traffic. 

Router(config)# access-list 140 deny tcp host 10.1.1.2 any eq telnet 

! Rate limit all other Telnet traffic. 

Router(config)# access-list 140 permit tcp any any eq telnet 

! Define class-map "telnet-class." 

Router(config)# class-map telnet-class 

Router(config-cmap)# match access-group 140 

Router(config-cmap)# exit 

Router(config)# policy-map control-plane-policy 

Router(config-pmap)# class telnet-class 

Router(config-pmap-c)# police 80000 conform transmit exceed drop 

Router(config-pmap-c)# exit 

Router(config-pmap)# exit 

! Define aggregate control plane service for the active Route Processor. 

Router(config)# control-plane 

Router(config-cp)# service-policy input control-plane-policy 

Router(config-cp)# exit 

Related Commands

Command	Description
service-policy (control-plane)	Attaches a policy map to the control plane for aggregate or distributed control-plane services.
show policy-map control-plane	Displays the configuration of a class or all classes for the policy map attached to the control plane.

police rate (control-plane)

To configure traffic policing for traffic that is destined for the control plane, use the police rate command in policy-map class configuration mode. To remove traffic policing from the configuration, use the no form of this command.

Syntax for Cisco 10000 Series Router

police rate units pps [burst burst-in-packets packets] [peak-rate peak-rate-in-pps pps] [peak-burst peak-burst-in-packets packets] [conform-action action [exceed-action action] [violate-action action]

no police rate units pps [burst burst-in-packets packets] [peak-rate peak-rate-in-pps pps] [peak-burst peak-burst-in-packets packets] [conform-action action] [exceed-action action] [violate-action action]

Syntax for Packets per Seconds

police rate units pps [burst burst-in-packets packets] [peak-rate peak-rate-in-pps pps] [peak-burst peak-burst-in-packets packets]

no police rate units pps [burst burst-in-packets packets] [peak-rate peak-rate-in-pps pps] [peak-burst peak-burst-in-packets packets]

Syntax for Bytes per Seconds

police rate units bps [burst burst-in-bytes bytes] [peak-rate peak-rate-in-bps bps] [peak-burst peak-burst-in-bytes bytes]

no police rate units bps [burst burst-in-bytes bytes] [peak-rate peak-rate-in-bps bps] [peak-burst peak-burst-in-bytes bytes]

Syntax for Percent

police rate percent percentage [burst ms ms] [peak-rate percent percentage] [peak-burst ms ms]

no police rate percent percentage [burst ms ms] [peak-rate percent percentage] [peak-burst ms ms]

Syntax Description

units	Specifies the police rate. If the police rate is specified in packets per second (pps), the valid ranges of values are: •Cisco 10000 series router—Valid range is 1 to 500000 •Other platforms—Valid range is 1 to 2000000 If the police rate is specified in bps, the valid range of values is 8000 to 10000000000.
pps	Specifies that packets per seconds (pps) will be used to determine the rate at which traffic is policed.
burst burst-in-packets packets	(Optional) Specifies the burst rate, in packets, will be used for policing traffic. Valid ranges of values are: •Cisco 10000 series router—Valid range is 1 to 25000 •Other platforms—Valid range is 1 to 512000
peak-rate peak-rate-in-pps pps	(Optional) Specifies the peak information rate (PIR) will be used for policing traffic and calculating the PIR. Valid ranges of values are: •Cisco 10000 series router—Valid range is 1 to 500000 •Other platforms—Valid range is 1 to 512000
peak-burst peak-burst-in-packets packets	(Optional) Specifies the peak burst value, in packets, will be used for policing traffic. Valid ranges of values are: •Cisco 10000 series router—Valid range is 1 to 25000 •Other platforms—Valid range is 1 to 512000
conform-action action	(Optional) Specifies the action to take on packets that conform to the police rate limit. See the "Usage Guidelines" section for the actions you can specify.
exceed-action action	(Optional) Specifies the action to take on packets that exceed the rate limit. See the "Usage Guidelines" section for the actions you can specify.
violate-action action	(Optional) Specifies the action to take on packets that continuously exceed the police rate limit. See the "Usage Guidelines" section for the actions you can specify.
bps	(Optional) Specifies that bits per second (bps) will be used to determine the rate at which traffic is policed.
burst burst-in-bytes bytes	(Optional) Specifies the burst rate, in bits, will be used for policing traffic. Valid range is from 1000 to 512000000.
peak-rate peak-rate-in-bps bps	(Optional) Specifies the peak burst value, in bits, for the peak rate. Valid range is from 1000 to 512000000.
peak-burst peak-burst-in-bytes bytes	(Optional) Specifies the peak burst value, in bits, will be used for policing traffic. Valid range is from 1000 to 512000000.
percent	A percentage of interface bandwidth will be used to determine the rate at which traffic is policed.
percentage	Specifies the bandwidth percentage. Valid range is from 1 to 100.
burst ms ms	(Optional) Specifies the burst rate, in milliseconds, will be used for policing traffic. Valid range is from 1 to 2000.
peak-rate percent percentage	(Optional) Specifies a percentage of interface bandwidth will be used to determine the PIR. Valid range is from 1 to 100.
peak-burst ms ms	(Optional) Specifies the peak burst rate, in milliseconds, will be used for policing traffic. Valid range is from 1 to 2000.

Defaults

Disabled

Command Modes

Policy-map class configuration

Command History

Release	Modification
12.3(7)T	This command was introduced.
12.2(18)SXD1	Support for this command was introduced on the Supervisor Engine 720.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.

Usage Guidelines

Use the police rate command to limit traffic that is destined for the control plane on the basis of pps, bps, or a percentage of interface bandwidth. If the police rate command is issued, but the a rate is not specified, traffic that is destined for the control plane is policed on the basis of bits per second (bps).

Cisco 10000 Series Router

Table 1 lists the actions you can specify for the conform-action, exceed-action, and violate-action keywords. You can specify only one action in a command line.

Table 1 Actions Keyword Options

Action	Description
drop	Drops the packet. This is the default action for traffic that exceeds or violates the committed police rate.
set-clp-transmit value	Sets the ATM Cell Loss Priority (CLP) bit to 1 on the ATM cell.
set-discard-class-transmit value	Sets the discard class attribute of a packet and transmits the packet with the new discard class setting. Valid values are from 0 to 7.
set-dscp-transmit value	Sets the IP differentiated services code point (DSCP) value and transmits the packet with the new IP DSCP value setting. Valid values are from 0 to 63.
set-dscp-tunnel-transmit value	Rewrites the tunnel packet DSCP and transmits the packet with the new tunnel DSCP value. Valid values are from 0 to 63.
set-frde-transmit	Sets the Frame Relay Discard Eligibility (DE) bit from 0 to 1 on the Frame Relay frame and transmits the packet with the DE bit set to 1.
set-mpls-exp-imposition-transmit value	Sets the Multiprotocol Label Switching (MPLS) experimental (EXP) bits in the imposed label headers and transmits the packet with the new MPLS EXP bit value setting. Valid values are from 0 to 7.
set-mpls-exp-transmit value	Sets the MPLS EXP field value in the MPLS label header at the input and/or output interfaces. Valid values are from 0 to 7.
set-prec-transmit value	Sets the IP precedence and transmits the packet with the new IP precedence value. Valid values are from 0 to 7.
set-prec-tunnel-transmit value	Sets the tunnel packet IP precedence and transmits the packet with the new IP precedence value. Valid values are from 0 to 7.
set-qos-transmit value	Sets the qos-group and transmits the packet with the new qos-group value. Valid values are from 0 to 63.
transmit	Transmits the packet. The packet is not altered.

Examples

The following example shows how to configure policing on a class to limit traffic to an average rate of 1,500,000 pps:

Router(config)# class-map telnet-class 

Router(config-cmap)# match access-group 140

Router(config-cmap)# exit

Router(config)# policy-map control-plane-policy

Router(config-pmap)# class telnet-class

Router(config-pmap-c)# police rate 1500000 pps burst 500000 packets 

Router(config-pmap-c)# exit

Cisco 10000 Series Router

The following example shows how to configure the action to take on packets that conform to the police rate limit:

Router(config)# access-list 140 deny tcp host 10.1.1.1 any eq telnet 

Router(config)# access-list 140 deny tcp host 10.1.1.2 any eq telnet 

Router(config)# access-list 140 permit tcp any any eq telnet 

Router(config)# class-map match-any pps-1 

Router(config-cmap)# match access-group 140 

Router(config-cmap)# exit 

Router(config)# policy-map copp-pps 

Router(config-pmap)# class pps-1 

Router(config-pmap)# police rate 10000 pps burst 100 packets peak-rate 10100 pps 
peak-burst 150 packets conform-action transmit 

Router(config-cmap)# exit 

Router(config)# control-plane 

Router(config-cp)# service-policy input copp-pps 

Router(config-cp)# exit 

Related Commands

Command	Description
policy-map	Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
show policy-map	Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps.

service-policy (control-plane)

To attach a policy map to a control plane for aggregate or distributed control plane services, use the service-policy command in control-plane configuration mode. To remove a service policy from a control plane, use the no form of this command.

service-policy {input | output} policy-map-name

no service-policy {input | output} policy-map-name

Syntax for Cisco 6500 Router, Cisco 7500 Series, Cisco 10720 Internet Router, and Cisco 10000 Series Router

service-policy input policy-map-name

no service-policy input policy-map-name

Syntax Description

input	Applies the specified service policy to packets that are entering the control plane.
output	Applies the specified service policy to packets that are exiting the control plane and enables the router to silently discard packets.
policy-map-name	Name of a service policy map (created using the policy-map command) to be attached. The name can be a maximum of 40 alphanumeric characters.

Command Default

No service policy is specified.

Command Modes

Control-plane configuration

Command History

Release	Modification
12.2(18)S	This command was introduced.
12.3(4)T	This command was integrated into Cisco IOS Release 12.3(4)T, and support for the output keyword was added.
12.0(29)S	This command was integrated into Cisco IOS Release 12.0(29)S.
12.2(18)SXD1	This command was integrated into Cisco IOS Release 12.2(18)SXD1.
12.2(25)S	Support for the output keyword was integrated into Cisco IOS Release 12.2(25)S.
12.2(27)SBC	This command was integrated into Cisco IOS Release 12.2(27)SBC.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.

Usage Guidelines

After entering the control-plane command, use the service-policy command to configure a quality of service (QoS) policy. This policy is attached to the control plane interface for aggregate or distributed control plane services, and controls the number or rate of packets that are going to the process level.

When you configure output policing on control-plane traffic, using the service-policy output policy-map-name command, a router is automatically enabled to silently discard packets. Output policing is supported as follows:

•Supported only in:

–Cisco IOS Release 12.2(25)S and later Cisco IOS 12.2S releases.

–Cisco IOS Release 12.3(4)T and later Cisco IOS 12.3T releases.

–Cisco IOS Release 12.2(18)SXD1 and later Cisco IOS 12.2SX releases.

•Not supported for attaching a QoS policy for distributed control-plane services.

•Not supported on the Cisco 6500 router, Cisco 7500 series, Cisco 10720 Internet router, and Cisco 10000 series router.

The service-policy output command configures output policing, which is performed in silent mode to silently discard packets exiting from the control plane according to the attached QoS policy. Silent mode allows a router that is running Cisco IOS software to operate without sending any system messages. If a packet that is exiting from the control plane is discarded for output policing, you do not receive an error message.

Silent mode allows a router that is running Cisco IOS software to operate without sending any system messages. If a packet that is destined for the router is discarded for any reason, users will not receive an error message. Some events that will not generate error messages are as follows:

•Traffic that is being transmitted to a port to which the router is not listening

•A connection to a legitimate address and port that is rejected because of a malformed request

Examples

The following example shows how to configure trusted hosts with source addresses 10.1.1.1 and 10.1.1.2 to forward Telnet packets to the control plane without constraint, while allowing all remaining Telnet packets to be policed at the specified rate:

! Allow 10.1.1.1 trusted host traffic.

Router(config)# access-list 140 deny tcp host 10.1.1.1 any eq telnet 

! Allow 10.1.1.2 trusted host traffic. 

Router(config)# access-list 140 deny tcp host 10.1.1.2 any eq telnet 

! Rate limit all other Telnet traffic.

Router(config)# access-list 140 permit tcp any any eq telnet

! Define class-map "telnet-class."

Router(config)# class-map telnet-class 

Router(config-cmap)# match access-group 140

Router(config-cmap)# exit

Router(config)# policy-map control-plane-policy

Router(config-pmap)# class telnet-class

Router(config-pmap-c)# police 80000 conform transmit exceed drop

Router(config-pmap-c)# exit

Router(config-pmap)# exit

! Define aggregate control plane service for the active Route Processor.

Router(config)# control-plane

Router(config-cp)# service-policy input control-plane-policy

Router(config-cp)# exit

The next example shows how to configure trusted networks with source addresses 10.0.0.0 and 10.0.0.2 to receive Internet Control Message Protocol (ICMP) port-unreachable responses without constraint, while allowing all remaining ICMP port-unreachable to be dropped:

! Allow 10.0.0.0 trusted network traffic.

Router(config)# access-list 141 deny icmp host 10.0.0.0 255.255.255.224 any 
port-unreachable 

! Allow 10.0.0.2 trusted network traffic.

Router(config)# access-list 141 deny icmp host 10.0.0.2 255.255.255.224 any 
port-unreachable 

! Rate limit all other ICMP traffic. 

Router(config)# access-list 141 permit icmp any any port-unreachable

Router(config)# class-map icmp-class 

Router(config-cmap)# match access-group 141

Router(config-cmap)# exit

Router(config)# policy-map control-plane-out-policy

! Drop all traffic that matches the class "icmp-class."

Router(config-pmap)# class icmp-class

Router(config-pmap-c)# drop

Router(config-pmap-c)# exit

Router(config-pmap)# exit

Router(config)# control-plane

! Define aggregate control plane service for the active route processor.

Router(config-cp)# service-policy output control-plane-out-policy 

Router(config-cp)# exit

Related Commands

Command	Description
control-plane	Enters control-plane configuration mode to apply a QoS policy to police traffic destined for the control plane.
policy-map	Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
show policy-map control-plane	Displays the configuration of a class or all classes for the policy map attached to the control plane.

show policy-map control-plane

To display the configuration and statistics for a traffic class or all traffic classes in the policy maps attached to the control plane for aggregate and distributed control plane policing services, use the show policy-map control-plane command in privileged EXEC mode.

show policy-map control-plane [type policy-type] [all | slot slot-number] [host | transit | cef-exception] [{input | output} [class class-name]]

Syntax Description

type policy-type	(Optional) Specifies policy-map type for which you want statistics (for example, port-filter or queue-threshold).
all	(Optional) Displays information about all QoS policies used in aggregate and distributed CP services.
slot slot-number	(Optional) Displays information about the QoS policy used to perform distributed CP services on the specified line card.
host	(Optional) Displays policy-map and class-map statistics for the host subinterface.
transit	(Optional) Displays policy-map and class-map statistics for the transit subinterface.
cef-exception	(Optional) Displays policy-map and class-map statistics for the cef-exception subinterface.
input	(Optional) Displays statistics for the attached input policy.
output	(Optional) Displays statistics for the attached output policy. Note The output keyword is supported only in Cisco IOS Release 12.3(4)T and later Cisco IOS 12.3T releases.
class class-name	(Optional) Displays statistics for an individual traffic class.

Command Default

Information displays for all classes of the policy map of the control plane.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(18)S	This command was introduced.
12.3(4)T	This command was integrated into Cisco IOS Release 12.3(4)T, and support for the output keyword was added.
12.0(29)S	This command was integrated into Cisco IOS Release 12.0(29)S.
12.2(18)SXD1	This command was integrated into Cisco IOS Release 12.2(18)SXD1.
12.0(30)S	The slot slot-number parameter was added to support distributed CP services.
12.4(4)T	Support was added for the type policy-type keyword and argument combination, and for the host, transit, and cef-exception keywords.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.

Usage Guidelines

The show policy-map control-plane command displays information for aggregate and distributed control-plane policing services, which manage the number or rate of CP packets sent to the process level of the Route Processor.

Information for distributed control-plane service is displayed for a specified line card. Distributed CP services are performed on a line card's distributed switch engine and manage CP traffic sent from all interfaces on the line card to the route processor, where aggregate CP services (for CP packets received from all line cards on the router) are performed.

Examples

The following example shows that the policy map TEST is associated with the control plane. This policy map polices traffic that matches the class map TEST, while allowing all other traffic (that matches the class map called "class-default") to go through as is. Table 2 describes the significant fields shown in the display.

Router# show policy-map control-plane 

Control Plane 

Service-policy input:TEST

Class-map:TEST (match-all)

      20 packets, 11280 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match:access-group 101

      police:

        8000 bps, 1500 limit, 1500 extended limit

        conformed 15 packets, 6210 bytes; action:transmit

        exceeded 5 packets, 5070 bytes; action:drop

        violated 0 packets, 0 bytes; action:drop

        conformed 0 bps, exceed 0 bps, violate 0 bps

Class-map:class-default (match-any)

      105325 packets, 11415151 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match:any

Table 2 show policy-map control-plane Field Descriptions 

Field	Description
Fields Associated with Classes or Service Policies
Service-policy input	Name of the input service policy that is applied to the control plane. (This field will also show the output service policy, if configured.)
Class-map	Class of traffic being displayed. Traffic is displayed for each configured class. The choice for implementing class matches (for example, match-all or match-any) can also appear next to the traffic class.
offered rate	Rate, in kbps, at which packets are coming into the class.
drop rate	Rate, in kbps, at which packets are dropped from the class. The drop rate is calculated by subtracting the number of successfully transmitted packets from the offered rate.
Match	Match criteria for the specified class of traffic. For more information about the variety of match criteria options available, see the "Configuring the Modular Quality of Service Command-Line Interface" chapter in the Cisco IOS Quality of Service Solutions Configuration Guide.
Fields Associated with Traffic Policing
police	Indicates that the police command has been configured to enable traffic policing.
conformed	Displays the action to be taken on packets that conform to a specified rate. Displays the number of packets and bytes on which the action was taken.
exceeded	Displays the action to be taken on packets that exceed a specified rate. Displays the number of packets and bytes on which the action was taken.
violated	Displays the action to be taken on packets that violate a specified rate. Displays the number of packets and bytes on which the action was taken.

Cisco 10000 Series Router

The following example shows information for all QoS policies attached to the control plane. Table 2 describes the significant fields shown in the display.

Router# show policy-map control-plane all

Control Plane 

Service-policy input: copp_policy

Class-map: mfib_224 (match-any)

2400000 packets, 340800000 bytes

5 minute offered rate 6894000 bps, drop rate 4313000 bps

Match: ip precedence 2 

2400000 packets, 340800000 bytes

5 minute rate 6894000 bps

Police:

rate 5000 pps, 250 limit, peak-rate 7500 pps, 500 extended limit

conformed 600245 packets, 85234790 bytes; action: set-qos-transmit 2

exceeded 300247 packets, 42635074 bytes; action: transmit

violated 1499508 packets, 212930136 bytes; action: drop

Class-map: arp (match-any)

1200000 packets, 170400000 bytes

5 minute offered rate 3452000 bps, drop rate 2419000 bps

Match: protocol arp

1200000 packets, 170400000 bytes

5 minute rate 3452000 bps

Police:

rate 2500 pps, 250 limit, peak-rate 3000 pps, 500 extended limit

conformed 300248 packets, 42635216 bytes; action: transmit

exceeded 60250 packets, 8555500 bytes; action: transmit

violated 839502 packets, 119209284 bytes; action: drop

Class-map: fib_dest (match-any)

1200036 packets, 170402704 bytes

5 minute offered rate 3452000 bps, drop rate 870000 bps

Match: not protocol ipv6

1200036 packets, 170402704 bytes

5 minute rate 3452000 bps

Police:

rate 5000 pps, 250 limit, peak-rate 7500 pps, 500 extended limit

conformed 600255 packets, 85234909 bytes; action: transmit

exceeded 300245 packets, 42634721 bytes; action: transmit

violated 299536 packets, 42533074 bytes; action: drop

Class-map: class-default (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any 

0 packets, 0 bytes

5 minute rate 0 bps 

Related Commands

Command	Description
control-plane	Enters control-plane configuration mode to apply a QoS policy to police traffic destined for the control plane.
service-policy (control-plane)	Attaches a policy map to the control plane for aggregate or distributed control-plane services.

Feature Information for Control Plane Policing

Table 2 lists the features in this module and provides links to specific configuration information.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

---

Note Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

---

Table 2 Feature Information for Control Plane Policing

Feature Name	Releases	Feature Information
Control Plane Policing	12.0(29)S 12.0(30)S 12.0(32)S 12.2(18)S 12.2(18)SXD1 12.2(27)SBC 12.3(4)T 12.3(7)T 12.2(31)SB2	The Control Plane Policing feature was introduced to allow users to configure a QoS filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and DoS attacks. This feature was integrated into Cisco IOS Release 12.0(29)S. In 12.0(30)S, support for distributed control plane services on the Cisco 12000 series Internet router was added. In 12.0(32)S, support for aggregate control plane services on the Cisco 10720 Internet router was added. In 12.2(18)S, this feature was introduced. This feature was integrated into Cisco IOS Release 12.2(18)SXD1. This feature was integrated into Cisco IOS Release 12.2(27)SBC. This feature was integrated into Cisco IOS Release 12.3(4)T, and the output rate-limiting (silent mode operation) feature was added. In 12.3(7)T, CISCO-CLASS-BASED-QOS-MIB was extended to manage control plane QoS policies, and the police rate command was introduced to support traffic policing on the basis of packets per second for control plane traffic. This feature was introduced on the Cisco 10000 series router and integrated into Cisco IOS Release 12.2(31)SB2.

CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0609R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2006 Cisco Systems, Inc. All rights reserved.