Lab - CoPP and LPTS

Use any CSR1000v and XRv9K for this lab. This will not work on XRv or XRd.

On the CSR1000v, configure CoPP so that ICMP exceeding 64kbps is dropped, and SSH exceeding 32kbps is dropped. However, do not drop any packets from the mgmt station at 2.2.2.2.

On XRv9K, configure local ICMP to be policed at 10 pps and unestablished SSH to be policed at 20 pps.

Answer

#IOS-XE
ip access-list extended ICMP
 10 deny   ip host 2.2.2.2 any
 20 deny   ip any host 2.2.2.2
 30 permit icmp any any
ip access-list extended SSH
 10 deny   ip host 2.2.2.2 any
 20 deny   ip any host 2.2.2.2
 30 permit tcp any any eq 22
 40 permit tcp any eq 22 any
!
class-map match-all ICMP
 match access-group name ICMP
class-map match-all SSH
 match access-group name SSH
!
policy-map COPP
 class ICMP
  police 64 k
 class SSH
  police 32 k
!
control-plane
 service-policy input COPP

#IOS-XR
lpts pifib hardware police flow icmp local rate 10
lpts pifib hardware police flow ssh default rate 20

Explanation

CoPP on IOS-XE simply applies a QoS policy to the control plane as if it were a virtual interface. To avoid rate limiting traffic from host 2.2.2.2, we can either deny it in every ACL (a deny in a class-map ACL means the traffic is not matched by that class, so it is never policed), or we can create a separate class at the top of the policy-map for it and not police that class. Note that it seems we must also deny it as a destination for some reason to get it to work. To be safe we can simply always deny it as both source and destination.
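As an added example (not part of the lab page), the following Python models the first-match semantics of the two IOS-XE ACLs in the answer and shows why denying 2.2.2.2 as both source and destination keeps it out of both CoPP classes. The ACL text is copied from the answer; the peer addresses and ports are constructed, and the parser only understands the `any`, `host` and `eq` forms the answer uses.

```python
import re

# Constructed copy of the IOS-XE ACLs from the answer above. First match wins, and
# since the ACL only selects traffic for a CoPP class, "deny" means "not policed".
ACL_TEXT = """
ip access-list extended ICMP
 10 deny   ip host 2.2.2.2 any
 20 deny   ip any host 2.2.2.2
 30 permit icmp any any
ip access-list extended SSH
 10 deny   ip host 2.2.2.2 any
 20 deny   ip any host 2.2.2.2
 30 permit tcp any any eq 22
 40 permit tcp any eq 22 any
"""
ACE_RE = re.compile(r"^\s*\d+\s+(permit|deny)\s+(\S+)\s+(.*)$")

def _take_addr(tokens):
    """Consume 'any' or 'host X' (the only forms used above) plus an optional 'eq PORT'."""
    addr, tokens = ("any", tokens[1:]) if tokens[0] == "any" else (tokens[1], tokens[2:])
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = int(tokens[1]), tokens[2:]
    return addr, port, tokens

def parse_acls(text):
    """Return {acl_name: [(action, proto, src, sport, dst, dport), ...]} in ACE order."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("ip access-list extended "):
            current = line.split()[-1]
            acls[current] = []
        elif current and (m := ACE_RE.match(line)):
            action, proto, rest = m.groups()
            src, sport, rest = _take_addr(rest.split())
            dst, dport, _ = _take_addr(rest)
            acls[current].append((action, proto, src, sport, dst, dport))
    return acls

def in_class(acl, proto, src, dst, sport=None, dport=None):
    """True only if the first matching ACE is a permit ('ip' matches any protocol;
    no match at all is the implicit deny, i.e. the packet is not in this class)."""
    for action, aproto, asrc, asport, adst, adport in acl:
        if (aproto in ("ip", proto) and asrc in ("any", src) and adst in ("any", dst)
                and asport in (None, sport) and adport in (None, dport)):
            return action == "permit"
    return False

def policed_by(acls, proto, src, dst, sport=None, dport=None):
    """Name of the CoPP class (policy-map order: ICMP, then SSH) that polices the packet, or None."""
    return next((n for n in ("ICMP", "SSH") if in_class(acls[n], proto, src, dst, sport, dport)), None)
```

Swapping the two deny entries below the permit lines makes `policed_by` return a class name for 2.2.2.2 again, which is the ordering mistake the explanation warns about.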

LPTS on IOS-XR lets us define policer rates for pre-determined flow types. The LPTS process classifies control-plane traffic into these flows automatically, so all we need to do is reference the pre-defined flow type. We limit local ICMP to 10 pps and default SSH to 20 pps. “Known” SSH refers to an SSH session that is already established, so “default” SSH covers unestablished SSH flows.

We can confirm the LPTS policing rates using the following show command:

The above output shows us that 10 ICMP local packets have been accepted and 5 have been dropped.