http://s16/mw690/003cgf5Nzy6I9wFpRQb7f&690COPP/CPPR 配置思路" TITLE="CISCO COPP/CPPR 配置思路" />

Control-plane protection (实例一：Flow-Control)

一、定义允许Telnet/SSH的流量

FW(config)#ip access-list extended ssh.telnet

FW(config-ext-nacl)#deny tcp 202.100.1.0 0.0.0.255 any eq 22

FW(config-ext-nacl)#deny tcp 202.100.1.0 0.0.0.255 any eq 23

FW(config-ext-nacl)#permit tcp any any eq 23

FW(config-ext-nacl)#permit tcp any any eq 22

二、定义CLASS-MAP,匹配ACL流量

FW(config)#class-map match-all control.ssh.telnet

FW(config-cmap)#match access-group name ssh.telnet

FW(config-cmap)#exit

三、定义POLICY-MAP，匹配CLASS-MAP，并将非法访问流量干掉

FW(config)#policy-map control.ssh.telnet

FW(config-pmap)#class control.ssh.telnet

FW(config-pmap-c)#drop

四、control-plane调用POLICY-MAP

FW(config-cp)#service-policy input control.ssh.telnet

 

 

Control-plane policing(实例二:FLOW-limit)

 

一、定义匹配ICMP流量的ACL

ip access-list extended control.ICMP

 permit icmp any any

!

二、定义CLASS-MAP,匹配ACL流量

class-map match-all control.ICMP

 match access-group name control.ICMP

三、定义POLICY-MAP，匹配CLASS-MAP,设置限速，每秒只允许一个数据包

policy-map control.ICMP

 class control.ICMP

   police rate 1 pps burst 1 packets

     conform-action transmit

     exceed-action drop

四、control-plane调用POLICY-MAP

control-plane

 service-policy input control.ICMP

 

http://s1/mw690/003cgf5Nzy6IaKvcWKk70&690COPP/CPPR 配置思路" TITLE="CISCO COPP/CPPR 配置思路" />

Control-plane protection (实例三:port-filter)

 

FW#show control-plane host open-ports

Active internet connections (servers and established)

Prot        Local Address      Foreign Address                  Service    State

 tcp                 *:22                  *:0               SSH-Server   LISTEN

 tcp                 *:23                  *:0                   Telnet   LISTEN

 tcp                 *:23    202.100.1.1:24125                   Telnet ESTABLIS

 

一、定义CLASS-MAP,匹配常见黑客攻击端口；

 

FW(config)#class-map type port-filter match-any  cppr.class

FW(config-cmap)#match port tcp 23

FW(config-cmap)#match closed-ports

FW(config-cmap)#match ?

  closed-ports  All the closed ports on the router

  not           Negate this match result

  port          TCP/UDP port number

二、定义POLICY-MAP，匹配CLASS-MAP,设置限速，对攻击端口进行屏蔽；

FW(config)#policy-map type  port-filter cppr.policy

FW(config-pmap)#class cppr.class

FW(config-pmap-c)#drop

FW(config-pmap-c)#exit

FW(config-pmap)#exit

三、定义control-plane  host 调用POLICY-MAP

FW(config)#control-plane host

FW(config-cp-host)#service-policy type port-filter in  cppr.policy

 

Control-plane protection (实例四:queue-threshold)

 

一、定义CLASS-MAP,匹配需做限制的协议

 

class-map type queue-threshold match-any cppr.queue

 match  protocol telnet

 

二、定义POLICY-MAP，限制Telnet协议，占整个输入队列的数据包的个数；

 

policy-map type queue-threshold cppr.queue

 class cppr.queue

   queue-limit 5

三、定义control-plane  host 调用POLICY-MAP

 

control-plane host

 service-policy type queue-threshold input cppr.queue

 

FW#show policy-map  type queue-threshold control-plane host

      queue-limit 5

      queue-count 5     packets allowed/dropped 75/69

 Control Plane Host

 

  Service-policy queue-threshold input: cppr.queue

 

    Class-map: cppr.queue (match-any)

      144 packets, 9530 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match:  protocol telnet

        144 packets, 9530 bytes

        5 minute rate 0 bps

 

    Class-map: class-default (match-any)

      0 packets, 0 bytes

      5 minute offered rate 0 bps, drop rate 0 bps