Cisco-COPP-ASR1001
Материал из noname.com.ua
Версия от 12:15, 2 июля 2024; Sirmax (обсуждение | вклад)
Control Plane Policing (CoPP) (на примере ASR1001)
Общая идея работы:
- ACL описывают разрешенные сети/порты
- Class-map просто обертка над ACL никакой дополнительной логики они не вносят
- Policy-map объединяет правило в список, сначала запрещяющие правила потом разрешить все что не запрещено
Если запретить "все что не разрешено", то прийдется повозиться с разрешениями - например сходу отломался LACP когда я попробовал такую схему.
Ссылки и примеры
- на руском но не релевантно ASR1000: http://ciscomaster.ru/content/bezopasnost-nachalo-13-bezopasnost-i-control-plane
- https://www.cisco.com/c/en/us/td/docs/ios/ios_xe/sec_control_plane/configuration/guide/2_xe/cps_xe_book/ctrl_plane_policng_xe.html
- https://freenetworktutorials.com/control-plane-policing-copp-configuration-in-cisco-ios/
Очистка
Перед настройкой удалить существующие настройки
control-plane no service-policy input POLICY_MAP_COPP_INPUT_POLICY exit no policy-map POLICY_MAP_COPP_INPUT_POLICY
ACL
Особенность ACL:
так как все что попадет под permit, после попадет в соответствующий class-map то
ACL вывернут на изнанку - deny означает "разрешить" (исключить из class-map и направить в разрешающее правило)
ip access-list extended ACCESS_LIST_COPP_TELNET
deny tcp any any establishedразрешить уже установленные соединения
no ip access-list extended ACCESS_LIST_COPP_TELNET ip access-list extended ACCESS_LIST_COPP_TELNET deny tcp any any established permit tcp any any eq telnet exit
ip access-list extended ACCESS_LIST_COPP_SSH
no ip access-list extended ACCESS_LIST_COPP_SSH ip access-list extended ACCESS_LIST_COPP_SSH deny tcp any any established permit tcp any any eq 22 exit
ip access-list extended ACCESS_LIST_COPP_SNMP
no ip access-list extended ACCESS_LIST_COPP_SNMP ip access-list extended ACCESS_LIST_COPP_SNMP deny udp 172.31.100.0 0.0.0.255 any eq snmp deny udp 10.72.0.0 0.0.0.255 any eq 161 permit udp any any eq 161 exit
ip access-list extended ACCESS_LIST_COPP_BGP
no ip access-list extended ACCESS_LIST_COPP_BGP ip access-list extended ACCESS_LIST_COPP_BGP deny tcp any any established deny tcp 172.31.0.0 0.0.0.255 any eq 179 permit tcp any any eq 179 exit
ip access-list extended ACCESS_LIST_COPP_RADIUS
no ip access-list extended ACCESS_LIST_COPP_RADIUS ip access-list extended ACCESS_LIST_COPP_RADIUS deny udp 172.31.0.0 0.0.0.255 any eq 1812 deny udp 172.31.0.0 0.0.0.255 any eq 1813 deny udp 100.100.100.0 0.0.0.255 any eq 1812 deny udp 100.100.100.0 0.0.0.255 any eq 1813 permit tcp any any eq 1812 permit tcp any any eq 1813 exit
class-map
class-map CLASS_MAP_COPP_TELNET
no class-map CLASS_MAP_COPP_TELNET class-map CLASS_MAP_COPP_TELNET match access-group name ACCESS_LIST_COPP_TELNET exit
class-map CLASS_MAP_COPP_SSH
no class-map CLASS_MAP_COPP_SSH class-map CLASS_MAP_COPP_SSH match access-group name ACCESS_LIST_COPP_SSH exit
class-map CLASS_MAP_COPP_SNMP
no class-map CLASS_MAP_COPP_SNMP class-map CLASS_MAP_COPP_SNMP match access-group name ACCESS_LIST_COPP_SNMP exit
class-map CLASS_MAP_COPP_BGP
no class-map CLASS_MAP_COPP_BGP class-map CLASS_MAP_COPP_BGP match access-group name ACCESS_LIST_COPP_BGP exit
class-map CLASS_MAP_COPP_RADIUS
no class-map CLASS_MAP_COPP_RADIUS class-map CLASS_MAP_COPP_RADIUS match access-group name ACCESS_LIST_COPP_RADIUS exit
policy-map POLICY_MAP_COPP_INPUT_POLICY
policy-map разбита на части для удобства восприятия
- Строчка
police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action dropэквивалентно действиюdropтак как на некоторых платформах это действие недоступно
- Удалить и заново добавить
policy-map
no policy-map POLICY_MAP_COPP_INPUT_POLICY policy-map POLICY_MAP_COPP_INPUT_POLICY
telnet
! Deny telnet class CLASS_MAP_COPP_TELNET police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop exit exit
ssh
! Deny ssh class CLASS_MAP_COPP_SSH police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop exit exit
snmp
! Deny SNMP class CLASS_MAP_COPP_SNMP police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop exit exit !
BGP
! Deny BGP class CLASS_MAP_COPP_BGP police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop exit exit !
Radius
! Deny RADIUS class CLASS_MAP_COPP_RADIUS police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop exit exit !
Остальной траффик
! Permit other (include LACP) class class-default police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action transmit violate-action transmit exit exit exit
control-plane
control-plane no service-policy input POLICY_MAP_COPP_INPUT_POLICY service-policy input POLICY_MAP_COPP_INPUT_POLICY exit
Port Knock
ip access-list extended KNOCK_TCP_32022 remark *** KNOCK *** permit tcp any host 172.31.100.194 eq 32022 log remark *** PERMITED *** permit ip any any exit
event manager environment KNOCK_ACL_SSH ACCESS_LIST_COPP_SSH
event manager environment KNOCK_ACL_TELNET ACCESS_LIST_COPP_TELNET
no event manager applet KNOCK_TELNET_SSH
event manager applet KNOCK_TELNET_SSH
event syslog pattern "%FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: list KNOCK_TCP_32022 permitted tcp *"
!
action 001.0 regexp "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" "$_syslog_msg" ADDR
action 001.1 regexp "\([0-9]+\)," "$_syslog_msg" PORT
action 001.2 regexp "[0-9]+" "$PORT" PORT
!
action 002.0 syslog msg "Received a knock from $ADDR on port $PORT..."
!
action 002.1 syslog msg "Adding $ADDR to the $KNOCK_ACL_SSH ACL"
!
action 003.0 cli command "enable"
action 003.1 cli command "configure terminal"
action 003.2 cli command "ip access-list extended $KNOCK_ACL_SSH"
action 003.3 cli command "1 deny tcp host $ADDR any eq 22"
action 003.4 cli command "end"
action 003.5 cli command " "
!
action 004.0 syslog msg "Added $ADDR to the $KNOCK_ACL_SSH ACL"
!
action 004.1 syslog msg "Adding $ADDR to the $KNOCK_ACL_TELNET ACL"
!
action 005.0 cli command "enable"
action 005.1 cli command "configure terminal"
action 005.4 cli command "ip access-list extended $KNOCK_ACL_TELNET"
action 005.5 cli command "1 deny tcp host $ADDR any eq telnet"
action 005.6 cli command "end"
!
action 006.0 syslog msg "Added $ADDR to the $KNOCK_ACL_TELNET ACL"
action 006.1 syslog msg "Waiting for 20 sec before deleting rules"
!
action 007.0 wait 20
!
action 008.0 syslog msg "Wait finished"
!
action 008.1 syslog msg "Removing $ADDR from the $KNOCK_ACL_SSH ACL"
!
action 009.0 cli command "enable"
action 009.1 cli command "configure terminal"
action 009.2 cli command "ip access-list extended $KNOCK_ACL_SSH"
action 009.3 cli command "no deny tcp host $ADDR any eq 22"
action 009.4 cli command "end"
!
action 010.0 syslog msg "Removed $ADDR to the $KNOCK_ACL_SSH ACL"
!
action 010.0 syslog msg "Removing $ADDR to the $KNOCK_ACL_TELNET ACL"
!
action 011.0 cli command "enable"
action 011.1 cli command "configure terminal"
action 011.2 cli command "ip access-list extended $KNOCK_ACL_TELNET"
action 011.3 cli command "no deny tcp host $ADDR any eq telnet"
action 011.4 cli command "end"
!
action 012.0 syslog msg "Removed $ADDR from the $KNOCK_ACL_TELNET ACL"
exit
