Control Plane Protection; Control Plane Packet Types - Cisco Nexus 9000 Series Configuration Manual

Control Plane Protection

Control plane
Management plane
The supervisor module has both the management plane and control plane and is critical to the operation of
the network. Any disruption or attacks to the supervisor module will result in serious network outages. For
example, excessive traffic to the supervisor module could overload and slow down the performance of the
entire Cisco NX-OS device. For example, a DoS attack on the supervisor module could generate IP traffic
streams to the control plane at a very high rate, forcing the control plane to spend a large amount of time in
handling these packets and preventing the control plane from processing genuine traffic.
Examples of DoS attacks include:
• Internet Control Message Protocol (ICMP) echo requests
• IP fragments
• TCP SYN flooding
These attacks can impact the device performance and have the following negative effects:
• Reduced service quality (such as poor voice, video, or critical applications traffic)
• High route processor or switch processor CPU utilization
• Route flaps due to loss of routing protocol updates or keepalives
• Unstable Layer 2 topology
• Slow or unresponsive interactive sessions with the CLI
• Processor resource exhaustion, such as the memory and buffers
• Indiscriminate drops of incoming packets
Caution It is important to ensure that you protect the supervisor module from accidental or malicious attacks by
configuring control plane protection.
Control Plane Protection
To protect the control plane, the Cisco NX-OS device segregates different packets destined for the control
plane into different classes. Once these classes are identified, the Cisco NX-OS device polices the packets,
which ensures that the supervisor module is not overwhelmed.

Control Plane Packet Types

Different types of packets can reach the control plane:
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
454
Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol (BGP)
and the Open Shortest Path First (OSPF) Protocol, send control packets between devices. These packets
are destined to router addresses and are called control plane packets.
Runs the components meant for Cisco NX-OS device management purposes such as the command-line
interface (CLI) and Simple Network Management Protocol (SNMP).
Configuring Control Plane Policing