ME 3800x and ME 3600x Switches Software Configuration Guide, Release 15.2(4)S
Configuring Control Plane Policing (COPP)

Table Of Contents

Configuring Control Plane Policing (CoPP)
    Configuring CoPP
    Monitoring CoPP
    Clearing CoPP policy-map statistics
    Removing CoPP Configuration
    Changing Policer Rate for a Class


Configuring Control Plane Policing (CoPP)


The traffic managed by the route processor (RP) is divided into four functional components or planes:

Data plane

Management plane

Control plane

Services plane

The control plane policing (CoPP) feature increases security on the switch by protecting the RP from unnecessary or denial-of-service (DoS) traffic and by giving priority to important control plane and management traffic.

The majority of traffic managed by the RP is handled by way of the control and management planes. You can use CoPP to protect the control and management planes, and ensure routing stability, reachability, and packet delivery. CoPP uses a dedicated control plane configuration through the modular QoS CLI (MQC) and the platform dependent CLI to provide filtering and rate-limiting capabilities for the control plane packets.

The switch has default egress policers installed for each of the 20 CPU queues. See Table 34-1 for the default rates of each CPU queue.

Table 34-1 Options for Input and Output Policies

The Policer columns give the default CIR in bps and the committed burst (bc) in bytes for each CPU queue; the remaining columns describe the software and hardware queue resources.

Queue Name           | Priority | Policer CIR (bps) | Policer Burst bc (bytes) | Software queue number | ASPDMA num of descriptors | ASPDMA num of buffers | ASPDMA size of buffers (bytes) | H/w queue no | H/w buffer size (bytes) | Red thresh (bytes)
Software Forwarding  | Normal   |  1000000          | 1000000                  |  0                    | 128                       |  512                  |  512                           | 18176        | 320                     | 40960
Routing Protocol     | High     |  1000000          |  100000                  |  1                    | 128                       |  512                  |  512                           | 18177        | 320                     | 40960
ICMP                 | Normal   |  1000000          |  100000                  |  2                    | 128                       |  512                  |  512                           | 18178        | 320                     | 40960
Host                 | Normal   | 20000000          |  500000                  |  3                    | 128                       |  512                  |  512                           | 18179        | 320                     | 40960
ACL Logging          | Normal   |  1000000          |  100000                  |  4                    | 128                       |  512                  |  512                           | 18180        | 320                     | 40960
STP                  | Expedite |  1000000          |  100000                  |  5                    | 128                       |  512                  |  512                           | 18181        | 320                     | 40960
L2 Protocol          | Normal   |  1000000          |  100000                  |  6                    | 128                       |  512                  |  512                           | 18182        | 320                     | 40960
Multicast Control    | Normal   |  1000000          |  100000                  |  7                    | 128                       | 1024                  | 1024                           | 18183        | 320                     | 40960
Broadcast            | Normal   |  1000000          |  100000                  |  8                    | 128                       |  512                  |  512                           | 18184        | 320                     | 40960
REP                  | Expedite |  1000000          |  100000                  |  9                    | 128                       |  512                  |  512                           | 18185        | 320                     | 40960
CFM                  | High     |  1000000          |  100000                  | 10                    | 128                       |  512                  |  512                           | 18186        | 320                     | 40960
Control              | Normal   |  1000000          |  100000                  | 11                    | 128                       |  512                  |  512                           | 18187        | 320                     | 40960
IP Options           | High     |  1000000          |  100000                  | 12                    | 128                       |  512                  |  512                           | 18188        | 320                     | 40960
Multicast Default    | Normal   |    64000          |   64000                  | 13                    | 128                       |  512                  |  512                           | 18189        | 320                     | 40960
Multicast Route Data | Normal   |    64000          |   64000                  | 14                    | 128                       |  512                  |  512                           | 18190        | 320                     | 40960
Multicast Mismatch   | Low      |  1000000          |  100000                  | 15                    | 128                       |  512                  |  512                           | 18191        | 320                     | 40960
RPF Failed           | Low      |    32000          |   32000                  | 16                    | 128                       |  512                  |  512                           | 18192        | 320                     | 40960
Routing Throttle     | Normal   |  1000000          |  100000                  | 17                    | 128                       |  512                  |  512                           | 18193        | 320                     | 40960
Multicast Queue      | Normal   |  1000000          |  100000                  | 18                    | 128                       |  512                  |  512                           | 18194        | 320                     | 40960
MPLS OAM             | High     | 20000000          |  500000                  | 19                    | 128                       |  512                  |  512                           | 18195        | 320                     | 40960
MPLS MTU             | Normal   |  1000000          |  100000                  | 20                    | 128                       |  512                  |  512                           | 18196        | 320                     | 40960


Configuring CoPP

CoPP uses MQC to define traffic classification criteria and to specify the configurable policy actions for the classified traffic. You must first identify the traffic to be classified by defining a class map. The class map defines packets for a particular traffic class. After you have classified the traffic, you can create policy maps to enforce policy actions for the identified traffic. The control-plane global configuration command allows the CoPP service policies to be directly attached to the control plane.

To modify the rates for the input and output policies shown in Table 34-1 Options for Input and Output Policies, use the platform qos policer cpu queue queue-num cir | cb command.

To check or clear the policer statistics for a particular CPU queue, use the show platform qos policer cpu queue queue-number 0 | 1 command.


Note Before using the platform qos policer cpu queue and show platform qos policer commands, run the service internal command.


To configure CoPP, perform this task:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

mac access-list extended name

Create a Layer 2 MAC ACL by specifying the name of the list and enter extended MAC ACL configuration mode.

Step 3 

permit {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]

Always use the permit keyword for ACLs used as match criteria in QoS policies.

For dst-MAC-addr, enter the MAC address of the host to which the packet is being sent, in hexadecimal format (H.H.H), followed by a mask. The any keyword stands for address 0.0.0 with wildcard ffff.ffff.ffff (match every destination), and the host keyword stands for a single address with wildcard 0.0.0.

Note Only STP MAC-based classification is supported on the switch.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

class-map class-map-name

Create a class map and enter class-map configuration mode.

Step 6 

match access-group name access-group-name

Configure the class map to match the named access list.

Step 7 

policy-map policy-map-name

Create a policy map by entering the policy map name, and enter policy-map configuration mode.

Step 8 

class {class-map-name | class-default}

Define a policy map class and enter policy-map class configuration mode.

Enter the name of a class map. The class map must already exist; create it with the class-map global configuration command.

Note The class-default keyword, which would match all unclassified packets, is not supported on the switch.

Step 9 

police {rate-bps | cir {cir-bps [burst-bytes] [bc burst-bytes]| percent percent [burst-ms] [bc burst-ms]} }

Configure a traffic policer based on the traffic rate or committed information rate (CIR). By default, no policer is defined.

For rate-bps, specify the average traffic rate in bits per second (b/s). The range is 64000 to 10000000000.

For cir cir-bps, specify a committed information rate (CIR) in bits per second (b/s). The range is 32000 to 10000000000.

For burst-bytes (optional), specify the normal burst size in bytes. The range is 8000 to 16000000.

For bc burst-bytes (optional), specify the conformed burst (bc) or the number of acceptable burst bytes. The range is 8000 to 16000000.

For burst-ms (optional), enter the conform burst size in milliseconds. The range is 1 to 2000. The default is 250 ms.

For bc burst-ms (optional), specify the conformed burst (bc) in milliseconds. The range is 1 to 2000.

Note The cir percent percent option is not supported on the switch.

If you are configuring a single action for conformed and exceeded packets, you can specify it on the same line as the police command. If you are configuring multiple actions, press ENTER after the police command and enter policy-map class police configuration mode (config-pmap-c-police) to specify the actions to take.

Step 10 

end

Return to privileged EXEC mode.

Step 11 

control-plane

Enter the control plane configuration mode.

Step 12 

service-policy input service-policy-name

Apply the QoS service policy to the control plane.

Example:

The following example shows a MAC access list with a permit rule that matches STP packets (destination MAC equal to the STP MAC), a class map that matches on the access list, and a policy map that links the class to a police rate; the policy is then attached to the control plane.

Switch#configure terminal
Switch(config)#mac access-list extended copp-stp
Switch(config-ext-macl)#permit any 0180.c200.0000 0000.0000.0000
Switch(config-ext-macl)#exit
Switch(config)#class-map copp-stp
Switch(config-cmap)#match access-group name copp-stp
Switch(config-cmap)#exit
Switch(config)#policy-map copp
Switch(config-pmap)#class copp-stp
Switch(config-pmap-c)#police cir 5m
Switch(config-pmap-c-police)#exit
Switch(config-pmap-c)#exit
Switch(config-pmap)#exit
Switch(config)#control-plane
Switch(config-cp)#service-policy input copp
Switch(config-cp)#end
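The police command above specifies only a CIR; the guide states that the burst defaults to 250 ms, and the show output later on this page (cir 4000000 bps, bc 125000 bytes) is consistent with bc = CIR / 8 * 0.25 s. The following added example, which is not code from the Cisco guide or from IOS, models the single-rate, two-color policer the guide describes as a token bucket (conform-action transmit, exceed-action drop) and replays a constructed packet stream through it: a burst that overruns bc, a stream at exactly the CIR, and a stream at twice the CIR. Timestamps are integer microseconds and tokens are counted in bits so the arithmetic is exact; the traffic is constructed, not captured.

```python
"""1R2C token-bucket model of the CoPP 'police cir' command (added example)."""


def default_bc_bytes(cir_bps: int, burst_ms: int = 250) -> int:
    """bc in bytes for a CIR when only a burst time is given.

    Assumes the guide's 250 ms default burst; 4 Mb/s gives 125000 bytes,
    which is the bc shown in the page's show policy-map output.
    """
    return cir_bps * burst_ms // 8000


class SingleRatePolicer:
    """One rate (cir) and one bucket (bc): packets that fit conform, the rest
    exceed. No pir or violate-action, since the switch supports only 1R2C."""

    def __init__(self, cir_bps: int, bc_bytes: int):
        self.cir_bps = cir_bps
        self.bc_bits = bc_bytes * 8
        self.tokens_bits = self.bc_bits       # bucket starts full
        self.last_us = 0
        self.conform_packets = self.conform_bytes = 0
        self.exceed_packets = self.exceed_bytes = 0

    def offer(self, t_us: int, size_bytes: int) -> str:
        """Police one packet arriving at t_us; returns the action applied."""
        if t_us < self.last_us:
            raise ValueError("packets must be offered in arrival order")
        # Refill at cir bits per second for the time elapsed, capped at bc.
        refill = (t_us - self.last_us) * self.cir_bps // 1_000_000
        self.tokens_bits = min(self.bc_bits, self.tokens_bits + refill)
        self.last_us = t_us
        bits = size_bytes * 8
        if bits <= self.tokens_bits:
            self.tokens_bits -= bits
            self.conform_packets += 1
            self.conform_bytes += size_bytes
            return "transmit"                 # conform-action
        self.exceed_packets += 1              # exceeding packets take no tokens
        self.exceed_bytes += size_bytes
        return "drop"                         # exceed-action

    def counters(self) -> dict:
        return {"conform_packets": self.conform_packets,
                "conform_bytes": self.conform_bytes,
                "exceed_packets": self.exceed_packets,
                "exceed_bytes": self.exceed_bytes}


def constructed_stream() -> list:
    """Constructed sample traffic (not captured): 1000-byte packets, a
    200-packet burst at t=0, then 50 packets at exactly 4 Mb/s (one per 2 ms),
    then 100 packets at 8 Mb/s (one per 1 ms)."""
    pkts = [(0, 1000)] * 200
    pkts += [(2000 * k, 1000) for k in range(1, 51)]
    pkts += [(100_000 + 1000 * k, 1000) for k in range(1, 101)]
    return pkts


def police_stream(cir_bps: int = 4_000_000, bc_bytes: int = None,
                  packets: list = None) -> dict:
    """Run a packet list through a policer and return its counters."""
    bc = default_bc_bytes(cir_bps) if bc_bytes is None else bc_bytes
    policer = SingleRatePolicer(cir_bps, bc)
    for t_us, size in (constructed_stream() if packets is None else packets):
        policer.offer(t_us, size)
    return policer.counters()


if __name__ == "__main__":
    print("default bc for 4 Mb/s:", default_bc_bytes(4_000_000), "bytes")
    print(police_stream())
```

With cir 4000000 and the default burst, the first 125 packets of the burst fit in the 125000-byte bucket and the remaining 75 are dropped; the stream at exactly the CIR conforms entirely, and the stream at twice the CIR loses every second packet, so the admitted rate stays at the CIR. The same function gives 156250 bytes for the page's police cir 5m example.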

When defining the packet classification criteria, follow these guidelines and restrictions:

Configure policing in each class. CoPP does not apply the filtering of a class that contains no police command, so such a class matches no traffic and its packets fall through to the filtering and policing configured in a subsequent class.

The ACLs used for classification are QoS ACLs. The supported QoS ACLs are IP standard, extended, and named.

Only IP ACLs are supported in hardware.

MAC-based matching is done in software only.

You can enter only one match command in a single class map.

When defining the service policy, the police policy-map action is the only supported action.

When applying the service policy to the control plane, only the input direction is supported.

Hierarchical policy maps are not supported for control plane policies.

Only one match criterion is supported in a control-plane class; multiple match criteria cannot be configured. Matching several protocols in the same class of a CoPP policy is not supported, so configure each class with the match rules for a single protocol.

Only single-rate, two-color (1R2C) policers are supported on a class in a CoPP policy, and only the transmit and drop actions are supported.

Classes without a policer are not supported in CoPP; attach a policer to every class inside a CoPP policy.

Once a policy is attached to the control plane, do not modify the ACLs linked to it or the match criteria in its classes. Detach the policy, modify the ACLs or classes, and then re-attach the policy to the control plane.

The class-default of a CoPP policy does not support policing or statistics; all packets that are not classified into one of the CoPP protocol classes are policed at the default rate of the CPU queue they take.
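Several of the restrictions above produce a policy that silently matches nothing or is rejected only at attach time, so they are worth checking before a change window. The following added example, not code from the Cisco guide or from IOS, parses an IOS-style running-config snippet by its leading-space indentation and reports the cases listed above: a class map with more than one match, a policy class without a police command, class-default inside the CoPP policy, a two-rate or three-color policer, an action other than transmit or drop, and a service-policy that is not in the input direction. SAMPLE_CONFIG is constructed for the demonstration and is not taken from a device.

```python
"""Lint a CoPP configuration against the restrictions in this chapter (added example)."""
import re

CLASS_MAP_RE = re.compile(r"^class-map(?: match-(?:all|any))? (\S+)$")
POLICY_MAP_RE = re.compile(r"^policy-map (\S+)$")

# Constructed sample with four deliberate problems; not captured from a switch.
SAMPLE_CONFIG = """\
mac access-list extended copp-stp
 permit any 0180.c200.0000 0000.0000.0000
class-map match-all copp-stp
 match access-group name copp-stp
class-map match-all copp-icmp
 match access-group name copp-icmp
 match access-group name copp-icmp-v6
class-map match-all copp-ospf
 match access-group name copp-ospf
policy-map copp
 class copp-stp
  police cir 5000000
   conform-action transmit
   exceed-action drop
 class copp-icmp
  police cir 4000000
   conform-action transmit
   exceed-action drop
 class copp-ospf
 class class-default
control-plane
 service-policy output copp
"""


def parse_config(config_text: str):
    """Collect class-maps, policy-map classes and control-plane lines.
    Sub-mode lines are recognised by their leading spaces, as in an IOS
    running-config; unrelated top-level blocks are skipped."""
    class_maps, policies, control_plane = {}, {}, []
    mode = cmap = pmap = pclass = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:                             # a new top-level block
            mode = pclass = None
            m = CLASS_MAP_RE.match(line)
            if m:
                mode, cmap = "cmap", m.group(1)
                class_maps[cmap] = []
            m = POLICY_MAP_RE.match(line)
            if m:
                mode, pmap = "pmap", m.group(1)
                policies[pmap] = {}
            if line == "control-plane":
                mode = "cp"
        elif mode == "cmap" and line.startswith("match "):
            class_maps[cmap].append(line)
        elif mode == "pmap":
            if indent == 1 and line.startswith("class "):
                pclass = line.split(None, 1)[1]
                policies[pmap][pclass] = []
            elif pclass is not None:
                policies[pmap][pclass].append(line)
        elif mode == "cp" and line.startswith("service-policy "):
            control_plane.append(line)
    return class_maps, policies, control_plane


def lint_copp(config_text: str) -> list:
    """Return one finding string per restriction the configuration violates."""
    class_maps, policies, control_plane = parse_config(config_text)
    findings = []
    for name, matches in class_maps.items():
        if len(matches) != 1:
            findings.append(f"class-map {name}: {len(matches)} match statements, exactly one is supported")
    for pname, classes in policies.items():
        for cname, body in classes.items():
            where = f"policy-map {pname} class {cname}"
            if cname == "class-default":
                findings.append(f"{where}: class-default is not supported in a CoPP policy")
                continue
            if cname not in class_maps:
                findings.append(f"{where}: class-map is not defined")
            if not any(l.startswith("police") for l in body):
                findings.append(f"{where}: no police statement, the class matches no traffic")
            for l in body:
                words = l.split()
                if "pir" in words or words[0] == "violate-action":
                    findings.append(f"{where}: two-rate or three-color policer, only 1R2C is supported")
                if words[0] in ("conform-action", "exceed-action") and len(words) > 1 \
                        and words[1] not in ("transmit", "drop"):
                    findings.append(f"{where}: '{l}' is not supported, use transmit or drop")
    for l in control_plane:
        words = l.split()
        if len(words) < 3 or words[1] != "input":
            findings.append(f"control-plane: '{l}', only the input direction is supported")
        elif words[2] not in policies:
            findings.append(f"control-plane: service-policy {words[2]} is not defined")
    return findings


if __name__ == "__main__":
    for finding in lint_copp(SAMPLE_CONFIG):
        print(finding)
```

Run against SAMPLE_CONFIG the linter reports the second match in copp-icmp, the missing policer in copp-ospf, the class-default entry, and the output-direction service-policy; a policy built like the STP example earlier on this page produces no findings.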

Monitoring CoPP

You can enter the show policy-map control-plane command for developing site-specific policies, monitoring statistics for the control plane policy, and troubleshooting CoPP. This command displays dynamic information about the actual policy applied, including rate information and the number of bytes (and packets) that conformed or exceeded the configured policies both in hardware and in software.

The output of the show policy-map control-plane command is as follows:

Switch#show policy-map control-plane
 Control Plane

  Service-policy input: copp

    Class-map: copp-icmp (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name copp-icmp
      police:
        cir 4000000 bps, bc 125000 bytes
        conform-action transmit
        exceed-action drop
      conform: 0 (packets) 0 (bytes)
      exceed: 0 (packets) 0 (bytes)
      conform: 0 bps, exceed: 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
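The exceed counters in this output are the signal a defender watches: a class whose exceed count or drop rate climbs is receiving more of that protocol than its policer admits, whether from a flood or from a CIR set too low. The following added example, not code from the Cisco guide or from IOS, parses the output into per-class counters and flags the classes whose policer is dropping. SAMPLE_OUTPUT is constructed in the shape of the output above but with non-zero counters; it is not captured from a device.

```python
"""Parse 'show policy-map control-plane' and flag policed classes with drops (added example)."""
import re

# Constructed sample, not device output: copp-icmp is exceeding its policer.
SAMPLE_OUTPUT = """\
Switch#show policy-map control-plane
 Control Plane

  Service-policy input: copp

    Class-map: copp-icmp (match-all)
      15400 packets, 1540000 bytes
      5 minute offered rate 52000 bps, drop rate 11000 bps
      Match: access-group name copp-icmp
      police:
        cir 4000000 bps, bc 125000 bytes
        conform-action transmit
        exceed-action drop
      conform: 12000 (packets) 1200000 (bytes)
      exceed: 3400 (packets) 340000 (bytes)
      conform: 41000 bps, exceed: 11000 bps

    Class-map: copp-stp (match-all)
      820 packets, 52480 bytes
      5 minute offered rate 1000 bps, drop rate 0000 bps
      Match: access-group name copp-stp
      police:
        cir 5000000 bps, bc 156250 bytes
        conform-action transmit
        exceed-action drop
      conform: 820 (packets) 52480 (bytes)
      exceed: 0 (packets) 0 (bytes)
      conform: 1000 bps, exceed: 0 bps

    Class-map: class-default (match-any)
      99100 packets, 7928000 bytes
      5 minute offered rate 23000 bps, drop rate 0000 bps
      Match: any
"""

CLASS_RE = re.compile(r"^Class-map: (\S+) \((match-\w+)\)$")
COUNTER_PATTERNS = [
    (re.compile(r"^(\d+) packets, (\d+) bytes$"), ("packets", "bytes")),
    (re.compile(r"^5 minute offered rate (\d+) bps, drop rate (\d+) bps$"), ("offered_bps", "drop_bps")),
    (re.compile(r"^cir (\d+) bps, bc (\d+) bytes$"), ("cir_bps", "bc_bytes")),
    (re.compile(r"^conform: (\d+) \(packets\) (\d+) \(bytes\)$"), ("conform_packets", "conform_bytes")),
    (re.compile(r"^exceed: (\d+) \(packets\) (\d+) \(bytes\)$"), ("exceed_packets", "exceed_bytes")),
]


def parse_copp_stats(text: str) -> dict:
    """Map each class-map name to a dict of its counters and policer settings.
    Lines before the first Class-map header are ignored; class-default has no
    police block, so it gets only packet, byte and rate counters."""
    stats, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            cur = stats.setdefault(m.group(1), {"match_type": m.group(2)})
            continue
        if cur is None:
            continue
        for rx, keys in COUNTER_PATTERNS:
            m = rx.match(line)
            if m:
                cur.update(zip(keys, map(int, m.groups())))
                break
        else:
            words = line.split()
            if line.startswith("Match: "):
                cur["match"] = line[len("Match: "):]
            elif words and words[0] in ("conform-action", "exceed-action") and len(words) > 1:
                cur[words[0].replace("-", "_")] = words[1]
    return stats


def classes_exceeding(stats: dict, min_exceed_packets: int = 1) -> list:
    """Names of policed classes whose exceed counter reached the threshold."""
    return [name for name, s in stats.items()
            if s.get("exceed_packets", 0) >= min_exceed_packets]


def exceed_ratio(class_stats: dict) -> float:
    """Fraction of a class's policed packets that exceeded (0.0 if none seen)."""
    exceeded = class_stats.get("exceed_packets", 0)
    total = class_stats.get("conform_packets", 0) + exceeded
    return exceeded / total if total else 0.0


if __name__ == "__main__":
    stats = parse_copp_stats(SAMPLE_OUTPUT)
    for name in classes_exceeding(stats):
        s = stats[name]
        print(f"{name}: {s['exceed_packets']} exceeded of "
              f"{s['conform_packets'] + s['exceed_packets']} "
              f"({exceed_ratio(s):.1%}), cir {s['cir_bps']} bps, drop rate {s['drop_bps']} bps")
```

Note that class-default carries only packet, byte and rate counters: as the restrictions above state, unclassified traffic is not policed by the CoPP policy but by the default rate of the CPU queue it takes, so drops there show up in the show platform qos policer cpu queue output rather than here.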

Clearing CoPP policy-map statistics

To clear CoPP policy-map statistics, use the clear control-plane command:

Switch#clear control-plane 

Removing CoPP Configuration

To remove the CoPP configuration, detach the service-policy from the control-plane using the following steps:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

control-plane

Enter the control plane configuration mode.

Step 3 

no service-policy input service-policy-name

Remove the QoS service policy from the control plane.

Example:

Switch#configure terminal
Switch(config)#control-plane 
Switch(config-cp)#no service-policy input copp 

Changing Policer Rate for a Class

While a service policy is attached to the control plane, a class can be added to it and a policer attached to that class; classes can also be removed from a policy map that is attached to the control plane.

Removing a class from the control-plane policy, or detaching the policy map, causes the corresponding protocol to be policed at the default rate of the CPU queue it takes.

To change the policer rate for a class, change the configuration as follows:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

policy-map policy-map-name

Create a policy map by entering the policy map name, and enter policy-map configuration mode.

Step 3 

class {class-map-name | class-default}

Define a policy map class and enter policy-map class configuration mode.

Enter the name of a class map. The class map must already exist; create it with the class-map global configuration command.

Note The class-default keyword, which would match all unclassified packets, is not supported on the switch.

Step 4 

police {rate-bps | cir {cir-bps [burst-bytes] [bc burst-bytes]| percent percent [burst-ms] [bc burst-ms]} }

Configure a traffic policer based on the traffic rate or committed information rate (CIR). By default, no policer is defined.

For rate-bps, specify the average traffic rate in bits per second (b/s). The range is 64000 to 10000000000.

For cir cir-bps, specify a committed information rate (CIR) in bits per second (b/s). The range is 32000 to 10000000000.

For burst-bytes (optional), specify the normal burst size in bytes. The range is 8000 to 16000000.

For bc burst-bytes (optional), specify the conformed burst (bc) or the number of acceptable burst bytes. The range is 8000 to 16000000.

For burst-ms (optional), enter the conform burst size in milliseconds. The range is 1 to 2000. The default is 250 ms.

For bc burst-ms (optional), specify the conformed burst (bc) in milliseconds. The range is 1 to 2000.

Note The cir percent percent option is not supported on the switch.

If you are configuring a single action for conformed and exceeded packets, you can specify it on the same line as the police command. If you are configuring multiple actions, press ENTER after the police command and enter policy-map class police configuration mode (config-pmap-c-police) to specify the actions to take.

Example:

Switch#configure terminal
Switch(config)#policy-map copp
Switch(config-pmap)#class copp-icmp
Switch(config-pmap-c)#police cir 7m
Switch(config-pmap-c-police)#end