Configuring Control Plane Policing

Available Languages

Download Options

  • PDF     (496.4 KB)
    View with Adobe Reader on a variety of devices
Updated:October 17, 2011

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Configuring Control Plane Policing

Configuring Control Plane Policing

This chapter describes how to configure Control Plane Policing (CoPP) on a Cisco NX-OS device.

This chapter includes the following sections:

Information About CoPP

Control Plane Policing (CoPP) protects the control plane and separates it from the data plane, thereby ensuring network stability, reachability, and packet delivery.

This feature allows a policy map to be applied to the control plane. This policy map looks like a normal QoS policy and is applied to all traffic destined to any of the IP addresses of the router or Layer 3 switch. A common attack vector for network devices is the denial-of-service (DoS) attack, where excessive traffic is directed at the device interfaces.

The Cisco NX-OS device provides CoPP to prevent DoS attacks from impacting performance. Such attacks, which can be perpetrated either inadvertently or maliciously, typically involve high rates of traffic destined to the route processor itself.

The supervisor module divides the traffic that it manages into three functional components or planes:

Data plane
Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called the transit packets. These packets are handled by the data plane.
Control plane
Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol (BGP) and the Open Shortest Path First (OSPF) Protocol, send control packets between devices. These packets are destined to router addresses and are called control plane packets.
Management plane
Runs the components meant for Cisco NX-OS device management purposes such as the command-line interface (CLI) and Simple Network Management Protocol (SNMP).

The supervisor module has both the management plane and control plane and is critical to the operation of the network. Any disruption or attacks to the supervisor module will result in serious network outages. For example, excessive traffic to the supervisor module could overload and slow down the performance of the entire Cisco NX-OS device. Attacks on the supervisor module can be of various types such as DoS that generates IP traffic streams to the control plane at a very high rate. These attacks force the control plane to spend a large amount of time in handling these packets and prevents the control plane from processing genuine traffic.

Examples of DoS attacks are as follows:

  • Internet Control Message Protocol (ICMP) echo requests
  • IP fragments
  • TCP SYN flooding

These attacks can impact the device performance and have the following negative effects:

  • Reduced service quality (such as poor voice, video, or critical applications traffic)
  • High route processor or switch processor CPU utilization
  • Route flaps due to loss of routing protocol updates or keepalives
  • Unstable Layer 2 topology
  • Slow or unresponsive interactive sessions with the CLI
  • Processor resource exhaustion, such as the memory and buffers
  • Indiscriminate drops of incoming packets

Caution
It is important to ensure that you protect the supervisor module from accidental or malicious attacks by setting appropriate control plane protection.

Control Plane Protection

To protect the control plane, the Cisco NX-OS device segregates different packets destined to the control plane into different classes. Once these classes are identified, the Cisco NX-OS device polices or marks down packets, which ensure that the supervisor module is not overwhelmed.

Control Plane Packet Types

Different types of packets can reach the control plane:

Receive packets
Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and keepalive messages. Multicast packets can also be in this category where packets are sent to multicast addresses that are used by a router.
Exception packets
Packets that need special handling by the supervisor module. For example, if a destination address is not present in the Forwarding Information Base (FIB) and results in a miss, then the supervisor module sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options set.
Redirected packets
Packets that are redirected to the supervisor module. Features like Dynamic Host Configuration Protocol (DHCP) snooping or dynamic Address Resolution Protocol (ARP) inspection redirect some packets to the supervisor module.
Glean packets
If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet and sends an ARP request to the host.

All of these different packets could be maliciously used to attack the control plane and overwhelm the Cisco NX-OS device. CoPP classifies these packets to different classes and provides a mechanism to individually control the rate at which the supervisor module receives these packets.

Classification

For effective protection, the Cisco NX-OS device classifies the packets that reach the supervisor modules to allow you to apply different rate controlling policies based on the type of the packet. For example, you might want to be less strict with a protocol packet such as Hello messages but more strict with a packet that is sent to the supervisor module because the IP option is set. The following parameters that can be used for classifying a packet:

  • Source IP address
  • Destination IP address
  • Source port
  • Destination port
  • Layer 4 Protocol

Rate Controlling Mechanisms

Once the packets are classified, the Cisco NX-OS device has different mechanisms to control the rate at which packets arrive at the supervisor module. Two mechanisms control the rate of traffic to the supervisor module. One is called policing and the other is called rate limiting.

Using hardware policers, you can define separate actions for traffic that conforms to, exceeds, or violates certain conditions. The actions can transmit the packet, mark down the packet, or drop the packet.

You can configure the following parameters for policing:

Packets Per Second (PPS)

Desired bandwidth specified in terms of packets per second.

-

Default Policing Policies

When you bring up your Cisco NX-OS device for the first time, the Cisco NX-OS software installs the default copp-system-policy to protect the supervisor module from DoS attacks. This is the only control plane policy map in the system and cannot be modified or deleted.

This policy is a Layer 2 and Layer 3 policy which provides a good balance of policing between switched and routed traffic bound to CPU and is suitable for basic device operations.

Related Tasks

CoPP and the Management Interface

The Cisco NX-OS device supports only hardware-based CoPP which does not support the management interface (mgmt0). The out-of-band mgmt0 interface connects directly to the CPU and does not pass through the in-band traffic hardware where CoPP is implemented. To limit traffic on the mgmt0 interface, use ACLs.

Related Information

Licensing Requirements for CoPP

The following table shows the licensing requirements for this feature:

Product

License Requirement

Cisco NX-OS

CoPP requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Guidelines and Limitations for CoPP

CoPP has the following configuration guidelines and limitations:

  • The copp-system-policy is the default control plane policy map and is the only control plane policy map in the system. It cannot be modified or deleted, although the pps values for static and dynamic classes are editable.
  • The total pps value for all of the classes in the system cannot exceed 22800 pps.
  • There are two types of class maps: static and dynamic.
    Static class maps

    These maps are created by the system and cannot be deleted.

    For example, copp-s-bpdu is a static class map.

    Dynamic class maps

    These maps are either pre-created by the system or created by users, and can be deleted. If required, new dynamic class maps can be created and added to the copp-system-policy.

    For example, copp-ntp is a dynamic class map.

    You can view the class-to-hardware queue mapping for your system by entering the show system internal copp info command.

    Note

    When you issue the show system internal copp info command, the NX-OS CLI displays two mapping tables: one for the currently running configuration and another for the static class-to-queue mapping for the current build.

    If there are any extra static classes in the build table, it means that the system was upgraded without erasing the previous configuration. To map the new default static classes to the new static class map, enter the setup command in the Nexus CLI.

  • Customizing CoPP is an ongoing process. CoPP must be configured according to the protocols and features used in your specific environment as well as the supervisor features that are required by the server environment. As these protocols and features change, CoPP must be modified.
  • Cisco recommends that you continuously monitor CoPP. If drops occur, determine if CoPP dropped traffic unintentionally or in response to a malfunction or attack. In either event, analyze the situation and evaluate the need to modify the CoPP policies.
  • All the traffic that you do not specify in the other class maps is put into the last class, the default class. Monitor the drops in this class and investigate if these drops are based on traffic that you do not want or the result of a feature that was not configured and you need to add.
  • The ACL that is attached to a static or dynamic class map can be deleted or modified. Only one ACL needs to be configured under a class map. But there can be multiple ACEs in a single ACL.
  • ACLs attached to static and dynamic class maps can be modified or deleted.
  • You can use the statistics per-entry command in the ACL configuration mode to start logging hit counts per ACL entry.
  • The Cisco NX-OS software does not support egress CoPP or silent mode. CoPP is supported only on ingress (service-policy output CoPP cannot be applied to the control plane interface).
  • You can use the access control entry (ACE) hit counters in the hardware only for ACL logic. Use the software ACE hit counters and the show access-lists and show policy-map type control-plane commands to evaluate CPU traffic.

Note

If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

Configuring CoPP

This section describes how to configure CoPP.

Configuring a Control Plane Class Map

You must configure control plane class maps for control plane policies.

You can classify traffic by matching packets based on existing ACLs. The permit and deny ACL keywords are ignored in the matching.

You can configure policies for IP version 4 (IPv4) packets. IP version 6 (IPv6) packets are not supported.

Before You Begin

Ensure that you have configured the IP ACLs if you want to use ACE hit counters in the class maps.

SUMMARY STEPS

    1.    configure terminal

    2.    class-map type control-plane [match-all | match-any] class-map-name

    3.    (Optional) match access-group name access-list-name

    4.    exit

    5.    (Optional) show class-map type control-plane [class-map-name]

    6.    (Optional) copy running-config startup-config


DETAILED STEPS
      Command or Action Purpose
    Step 1 configure terminal


    Example: 
    switch# configure terminal
switch(config)#
     

    Enters global configuration mode.

     
    Step 2 class-map type control-plane [match-all | match-any] class-map-name


    Example: 
    switch(config)# class-map type control-plane ClassMapA
switch(config-cmap)#
     

    Specifies a control plane class map and enters class map configuration mode. The default class matching is match-any. The name can be a maximum of 64 characters long and is case sensitive.

    Note   

    You cannot use class-default, match-all, or match-any as class map names.
     
    Step 3 match access-group name access-list-name


    Example: 
    switch(config-cmap)# match access-group name MyAccessList
          		(Optional)

    Specifies matching for an IP ACL.

    Note   

    The permit and deny ACL keywords are ignored in the CoPP matching.
     
    Step 4 exit


    Example: 
    switch(config-cmap)# exit
switch(config)#
     

    Exits class map configuration mode.

     
    Step 5 show class-map type control-plane [class-map-name]


    Example: 
    switch(config)# show class-map type control-plane
          		(Optional)

    Displays the control plane class map configuration.

     
    Step 6 copy running-config startup-config


    Example: 
    switch(config)# copy running-config startup-config
          		(Optional)

    Copies the running configuration to the startup configuration.

     

    Displaying the CoPP Configuration Status

    You can display the CoPP feature configuration status information.

    Before You Begin
    SUMMARY STEPS

      1.    show copp status


    DETAILED STEPS
        Command or Action Purpose
      Step 1 show copp status


      Example: 
      switch# show copp status
       

      Displays CoPP feature configuration status information.

       

      Monitoring CoPP

      You can monitor CoPP.

      Before You Begin

      Ensure that you are in the default VDC.

      SUMMARY STEPS

        1.    show policy-map interface control-plane


      DETAILED STEPS
          Command or Action Purpose
        Step 1 show policy-map interface control-plane


        Example: 
        switch# show policy-map interface control-plane
         

        Displays control plane statistics.

         

        Clearing the CoPP Statistics

        You can clear the CoPP statistics.

        Before You Begin

        Ensure that you are in the default VDC.

        SUMMARY STEPS

          1.    (Optional) show policy-map interface control-plane

          2.    clear copp statistics


        DETAILED STEPS
            Command or Action Purpose
          Step 1 show policy-map interface control-plane


          Example: 
          switch# show policy-map interface control-plane
                      		(Optional)

          Displays control plane statistics.

           
          Step 2 clear copp statistics


          Example: 
          switch# clear copp statistics
           

          Clears the CoPP statistics.

           

          Verifying the CoPP Configuration

          To display CoPP configuration information, perform one of the following tasks:

          Command

          Purpose

          show class-map type control-plane [class-map-name]

          Displays the control plane class map configuration, including the ACLs that are bound to this class map.

          show ip access-lists [acl-name]

          Displays the access lists, including the ACLs. If the statistics per-entry command is used, it also displays hit counts for specific entries.

          show policy-map interface control-plane

          Displays the policy values with associated class maps. It also displays drops per policy or class map.

          show policy-map type control-plane [expand] [name policy-map-name]

          Displays the control plane policy map with associated class maps and CIR and BC values.

          show running-config aclmgr [all]

          Displays the user-configured access control lists (ACLs) in the running configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the running configuration.

          show running-config copp [all]

          Displays the CoPP configuration in the running configuration.

          show startup-config aclmgr [all]

          Displays the user-configured access control lists (ACLs) in the startup configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.

          show startup-config copp [all]

          Displays the CoPP configuration in the startup configuration.

          Configuration Examples for CoPP

          This section includes example CoPP configurations.

          CoPP Configuration Example

          This example shows how to create a dynamic class IP ACL, create a CoPP class and associate the ACL, and add the class in the CoPP policy.

          Create an IP ACL: 
          ip access-list  copp-sample-acl
Permit udp any any eq 3333
Permit udp any any eq 4444
          Create CoPP class and associate ACL: 
          Class-map type control-plane copp-sample-class
match access-group name copp-sample-acl
          Add class in to the CoPP policy: 
          Policy-map type control-plane copp-system-policy
Class copp-sample-class
 Police pps 100
          This example shows how to modify the PPS for an existing class (copp-s-bpdu): 
          policy-map type control-plane copp-system-policy
 Class copp-s-bpdu
 Police pps <new_pps_value>
          This example shows how to create a dynamic class ARP ACL. ARP ACLs use ARP TCAM. The default size of this TCAM is 0. Before ARP ACLs can be used with CoPP, this TCAM needs to be carved for a non-zero size. 
          hardware profile tcam region arpacl 128 
copy running-config startup-config
reload
          Create an ARP ACL: 
          arp access-list copp-arp-acl
permit ip 20.1.1.1 255.255.255.0 mac any

          This example shows how to delete dynamic classes.

          Remove the class from policy: 
          Policy-map type control-plane copp-system-policy
   no class-abc
          Remove the class from the system: 
          no class-map type control-plane copp-abc
          This examples shows how to use the insert-before option if a packet could match multiple classes and the priority needs to be assigned to one of them.: 
          policy-map type control-plan copp-system-policy
class copp-ping insert-before copp-icmp

          Changing or Reapplying the Default CoPP Policy Using the Setup Utility

          The following example shows how to change or reapply the default CoPP policy using the setup utility.


          Note

          Beginning with Cisco NX-OS Release 5.2, you can change or reapply the default CoPP policy using the copp profile command.

          		 
          switch# setup

         ---- Basic System Configuration Dialog VDC: 1 ----

This setup utility will guide you through the basic configuration of
the system. Setup configures only enough connectivity for management
of the system.


*Note: setup is mainly used for configuring the system initially,
when no configuration is present. So setup always assumes system
defaults and not the current system configuration values.


Press Enter at anytime to skip a dialog. Use ctrl-c at anytime
to skip the remaining dialogs.

Would you like to enter the basic configuration dialog (yes/no): yes

Do you want to enforce secure password standard (yes/no)[y]: <CR>

  Create another login account (yes/no) [n]: n

  Configure read-only SNMP community string (yes/no) [n]: n

  Configure read-write SNMP community string (yes/no) [n]: n

  Enter the switch name : <CR>

  Enable license grace period? (yes/no) [n]: n

  Continue with Out-of-band (mgmt0) management configuration? (yes/no) [y]: n

  Configure the default gateway? (yes/no) [y]: n

  Configure advanced IP options? (yes/no) [n]: <CR>

  Enable the telnet service? (yes/no) [n]: y

  Enable the ssh service? (yes/no) [y]: <CR>

    Type of ssh key you would like to generate (dsa/rsa) : <CR>

  Configure the ntp server? (yes/no) [n]: n

  Configure default interface layer (L3/L2) [L3]: <CR>

  Configure default switchport interface state (shut/noshut) [shut]: <CR>

  Configure best practices CoPP profile (strict/moderate/lenient/noneskip) [strict]: strict

  Configure CMP processor on current sup (slot 6)? (yes/no) [y]: n

  Configure CMP processor on redundant sup (slot 5)? (yes/no) [y]: n

The following configuration will be applied:
  password strength-check
  no license grace-period
  no telnet server enable
  no system default switchport
  system default switchport shutdown
  policy-map type control-plane copp-system-p-policy

Would you like to edit the configuration? (yes/no) [n]: <CR>

Use this configuration and save it? (yes/no) [y]: y

switch#

          Additional References for CoPP

          This section provides additional information related to implementing CoPP.

          Related Documents

          Related Topic

          Document Title

          Licensing

          Cisco NX-OS Licensing Guide

          Command reference

          Cisco Nexus 3000 Series Command Reference

          Feature History for CoPP

          Table 1 Feature History for CoPP

          Feature Name

          Feature Information

          CoPP

          Introduced in 5.0(3)U2(2)

          CoPP

          Updated default policies with addition of PTP and BFD static class-maps in 5.0(3)U2(2)

          Was this Document Helpful?

          FeedbackFeedback

          Contact Cisco

          This Document Applies to These Products