Configuring Control Plane Policing
This chapter describes how to configure Control Plane Policing (CoPP) on a Cisco NX-OS device.
This chapter includes the following sections:
- Information About CoPP
- Licensing Requirements for CoPP
- Guidelines and Limitations for CoPP
- Configuring CoPP
- CoPP Show Commands
- Displaying the CoPP Configuration Status
- Monitoring CoPP
- Clearing the CoPP Statistics
- CoPP Configuration Examples
- Sample CoPP Configuration
- Example: Changing or Reapplying the Default CoPP Policy Using the Setup Utility
- Additional References for CoPP
- Feature History for CoPP
Information About CoPP
Control Plane Policing (CoPP) protects the control plane and separates it from the data plane, thereby ensuring network stability, reachability, and packet delivery.
This feature allows a policy map to be applied to the control plane. This policy map looks like a normal QoS policy and is applied to all traffic destined to any of the IP addresses of the router or Layer 3 switch. A common attack vector for network devices is the denial-of-service (DoS) attack, where excessive traffic is directed at the device interfaces.
The Cisco NX-OS device provides CoPP to prevent DoS attacks from impacting performance. Such attacks, which can be perpetrated either inadvertently or maliciously, typically involve high rates of traffic destined to the supervisor module or CPU itself.
The supervisor module divides the traffic that it manages into three functional components or planes:
- Data plane
- Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called the transit packets. These packets are handled by the data plane.
- Control plane
- Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol (BGP) and the Open Shortest Path First (OSPF) Protocol, send control packets between devices. These packets are destined to router addresses and are called control plane packets.
- Management plane
- Runs the components meant for Cisco NX-OS device management purposes such as the command-line interface (CLI) and Simple Network Management Protocol (SNMP).
The supervisor module has both the management plane and control plane and is critical to the operation of the network. Any disruption of or attack on the supervisor module will result in serious network outages. For example, excessive traffic to the supervisor module could overload it and slow down the performance of the entire Cisco NX-OS device. Attacks on the supervisor module can be of various types, such as a DoS attack that generates IP traffic streams to the control plane at a very high rate. These attacks force the control plane to spend a large amount of time handling these packets and prevent it from processing genuine traffic.
Examples of DoS attacks are as follows:
These attacks can impact the device performance and have the following negative effects:
- Reduced service quality (such as poor voice, video, or critical applications traffic)
- High route processor or switch processor CPU utilization
- Route flaps due to loss of routing protocol updates or keepalives
- Unstable Layer 2 topology
- Slow or unresponsive interactive sessions with the CLI
- Processor resource exhaustion, such as the memory and buffers
- Indiscriminate drops of incoming packets
Caution: It is important to ensure that you protect the supervisor module from accidental or malicious attacks by setting appropriate control plane protection.
- Control Plane Protection
- Control Plane Packet Types
- Classification
- Rate Controlling Mechanisms
- CoPP Policy Templates
- Default CoPP Policy
- Layer 2 CoPP Policy
- Layer 3 CoPP Policy
- CoPP Class Maps
- CoPP Configuration Information
- Packets Per Second Credit Limit
- CoPP and the Management Interface
Control Plane Protection
To protect the control plane, the Cisco NX-OS device segregates different packets destined to the control plane into different classes. Once these classes are identified, the Cisco NX-OS device polices the packets, which ensures that the supervisor module is not overwhelmed.
Control Plane Packet Types
Different types of packets can reach the control plane:
- Receive packets
- Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and keepalive messages. Multicast packets can also be in this category where packets are sent to multicast addresses that are used by a router.
- Exception packets
- Packets that need special handling by the supervisor module. For example, if a destination address is not present in the Forwarding Information Base (FIB) and results in a miss, then the supervisor module sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options set.
- Redirected packets
- Packets that are redirected to the supervisor module. Features like Dynamic Host Configuration Protocol (DHCP) snooping or dynamic Address Resolution Protocol (ARP) inspection redirect some packets to the supervisor module.
- Glean packets
- If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet and sends an ARP request to the host.
All of these different packets could be maliciously used to attack the control plane and overwhelm the Cisco NX-OS device. CoPP classifies these packets to different classes and provides a mechanism to individually control the rate at which the supervisor module receives these packets.
Classification
For effective protection, the Cisco NX-OS device classifies the packets that reach the supervisor modules to allow you to apply different rate controlling policies based on the type of the packet. For example, you might want to be less strict with a protocol packet such as Hello messages but more strict with a packet that is sent to the supervisor module because the IP option is set. You configure packet classifications and rate controlling policies using class-maps and policy-maps.
The following parameters can be used to classify a packet:
Rate Controlling Mechanisms
Once the packets are classified, the Cisco NX-OS device has different mechanisms to control the rate at which packets arrive at the supervisor module.
The policing rate is specified in terms of packets per second (PPS). Each classified flow can be policed individually by specifying a policing rate limit in PPS.
CoPP Policy Templates
When you bring up your Cisco NX-OS device for the first time, the Cisco NX-OS software installs the default copp-system-policy to protect the supervisor module from DoS attacks. You can choose the CoPP policy template for your deployment scenario by specifying CoPP policy options from the initial setup utility:
- Default—Layer 2 and Layer 3 policy, which provides a good balance of policing between switched and routed traffic bound to the CPU.
- Layer 2—Layer 2 policy, which gives more preference to the Layer 2 traffic (for example, BPDU) bound to the CPU.
- Layer 3—Layer 3 policy, which gives more preference to the Layer 3 traffic (for example, BGP, RIP, and OSPF) bound to the CPU.
If you do not select an option or choose not to execute the setup utility, the Cisco NX-OS software applies the Default policing. Cisco recommends starting with the default policy and later modifying the CoPP policies as required.
The default copp-system-policy policy has optimized values suitable for basic device operations. You must add specific class and access-control list (ACL) rules that meet your DoS protection requirements.
You can switch across default, Layer 2 and Layer 3 templates by entering the setup utility again using the setup command.
If you are upgrading from an NX-OS release which does not support the CoPP feature, the setup utility must be explicitly run to enable CoPP on the device after the upgrade. Not configuring CoPP protection can leave your NX-OS device vulnerable to DoS attacks.
Default CoPP Policy
This policy is applied to the switch by default. It has the classes with policer rates that should suit most network installations. You cannot modify this policy or the class maps associated with it. In addition, you cannot modify the class map configurations in this policy.
This policy has the following configuration:
policy-map type control-plane copp-system-policy-default
  class copp-s-default
    police pps 400
  class copp-s-l2switched
    police pps 200
  class copp-s-ping
    police pps 100
  class copp-telnet
    police pps 500
  class copp-ssh
    police pps 500
  class copp-snmp
    police pps 500
  class copp-ntp
    police pps 100
  class copp-s-l3destmiss
    police pps 100
  class copp-s-glean
    police pps 500
  class copp-s-selfIp
    police pps 500
  class copp-s-mtufail
    police pps 100
  class copp-s-ttl1
    police pps 100
  class copp-s-ipmcmiss
    police pps 400
  class copp-s-l3slowpath
    police pps 100
  class copp-s-dhcpreq
    police pps 300
  class copp-s-dhcpresp
    police pps 300
  class copp-s-dai
    police pps 300
  class copp-s-igmp
    police pps 400
  class copp-s-routingproto2
    police pps 1000
  class copp-s-eigrp
    police pps 200
  class copp-s-pimreg
    police pps 200
  class copp-s-pimautorp
    police pps 200
  class copp-s-routingproto1
    police pps 1000
  class copp-s-arp
    police pps 200
  class copp-s-icmp
    police pps 200
  class copp-s-bpdu
    police pps 12000
  class copp-s-tacacsradius
    police pps 400
  class copp-s-stftp
    police pps 400
Layer 2 CoPP Policy
This policy has the following configuration:
policy-map type control-plane copp-system-policy
  class copp-s-default
    police pps 400
  class copp-s-l2switched
    police pps 200
  class copp-s-ping
    police pps 100
  class copp-telnet
    police pps 500
  class copp-ssh
    police pps 500
  class copp-snmp
    police pps 500
  class copp-ntp
    police pps 100
  class copp-s-l3destmiss
    police pps 100
  class copp-s-glean
    police pps 500
  class copp-s-selfIp
    police pps 500
  class copp-s-l3mtufail
    police pps 100
  class copp-s-ttl1
    police pps 100
  class copp-s-ipmcmiss
    police pps 400
  class copp-s-l3slowpath
    police pps 100
  class copp-s-dhcpreq
    police pps 300
  class copp-s-dhcpresp
    police pps 300
  class copp-s-dai
    police pps 300
  class copp-s-igmp
    police pps 400
  class copp-s-routingproto2
    police pps 900
  class copp-s-eigrp
    police pps 200
  class copp-s-pimreg
    police pps 200
  class copp-s-pimautorp
    police pps 200
  class copp-s-routingproto1
    police pps 900
  class copp-s-arp
    police pps 200
  class copp-s-icmp
    police pps 200
  class copp-s-bpdu
    police pps 12200
  class copp-s-tacacsradius
    police pps 400
  class copp-s-stftp
    police pps 400
Layer 3 CoPP Policy
This policy has the following configuration:
policy-map type control-plane copp-system-policy
  class copp-s-default
    police pps 400
  class copp-s-l2switched
    police pps 200
  class copp-s-ping
    police pps 100
  class copp-telnet
    police pps 500
  class copp-ssh
    police pps 500
  class copp-snmp
    police pps 500
  class copp-ntp
    police pps 100
  class copp-s-l3destmiss
    police pps 100
  class copp-s-glean
    police pps 500
  class copp-s-selfIp
    police pps 500
  class copp-s-l3mtufail
    police pps 100
  class copp-s-ttl1
    police pps 100
  class copp-s-ipmcmiss
    police pps 400
  class copp-s-l3slowpath
    police pps 100
  class copp-s-dhcpreq
    police pps 300
  class copp-s-dhcpresp
    police pps 300
  class copp-s-dai
    police pps 300
  class copp-s-igmp
    police pps 400
  class copp-s-routingProto2
    police pps 4000
  class copp-s-eigrp
    police pps 200
  class copp-s-pimreg
    police pps 200
  class copp-s-pimautorp
    police pps 200
  class copp-s-routingProto1
    police pps 4000
  class copp-s-arp
    police pps 200
  class copp-icmp
    police pps 200
  class copp-s-bpdu
    police pps 6000
  class copp-tacacsradius
    police pps 400
  class copp-stftp
    police pps 400
CoPP Class Maps
- Static—These classes are part of every policy template and cannot be removed from the policy or CoPP configuration. Static classes would typically contain the traffic which is deemed critical to device operation and is required in the policy.
- Dynamic—These classes can be created, added to, or removed from a policy. Using dynamic classes, you can create classes and policing for CPU-bound traffic specific to your requirements.
Note: Classes with names copp-s-x are static classes. ACLs can be associated with both static and dynamic classes.
CoPP Configuration Information
Only a single ACL (with multiple ACEs within it) can be associated with a given class. Multiple ACLs per class are not supported.
The creation of new policy-maps is not supported. An existing policy can be tuned for new classes as well as for policing rate of existing classes.
The maximum number of TCAM entries for CoPP ACLs is capped to 64.
ACLs can be associated with both static and dynamic classes.
Packets Per Second Credit Limit
The aggregate packets per second (PPS) for a given policy (the sum of the PPS of each class that is part of the policy) is capped by an upper PPS Credit Limit (PCL). If an increase in the PPS of a given class causes the PCL to be exceeded, the configuration is rejected. To reach the desired PPS for that class, the PPS in excess of the PCL must be taken away from one or more other classes.
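The constraints this chapter places on a CoPP policy (one ACL per class, a 0 PPS default for a class with no policer, the 0 - 20,000 police pps range, and the aggregate PCL) can be checked offline before a change is entered on the device. The following Python script is an added example, not Cisco code: the candidate configuration is constructed for illustration, and `pcl` is a caller-supplied assumption because this page does not state the limit's value.

```python
import re

PPS_MIN, PPS_MAX = 0, 20000  # "police pps" range stated in this chapter

# Layer 3 template, class names and rates copied from this chapter's listing.
L3_TEMPLATE = """
policy-map type control-plane copp-system-policy
 class copp-s-default police pps 400   class copp-s-l2switched police pps 200
 class copp-s-ping police pps 100      class copp-telnet police pps 500
 class copp-ssh police pps 500         class copp-snmp police pps 500
 class copp-ntp police pps 100         class copp-s-l3destmiss police pps 100
 class copp-s-glean police pps 500     class copp-s-selfIp police pps 500
 class copp-s-l3mtufail police pps 100 class copp-s-ttl1 police pps 100
 class copp-s-ipmcmiss police pps 400  class copp-s-l3slowpath police pps 100
 class copp-s-dhcpreq police pps 300   class copp-s-dhcpresp police pps 300
 class copp-s-dai police pps 300       class copp-s-igmp police pps 400
 class copp-s-routingProto2 police pps 4000 class copp-s-eigrp police pps 200
 class copp-s-pimreg police pps 200    class copp-s-pimautorp police pps 200
 class copp-s-routingProto1 police pps 4000 class copp-s-arp police pps 200
 class copp-icmp police pps 200        class copp-s-bpdu police pps 6000
 class copp-tacacsradius police pps 400 class copp-stftp police pps 400
"""

# Constructed candidate change (hypothetical names) that breaks several rules.
CANDIDATE = """
class-map type control-plane match-any copp-sample-class
  match access-group name copp-sample-acl
  match access-group name copp-sample-acl2
policy-map type control-plane copp-system-policy
  class copp-sample-class
    police pps 100
  class copp-s-bpdu
    police pps 25000
  class copp-lab-unpoliced
"""

# The lookbehind stops "class" at the end of a name such as copp-sample-class
# from being read as a policy "class" statement.
CLASS_RE = re.compile(
    r"(?<![\w-])class\s+(\S+)(?:\s+insert-before\s+\S+)?"
    r"(?:\s+police\s+(?:pps\s+)?(\d+))?", re.IGNORECASE)
CLASSMAP_RE = re.compile(
    r"class-map\s+type\s+control-plane\s+(?:match-any\s+)?(\S+)"
    r"((?:\s+match\s+access-group\s+name\s+\S+)*)", re.IGNORECASE)

def parse_policy(text):
    """Map each class in the policy-map to its PPS, or None if unpoliced."""
    return {m.group(1): int(m.group(2)) if m.group(2) else None
            for m in CLASS_RE.finditer(text)}

def parse_class_acls(text):
    """Map each class map to the list of ACL names bound to it."""
    return {m.group(1): re.findall(r"access-group\s+name\s+(\S+)", m.group(2))
            for m in CLASSMAP_RE.finditer(text)}

def aggregate_pps(classes):
    """Sum of per-class PPS; an unpoliced class contributes 0."""
    return sum(pps or 0 for pps in classes.values())

def offset_needed(classes, name, new_pps, pcl):
    """PPS that must be taken from other classes before `name` can be raised."""
    after = aggregate_pps(classes) - (classes.get(name) or 0) + new_pps
    return max(0, after - pcl)

def lint(text, pcl):
    """Return (subject, finding) pairs for rule violations in a CoPP config."""
    classes, findings = parse_policy(text), []
    for name, pps in classes.items():
        if pps is None:
            findings.append((name, "no policer: class defaults to 0 PPS"))
        elif not PPS_MIN <= pps <= PPS_MAX:
            findings.append((name, f"pps {pps} outside {PPS_MIN}-{PPS_MAX}"))
    for name, acls in parse_class_acls(text).items():
        if len(acls) > 1:
            findings.append((name, f"{len(acls)} ACLs bound; one is supported"))
    total = aggregate_pps(classes)
    if total > pcl:
        findings.append(("(policy)", f"aggregate {total} exceeds PCL by {total - pcl}"))
    return findings

if __name__ == "__main__":
    l3 = parse_policy(L3_TEMPLATE)
    assumed_pcl = aggregate_pps(l3)  # stand-in only; the real PCL is platform data
    print("template aggregate:", assumed_pcl)
    print("offset to raise copp-ssh to 800:", offset_needed(l3, "copp-ssh", 800, assumed_pcl))
    for subject, finding in lint(CANDIDATE, assumed_pcl):
        print(f"{subject}: {finding}")
```

Run against the other two templates on this page, `aggregate_pps` returns the same total as for the Layer 3 listing, which shows the templates moving PPS between classes rather than raising the overall budget.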
CoPP and the Management Interface
The Cisco NX-OS device supports only hardware-based CoPP which does not support the management interface (mgmt0). The out-of-band mgmt0 interface connects directly to the CPU and does not pass through the in-band traffic hardware where CoPP is implemented.
On the mgmt0 interface, ACLs can be configured to give or deny access to a particular type of traffic.
Licensing Requirements for CoPP
The following table shows the licensing requirements for this feature:
Guidelines and Limitations for CoPP
CoPP has the following configuration guidelines and limitations:
- Cisco recommends that you choose the default, L2, or L3 policy, depending upon your deployment scenario and later modify the CoPP policies based on observed behavior.
- Customizing CoPP is an ongoing process. CoPP must be configured according to the protocols and features used in your specific environment as well as the supervisor features that are required by the server environment. As these protocols and features change, CoPP must be modified.
- Cisco recommends that you continuously monitor CoPP. If drops occur, determine if CoPP dropped traffic unintentionally or in response to a malfunction or attack. In either event, analyze the situation and evaluate the need to use a different CoPP policy or modify the customized CoPP policy.
- The Cisco NX-OS software does not support egress CoPP or silent mode. CoPP is supported only on ingress (service-policy output copp cannot be applied to the control plane interface).
- The creation of new CoPP policies is not supported.
Configuring CoPP
Configuring a Control Plane Class Map
You must configure control plane class maps for control plane policies.
You can classify traffic by matching packets based on existing ACLs. The permit and deny ACL keywords are ignored in the matching.
You can configure policies for IPv4 or IPv6 packets.
Ensure that you have configured the IP ACLs if you want to use ACE hit counters in the class maps.
1. configure terminal
2. class-map type control-plane match-any class-map-name
3. (Optional) match access-group name access-list-name
4. exit
5. (Optional) show class-map type control-plane [class-map-name]
6. (Optional) copy running-config startup-config
DETAILED STEPS
Configuring a Control Plane Policy Map
You must configure a policy map for CoPP, which includes policing parameters. If you do not configure a policer for a class, then the default PPS for that class is 0.
You can configure policies for IPv4 packets.
Ensure that you have configured a control plane class map.
1. configure terminal
2. policy-map type control-plane policy-map-name
3. class {class-map-name [insert-before class-map-name2] | class}
4. police [pps] {pps-value}
5. exit
6. exit
7. (Optional) show policy-map type control-plane [expand] [name class-map-name]
8. (Optional) copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | configure terminal<br>Example:<br>switch# configure terminal<br>switch(config)# | Enters global configuration mode. |
Step 2 | policy-map type control-plane policy-map-name<br>Example:<br>switch(config)# policy-map type control-plane ClassMapA<br>switch(config-pmap)# | Specifies a control plane policy map and enters policy map configuration mode. The policy map name can have a maximum of 64 characters and is case sensitive. |
Step 3 | class {class-map-name [insert-before class-map-name2] \| class}<br>Example:<br>switch(config-pmap)# class ClassMapA<br>switch(config-pmap-c)# | Specifies a control plane class map name or the class default and enters control plane class configuration mode. The class-default class map is always at the end of the class map list for a policy map. |
Step 4 | police [pps] {pps-value}<br>Example:<br>switch(config-pmap-c)# police pps 100 | Specifies the rate limit in terms of packets per second (PPS). The PPS range is 0 - 20,000. The default PPS is 0. |
Step 5 | exit<br>Example:<br>switch(config-pmap-c)# exit<br>switch(config-pmap)# | Exits policy map class configuration mode. |
Step 6 | exit<br>Example:<br>switch(config-pmap)# exit<br>switch(config)# | Exits policy map configuration mode. |
Step 7 | show policy-map type control-plane [expand] [name class-map-name]<br>Example:<br>switch(config)# show policy-map type control-plane | (Optional) Displays the control plane policy map configuration. |
Step 8 | copy running-config startup-config<br>Example:<br>switch(config)# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration. |
Configuring the Control Plane Service Policy
Ensure that you have configured a control plane policy map.
1. configure terminal
2. control-plane
3. [no] service-policy input policy-map-name
4. exit
5. (Optional) show running-config copp [all]
6. (Optional) copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | configure terminal<br>Example:<br>switch# configure terminal<br>switch(config)# | Enters global configuration mode. |
Step 2 | control-plane<br>Example:<br>switch(config)# control-plane<br>switch(config-cp)# | Enters control plane configuration mode. |
Step 3 | [no] service-policy input policy-map-name<br>Example:<br>switch(config-cp)# service-policy input PolicyMapA | Specifies a policy map for the input traffic. Repeat this step if you have more than one policy map. Use the no service-policy input policy-map-name command to remove the policy from the control plane. |
Step 4 | exit<br>Example:<br>switch(config-cp)# exit<br>switch(config)# | Exits control plane configuration mode. |
Step 5 | show running-config copp [all]<br>Example:<br>switch(config)# show running-config copp | (Optional) Displays the CoPP configuration. |
Step 6 | copy running-config startup-config<br>Example:<br>switch(config)# copy running-config startup-config<br>switch(config)# | (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration. |
CoPP Show Commands
To display CoPP configuration information, enter one of the following show commands:
Command | Purpose |
---|---|
show ip access-lists [acl-name] | Displays all IPv4 ACLs configured in the system, including the CoPP ACLs. |
show class-map type control-plane [class-map-name] | Displays the control plane class map configuration, including the ACLs that are bound to this class map. |
show policy-map type control-plane [expand] [name policy-map-name] | Displays the control plane policy map with associated class maps and PPS values. |
show running-config copp [all] | Displays the CoPP configuration in the running configuration. |
show running-config aclmgr [all] | Displays the user-configured access control lists (ACLs) in the running configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the running configuration. |
show startup-config copp [all] | Displays the CoPP configuration in the startup configuration. |
show startup-config aclmgr [all] | Displays the user-configured access control lists (ACLs) in the startup configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration. |
Displaying the CoPP Configuration Status
1. show copp status
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | show copp status<br>Example:<br>switch# show copp status | Displays the configuration status for the CoPP feature. |
Monitoring CoPP
1. show policy-map interface control-plane
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | show policy-map interface control-plane<br>Example:<br>switch# show policy-map interface control-plane | Displays packet-level statistics for all classes that are part of the applied CoPP policy. Statistics are specified in terms of OutPackets (packets admitted to the control plane) and DropPackets (packets dropped because of rate limiting). |
Clearing the CoPP Statistics
1. (Optional) show policy-map interface control-plane
2. clear copp statistics
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | show policy-map interface control-plane<br>Example:<br>switch# show policy-map interface control-plane | (Optional) Displays the currently applied CoPP policy and per-class statistics. |
Step 2 | clear copp statistics<br>Example:<br>switch# clear copp statistics | Clears the CoPP statistics. |
CoPP Configuration Examples
Creating an IP ACL Based on a New Dynamic Class
ip access-list copp-sample-acl
  permit udp any any eq 3333
  permit udp any any eq 4444
Creating a CoPP Class and Associating an ACL
class-map type control-plane copp-sample-class
  match access-group name copp-sample-acl
Adding a Class to the CoPP Policy
policy-map type control-plane copp-system-policy
  class copp-sample-class
    police pps 100
Modifying the PPS for an Existing Class (copp-s-bpdu)
policy-map type control-plane copp-system-policy
  class copp-s-bpdu
    police pps <new_pps_value>
Creating an ARP ACL-Based Dynamic Class
ARP ACLs use ARP TCAM. The default size of this TCAM is 0. Before ARP ACLs can be used with CoPP, this TCAM must be carved to a nonzero size.
hardware profile tcam region arpacl 128
copy running-config startup-config
reload
Creating an ARP ACL
arp access-list copp-arp-acl
  permit ip 20.1.1.1 255.255.255.0 mac any
Removing a Class from a Policy
policy-map type control-plane copp-system-policy
  no class copp-abc
Removing a Class from the System
no class-map type control-plane copp-abc
Using the insert-before Option When a Packet Matches Multiple Classes and Priority Must Be Assigned to One of Them
policy-map type control-plane copp-system-policy
  class copp-ping insert-before copp-icmp
Sample CoPP Configuration
The following example shows a sample CoPP configuration with ACLs, classes, policies, and individual class policing:
IP access list copp-system-acl-eigrp
        10 permit eigrp any 224.0.0.10/32
IP access list copp-system-acl-icmp
        10 permit icmp any any
IP access list copp-system-acl-ntp
        10 permit udp any any eq ntp
        20 permit udp any eq ntp any
IP access list copp-system-acl-pimreg
        10 permit pim any any
IP access list copp-system-acl-ping
        10 permit icmp any any echo
        20 permit icmp any any echo-reply
IP access list copp-system-acl-routingproto1
        10 permit tcp any gt 1024 any eq bgp
        20 permit tcp any eq bgp any gt 1024
        30 permit udp any 224.0.0.0/24 eq rip
        40 permit tcp any gt 1024 any eq 639
        50 permit tcp any eq 639 any gt 1024
        70 permit ospf any any
        80 permit ospf any 224.0.0.5/32
        90 permit ospf any 224.0.0.6/32
IP access list copp-system-acl-routingproto2
        10 permit udp any 224.0.0.0/24 eq 1985
        20 permit 112 any 224.0.0.0/24
IP access list copp-system-acl-snmp
        10 permit udp any any eq snmp
        20 permit udp any any eq snmptrap
IP access list copp-system-acl-ssh
        10 permit tcp any any eq 22
        20 permit tcp any eq 22 any
IP access list copp-system-acl-stftp
        10 permit udp any any eq tftp
        20 permit udp any any eq 1758
        30 permit udp any eq tftp any
        40 permit udp any eq 1758 any
        50 permit tcp any any eq 115
        60 permit tcp any eq 115 any
IP access list copp-system-acl-tacacsradius
        10 permit tcp any any eq tacacs
        20 permit tcp any eq tacacs any
        30 permit udp any any eq 1812
        40 permit udp any any eq 1813
        50 permit udp any any eq 1645
        60 permit udp any any eq 1646
        70 permit udp any eq 1812 any
        80 permit udp any eq 1813 any
        90 permit udp any eq 1645 any
        100 permit udp any eq 1646 any
IP access list copp-system-acl-telnet
        10 permit tcp any any eq telnet
        20 permit tcp any any eq 107
        30 permit tcp any eq telnet any
        40 permit tcp any eq 107 any
IP access list copp-system-dhcp-relay
        10 permit udp any eq bootps any eq bootps

class-map type control-plane match-any copp-icmp
  match access-group name copp-system-acl-icmp
class-map type control-plane match-any copp-ntp
  match access-group name copp-system-acl-ntp
class-map type control-plane match-any copp-s-arp
class-map type control-plane match-any copp-s-bpdu
class-map type control-plane match-any copp-s-dai
class-map type control-plane match-any copp-s-default
class-map type control-plane match-any copp-s-dhcpreq
class-map type control-plane match-any copp-s-dhcpresp
  match access-group name copp-system-dhcp-relay
class-map type control-plane match-any copp-s-eigrp
  match access-group name copp-system-acl-eigrp
class-map type control-plane match-any copp-s-glean
class-map type control-plane match-any copp-s-igmp
class-map type control-plane match-any copp-s-ipmcmiss
class-map type control-plane match-any copp-s-l2switched
class-map type control-plane match-any copp-s-l3destmiss
class-map type control-plane match-any copp-s-l3mtufail
class-map type control-plane match-any copp-s-l3slowpath
class-map type control-plane match-any copp-s-pimautorp
class-map type control-plane match-any copp-s-pimreg
  match access-group name copp-system-acl-pimreg
class-map type control-plane match-any copp-s-ping
  match access-group name copp-system-acl-ping
class-map type control-plane match-any copp-s-routingProto1
  match access-group name copp-system-acl-routingproto1
class-map type control-plane match-any copp-s-routingProto2
  match access-group name copp-system-acl-routingproto2
class-map type control-plane match-any copp-s-selfIp
class-map type control-plane match-any copp-s-ttl1
class-map type control-plane match-any copp-snmp
  match access-group name copp-system-acl-snmp
class-map type control-plane match-any copp-ssh
  match access-group name copp-system-acl-ssh
class-map type control-plane match-any copp-stftp
  match access-group name copp-system-acl-stftp
class-map type control-plane match-any copp-tacacsradius
  match access-group name copp-system-acl-tacacsradius
class-map type control-plane match-any copp-telnet
  match access-group name copp-system-acl-telnet

policy-map type control-plane copp-system-policy
  class copp-s-default
    police pps 400
  class copp-s-l2switched
    police pps 200
  class copp-s-ping
    police pps 100
  class copp-telnet
    police pps 500
  class copp-ssh
    police pps 500
  class copp-snmp
    police pps 500
  class copp-ntp
    police pps 100
  class copp-s-l3destmiss
    police pps 100
  class copp-s-glean
    police pps 500
  class copp-s-selfIp
    police pps 500
  class copp-s-l3mtufail
    police pps 100
  class copp-s-ttl1
    police pps 100
  class copp-s-ipmcmiss
    police pps 400
  class copp-s-l3slowpath
    police pps 100
  class copp-s-dhcpreq
    police pps 300
  class copp-s-dhcpresp
    police pps 300
  class copp-s-dai
    police pps 300
  class copp-s-igmp
    police pps 400
  class copp-s-routingProto2
    police pps 1000
  class copp-s-eigrp
    police pps 200
  class copp-s-pimreg
    police pps 200
  class copp-s-pimautorp
    police pps 200
  class copp-s-routingProto1
    police pps 1000
  class copp-s-arp
    police pps 200
  class copp-icmp
    police pps 200
  class copp-s-bpdu
    police pps 12000
  class copp-tacacsradius
    police pps 400
  class copp-stftp
    police pps 400
Example: Changing or Reapplying the Default CoPP Policy Using the Setup Utility
The following example shows how to change or reapply the default CoPP policy using the setup utility:
switch# setup

         ---- Basic System Configuration Dialog ----

This setup utility will guide you through the basic configuration of
the system. Setup configures only enough connectivity for management
of the system.

*Note: setup is mainly used for configuring the system initially,
when no configuration is present. So setup always assumes system
defaults and not the current system configuration values.

Press Enter at anytime to skip a dialog. Use ctrl-c at anytime
to skip the remaining dialogs.

Would you like to enter the basic configuration dialog (yes/no): yes

  Create another login account (yes/no) [n]: n
  Configure read-only SNMP community string (yes/no) [n]: n
  Configure read-write SNMP community string (yes/no) [n]: n
  Enter the switch name : switch
  Continue with Out-of-band (mgmt0) management configuration? (yes/no) [y]: n
  Configure the default gateway for mgmt? (yes/no) [y]: n
  Enable the telnet service? (yes/no) [n]: y
  Enable the ssh service? (yes/no) [y]: n
  Configure the ntp server? (yes/no) [n]: n
  Configure CoPP System Policy Profile ( default / l2 / l3 ) [default]: l2

The following configuration will be applied:
  switchname switch
  telnet server enable
  no ssh server enable
  policy-map type control-plane copp-system-policy ( l2 )

Would you like to edit the configuration? (yes/no) [n]: n
Use this configuration and save it? (yes/no) [y]: y
[########################################] 100%
Additional References for CoPP
This section provides additional information related to implementing CoPP.
Related Documents
Related Topic | Document Title |
---|---|
Licensing | |
Command reference | Cisco Nexus 3000 Series Command Reference |
Feature History for CoPP
Feature Name | Feature Information |
---|---|
CoPP | Introduced in 5.0(3)U2(2) |