Control Plane Policing (CoPP) protects the control plane and separates it from the data plane, which ensures network stability, reachability, and packet delivery.
This feature allows a policy map to be applied to the control plane. This policy map looks like a normal QoS policy and is applied to all traffic entering the switch from a non-management port. A common attack vector for network devices is the denial-of-service (DoS) attack, where excessive traffic is directed at the device interfaces.
The Cisco NX-OS device provides CoPP to prevent DoS attacks from impacting performance. Such attacks, which can be perpetrated either inadvertently or maliciously, typically involve high rates of traffic destined to the supervisor module or CPU itself.
The supervisor module divides the traffic that it manages into three functional components or planes:
- Data plane
- Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called the transit packets. These packets are handled by the data plane.
- Control plane
- Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol (BGP) and the Open Shortest Path First (OSPF) Protocol, send control packets between devices. These packets are destined to router addresses and are called control plane packets.
- Management plane
- Runs the components meant for Cisco NX-OS device management purposes such as the command-line interface (CLI) and Simple Network Management Protocol (SNMP).
The supervisor module has both the management plane and control plane and is critical to the operation of the network. Any disruption or attacks to the supervisor module will result in serious network outages. For example, excessive traffic to the supervisor module could overload and slow down the performance of the entire Cisco NX-OS device. For example, a DoS attack on the supervisor module could generate IP traffic streams to the control plane at a very high rate, forcing the control plane to spend a large amount of time in handling these packets and preventing the control plane from processing genuine traffic.
Examples of DoS attacks include:
Internet Control Message Protocol (ICMP) echo requests
TCP SYN flooding
These attacks can impact the device performance and have the following negative effects:
Reduced service quality (such as poor voice, video, or critical applications traffic)
High route processor or switch processor CPU utilization
Route flaps due to loss of routing protocol updates or keepalives
Unstable Layer 2 topology
Slow or unresponsive interactive sessions with the CLI
Processor resource exhaustion, such as the memory and buffers
Indiscriminate drops of incoming packets
It is important to ensure that you protect the supervisor module from accidental or malicious attacks by configuring control plane protection.