About CoPP
Control Plane Policing (CoPP) protects the control plane and separates it from the data plane, which ensures network stability, reachability, and packet delivery.
This feature allows a policy map to be applied to the control plane. This policy map looks like a normal QoS policy and is applied to all traffic entering the switch from a non-management port. A common attack vector for network devices is the denial-of-service (DoS) attack, where excessive traffic is directed at the device interfaces.
The Cisco NX-OS device provides CoPP to prevent DoS attacks from impacting performance. Such attacks, which can be perpetrated either inadvertently or maliciously, typically involve high rates of traffic destined to the supervisor module or CPU itself.
The supervisor module divides the traffic that it manages into three functional components or planes:
- Data plane
- Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called the transit packets. These packets are handled by the data plane.
- Control plane
- Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol (BGP) and the Open Shortest Path First (OSPF) Protocol, send control packets between devices. These packets are destined to router addresses and are called control plane packets.
- Management plane
- Runs the components meant for Cisco NX-OS device management purposes such as the command-line interface (CLI) and Simple Network Management Protocol (SNMP).
The supervisor module hosts both the management plane and the control plane and is critical to the operation of the network. Any disruption of or attack on the supervisor module results in serious network outages. For example, excessive traffic to the supervisor module could overload it and slow the performance of the entire Cisco NX-OS device: a DoS attack on the supervisor module could generate IP traffic streams to the control plane at a very high rate, forcing the control plane to spend most of its time handling these packets and preventing it from processing genuine traffic.
Examples of DoS attacks include:
- Internet Control Message Protocol (ICMP) echo requests
- IP fragments
- TCP SYN flooding
These attacks can impact the device performance and have the following negative effects:
- Reduced service quality (such as poor voice, video, or critical applications traffic)
- High route processor or switch processor CPU utilization
- Route flaps due to loss of routing protocol updates or keepalives
- Unstable Layer 2 topology
- Slow or unresponsive interactive sessions with the CLI
- Processor resource exhaustion, such as the memory and buffers
- Indiscriminate drops of incoming packets
Caution: It is important to ensure that you protect the supervisor module from accidental or malicious attacks by configuring control plane protection.
Control Plane Protection
To protect the control plane, the Cisco NX-OS device segregates different packets destined for the control plane into different classes. Once these classes are identified, the Cisco NX-OS device polices the packets, which ensures that the supervisor module is not overwhelmed.
Control Plane Packet Types
Different types of packets can reach the control plane:
- Receive packets
- Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and keepalive messages. Multicast packets can also be in this category where packets are sent to multicast addresses that are used by a router.
- Exception packets
- Packets that need special handling by the supervisor module. For example, if a destination address is not present in the Forwarding Information Base (FIB) and results in a miss, the supervisor module sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options set.
The following exceptions are possible from line cards only:
- match exception ip option
- match exception ipv6 option
- match exception ttl-failure
The following exceptions are possible from fabric modules only:
- match exception ipv6 icmp unreachable
- match exception ip icmp unreachable
The following exceptions are possible from line cards and fabric modules:
- match exception mtu-failure
- Redirected packets
- Packets that are redirected to the supervisor module.
- Glean packets
- If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet and sends an ARP request to the host.
All of these different packets could be maliciously used to attack the control plane and overwhelm the Cisco NX-OS device. CoPP classifies these packets to different classes and provides a mechanism to individually control the rate at which the supervisor module receives these packets.
Classification for CoPP
For effective protection, the Cisco NX-OS device classifies the packets that reach the supervisor modules to allow you to apply different rate controlling policies based on the type of the packet. For example, you might want to be less strict with a protocol packet such as Hello messages but more strict with a packet that is sent to the supervisor module because the IP option is set. You configure packet classifications and rate controlling policies using class maps and policy maps.
Rate Controlling Mechanisms
Once the packets are classified, the Cisco NX-OS device controls the rate at which they arrive at the supervisor module using two mechanisms: policing and rate limiting.
Using hardware policers, you can define separate actions for traffic that conforms to or violates certain conditions. The actions can transmit the packet, mark down the packet, or drop the packet.
You can configure the following parameters for policing:
- Committed information rate (CIR)
- Desired bandwidth, specified as a bit rate or a percentage of the link rate.
- Committed burst (BC)
- Size of a traffic burst that can exceed the CIR within a given unit of time without impacting scheduling.
In addition, you can set separate actions such as transmit or drop for conform and violate traffic.
For more information on policing parameters, see the Cisco Nexus 9000 Series NX-OS Quality of Service Configuration Guide.
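The policers on this page are single-rate, two-color: one CIR in packets per second, one burst size BC in packets, and only two outcomes (conform transmit, violate drop). The following token-bucket model is an added illustration of how those two parameters interact and is not NX-OS code; the bucket semantics (starts full, refills at CIR, capped at BC) and the traffic traces are assumptions. The CIR and BC values used are the copp-system-p-class-exception values from the strict (cir 50 pps, bc 32) and moderate (cir 50 pps, bc 48) profiles shown later on this page.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class SingleRateTwoColorPolicer:
    """Token bucket model (assumption, not the NX-OS hardware policer):
    refills at cir_pps tokens per second, holds at most bc_packets tokens.
    A packet that finds a whole token is 'conform' (transmit); one that does
    not is 'violate' (drop). Timestamps are integer microseconds and tokens
    are exact fractions so the results are deterministic."""
    cir_pps: int
    bc_packets: int
    tokens: Fraction = field(init=False)
    last_us: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = Fraction(self.bc_packets)  # bucket starts full

    def offer(self, now_us: int) -> str:
        # credit the tokens earned since the previous packet, capped at BC
        refill = Fraction((now_us - self.last_us) * self.cir_pps, 1_000_000)
        self.tokens = min(Fraction(self.bc_packets), self.tokens + refill)
        self.last_us = now_us
        if self.tokens >= 1:
            self.tokens -= 1
            return "conform"
        return "violate"


def police(cir_pps, bc_packets, arrivals_us):
    """Run one arrival trace through one policer; return (conform, violate) counts."""
    policer = SingleRateTwoColorPolicer(cir_pps, bc_packets)
    verdicts = [policer.offer(t) for t in sorted(arrivals_us)]
    return verdicts.count("conform"), verdicts.count("violate")


def steady_flood(pps, seconds=1):
    """Constructed trace: evenly spaced packets at `pps` for `seconds`."""
    return [1_000_000 * i // pps for i in range(pps * seconds)]


def instant_burst(count, at_us=0):
    """Constructed trace: `count` packets arriving in the same microsecond."""
    return [at_us] * count


if __name__ == "__main__":
    # a 200 pps stream against the strict exception class (cir 50 pps, bc 32):
    # the bucket (32) plus one second of refill (~50) lets ~81 packets through
    print("200 pps vs strict exception class:", police(50, 32, steady_flood(200)))
    # the moderate profile's larger burst (bc 48) passes ~16 more packets of the
    # same flood; the sustained rate is unchanged
    print("200 pps vs moderate exception class:", police(50, 48, steady_flood(200)))
    # a 100-packet instantaneous burst, then a compliant 40 pps stream:
    # only the first 32 burst packets conform, the 40 pps tail is untouched
    trace = instant_burst(100) + [25_000 * i for i in range(1, 41)]
    print("burst then 40 pps:", police(50, 32, trace))
```

The two floods show what the profile names mean in practice: moderate and lenient raise BC, so they forgive larger bursts of the same class, but a sustained rate above CIR is cut back to roughly CIR either way. The burst-then-steady trace shows the other side: a short flood empties the bucket, but a sender that stays below CIR is not penalised afterwards because refill outpaces its arrivals.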
Default Policing Policies
When you bring up your Cisco NX-OS device for the first time, the Cisco NX-OS software installs the default copp-system-p-policy-strict policy to protect the supervisor module from DoS attacks. You can set the level of protection by choosing one of the following CoPP policy options from the initial setup utility:
- Strict—This policy is 1 rate and 2 color.
- Moderate—This policy is 1 rate and 2 color. The important class burst size is greater than the strict policy but less than the lenient policy.
- Lenient—This policy is 1 rate and 2 color. The important class burst size is greater than the moderate policy but less than the dense policy.
- Dense—This policy is 1 rate and 2 color. The policer CIR values are less than the strict policy.
- Skip—No control plane policy is applied. (Cisco does not recommend using the Skip option because it will impact the control plane of the network.)
If you do not select an option or choose not to execute the setup utility, the software applies strict policing. We recommend that you start with the strict policy and later modify the CoPP policies as required.
Note: Strict policing is not applied by default when using POAP, so you must configure a CoPP policy.
The copp-system-p-policy policy has optimized values suitable for basic device operations. You must add specific class and access-control list (ACL) rules that meet your DoS protection requirements. The default CoPP policy does not change when you upgrade the software.
Caution: Selecting the skip option and not subsequently configuring CoPP protection can leave your Cisco NX-OS device vulnerable to DoS attacks.
You can reassign the CoPP default policy by entering the setup utility again using the setup command from the CLI prompt or by using the copp profile command.
Default Class Maps - For Cisco NX-OS Release 6.1(2)I2(1)
The copp-system-class-critical class has the following configuration:
class-map type control-plane match-any copp-system-p-class-critical
match access-group name copp-system-p-acl-bgp
match access-group name copp-system-p-acl-rip
match access-group name copp-system-p-acl-vpc
match access-group name copp-system-p-acl-bgp6
match access-group name copp-system-p-acl-ospf
match access-group name copp-system-p-acl-rip6
match access-group name copp-system-p-acl-eigrp
match access-group name copp-system-p-acl-ospf6
match access-group name copp-system-p-acl-eigrp6
match access-group name copp-system-p-acl-auto-rp
match access-group name copp-system-p-acl-mac-l2pt
match access-group name copp-system-p-acl-mac-l3-isis
The copp-system-class-exception class has the following configuration:
class-map type control-plane match-any copp-system-p-class-exception
match exception ip option
match exception ip icmp unreachable
match exception ipv6 option
match exception ipv6 icmp unreachable
The copp-system-class-exception-diag class has the following configuration:
class-map type control-plane match-any copp-system-p-class-exception-diag
match exception ttl-failure
match exception mtu-failure
The copp-system-class-important class has the following configuration:
class-map type control-plane match-any copp-system-p-class-important
match access-group name copp-system-p-acl-glbp
match access-group name copp-system-p-acl-hsrp
match access-group name copp-system-p-acl-vrrp
match access-group name copp-system-p-acl-wccp
match access-group name copp-system-p-acl-hsrp6
match access-group name copp-system-p-acl-mac-lldp
match access-group name copp-system-p-acl-icmp6-msgs
match access-group name copp-system-p-acl-mac-flow-control
The copp-system-class-l2-default class has the following configuration:
class-map type control-plane match-any copp-system-p-class-l2-default
match access-group name copp-system-p-acl-mac-undesirable
The copp-system-class-l2-unpoliced class has the following configuration:
class-map type control-plane match-any copp-system-p-class-l2-unpoliced
match access-group name copp-system-p-acl-mac-stp
match access-group name copp-system-p-acl-mac-lacp
match access-group name copp-system-p-acl-mac-cfsoe
match access-group name copp-system-p-acl-mac-sdp-srp
match access-group name copp-system-p-acl-mac-l2-tunnel
match access-group name copp-system-p-acl-mac-cdp-udld-vtp
The copp-system-class-l3mc-data class has the following configuration:
class-map type control-plane match-any copp-system-p-class-l3mc-data
match exception multicast rpf-failure
match exception multicast dest-miss
The copp-system-class-l3uc-data class has the following configuration:
class-map type control-plane match-any copp-system-p-class-l3uc-data
match exception glean
The copp-system-class-management class has the following configuration:
class-map type control-plane match-any copp-system-p-class-management
match access-group name copp-system-p-acl-ftp
match access-group name copp-system-p-acl-ntp
match access-group name copp-system-p-acl-ssh
match access-group name copp-system-p-acl-ntp6
match access-group name copp-system-p-acl-sftp
match access-group name copp-system-p-acl-snmp
match access-group name copp-system-p-acl-ssh6
match access-group name copp-system-p-acl-tftp
match access-group name copp-system-p-acl-tftp6
match access-group name copp-system-p-acl-radius
match access-group name copp-system-p-acl-tacacs
match access-group name copp-system-p-acl-telnet
match access-group name copp-system-p-acl-radius6
match access-group name copp-system-p-acl-tacacs6
match access-group name copp-system-p-acl-telnet6
The copp-system-class-monitoring class has the following configuration:
class-map type control-plane match-any copp-system-p-class-monitoring
match access-group name copp-system-p-acl-icmp
match access-group name copp-system-p-acl-icmp6
match access-group name copp-system-p-acl-traceroute
The copp-system-class-multicast-router class has the following configuration:
class-map type control-plane match-any copp-system-p-class-multicast-router
match access-group name copp-system-p-acl-pim
match access-group name copp-system-p-acl-msdp
match access-group name copp-system-p-acl-pim6
match access-group name copp-system-p-acl-pim-reg
match access-group name copp-system-p-acl-pim6-reg
match access-group name copp-system-p-acl-pim-mdt-join
The copp-system-class-normal class has the following configuration:
class-map type control-plane match-any copp-system-p-class-normal
match access-group name copp-system-p-acl-mac-dot1x
match protocol arp
The copp-system-class-normal-dhcp class has the following configuration:
class-map type control-plane match-any copp-system-p-class-normal-dhcp
match access-group name copp-system-p-acl-dhcp
The copp-system-class-normal-dhcp-relay-response class has the following configuration:
class-map type control-plane match-any copp-system-p-class-normal-dhcp-relay-response
match access-group name copp-system-p-acl-dhcp-relay-response
The copp-system-class-normal-igmp class has the following configuration:
class-map type control-plane match-any copp-system-p-class-normal-igmp
match access-group name copp-system-p-acl-igmp
The copp-system-class-redirect class has the following configuration:
class-map type control-plane match-any copp-system-p-class-redirect
The copp-system-class-undesirable class has the following configuration:
class-map type control-plane match-any copp-system-p-class-undesirable
match access-group name copp-system-p-acl-undesirable
match exception multicast sg-rpf-failure
Default Class Maps - For Cisco NX-OS Release 6.1(2)I1(1)
The copp-system-class-critical class has the following configuration:
class-map type control-plane match-any copp-system-p-class-critical
match access-group name copp-system-p-acl-bgp
match access-group name copp-system-p-acl-pim
match access-group name copp-system-p-acl-rip
match access-group name copp-system-p-acl-vpc
match access-group name copp-system-p-acl-bgp6
match access-group name copp-system-p-acl-msdp
match access-group name copp-system-p-acl-ospf
match access-group name copp-system-p-acl-rip6
match access-group name copp-system-p-acl-eigrp
match access-group name copp-system-p-acl-ospf6
match access-group name copp-system-p-acl-eigrp6
match access-group name copp-system-p-acl-auto-rp
match access-group name copp-system-p-acl-mac-l2pt
match access-group name copp-system-p-acl-mac-l3-isis
The copp-system-class-exception class has the following configuration:
class-map type control-plane match-any copp-system-p-class-exception
match exception ip option
match exception ip icmp unreachable
match exception ttl-failure
match exception ipv6 option
match exception mtu-failure
The copp-system-class-important class has the following configuration:
class-map type control-plane match-any copp-system-p-class-important
match access-group name copp-system-p-acl-hsrp
match access-group name copp-system-p-acl-vrrp
match access-group name copp-system-p-acl-hsrp6
match access-group name copp-system-p-acl-pim-reg
match access-group name copp-system-p-acl-mac-lldp
match access-group name copp-system-p-acl-pim-mdt-join
match access-group name copp-system-p-acl-mac-flow-control
The copp-system-class-l2-default class has the following configuration:
class-map type control-plane match-any copp-system-p-class-l2-default
match access-group name copp-system-p-acl-mac-undesirable
The copp-system-class-l2-unpoliced class has the following configuration:
class-map type control-plane match-any copp-system-p-class-l2-unpoliced
match access-group name copp-system-p-acl-mac-stp
match access-group name copp-system-p-acl-mac-lacp
match access-group name copp-system-p-acl-mac-sdp-srp
match access-group name copp-system-p-acl-mac-l2-tunnel
match access-group name copp-system-p-acl-mac-cdp-udld-vtp
The copp-system-class-l3mc-data class has the following configuration:
class-map type control-plane match-any copp-system-p-class-l3mc-data
match exception multicast rpf-failure
match exception multicast dest-miss
The copp-system-class-l3uc-data class has the following configuration:
class-map type control-plane match-any copp-system-p-class-l3uc-data
match exception glean
The copp-system-class-management class has the following configuration:
class-map type control-plane match-any copp-system-p-class-management
match access-group name copp-system-p-acl-ftp
match access-group name copp-system-p-acl-ntp
match access-group name copp-system-p-acl-ssh
match access-group name copp-system-p-acl-ntp6
match access-group name copp-system-p-acl-sftp
match access-group name copp-system-p-acl-snmp
match access-group name copp-system-p-acl-ssh6
match access-group name copp-system-p-acl-tftp
match access-group name copp-system-p-acl-tftp6
match access-group name copp-system-p-acl-radius
match access-group name copp-system-p-acl-tacacs
match access-group name copp-system-p-acl-telnet
match access-group name copp-system-p-acl-radius6
match access-group name copp-system-p-acl-tacacs6
match access-group name copp-system-p-acl-telnet6
The copp-system-class-monitoring class has the following configuration:
class-map type control-plane match-any copp-system-p-class-monitoring
match access-group name copp-system-p-acl-icmp
match access-group name copp-system-p-acl-traceroute
The copp-system-class-normal class has the following configuration:
class-map type control-plane match-any copp-system-p-class-normal
match protocol arp
The copp-system-class-normal-dhcp class has the following configuration:
class-map type control-plane match-any copp-system-p-class-normal-dhcp
match access-group name copp-system-p-acl-dhcp
The copp-system-class-normal-dhcp-relay-response class has the following configuration:
class-map type control-plane match-any copp-system-p-class-normal-dhcp-relay-response
match access-group name copp-system-p-acl-dhcp-relay-response
The copp-system-class-normal-igmp class has the following configuration:
class-map type control-plane match-any copp-system-p-class-normal-igmp
match access-group name copp-system-p-acl-igmp
The copp-system-class-redirect class has the following configuration:
class-map type control-plane match-any copp-system-p-class-redirect
The copp-system-class-undesirable class has the following configuration:
class-map type control-plane match-any copp-system-p-class-undesirable
match access-group name copp-system-p-acl-undesirable
match exception multicast sg-rpf-failure
Strict Default CoPP Policy - For Cisco NX-OS Release 6.1(2)I2(1)
policy-map type control-plane copp-system-p-policy-strict
class copp-system-p-class-critical
set cos 7
police cir 19000 pps bc 128 packets conform transmit violate drop
class copp-system-p-class-important
set cos 6
police cir 3000 pps bc 128 packets conform transmit violate drop
class copp-system-p-class-multicast-router
set cos 6
police cir 3000 pps bc 128 packets conform transmit violate drop
class copp-system-p-class-management
set cos 2
police cir 3000 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-l3mc-data
set cos 3
police cir 3000 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-l3uc-data
set cos 3
police cir 250 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-normal
set cos 1
police cir 300 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp
set cos 1
police cir 300 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp-relay-response
set cos 1
police cir 400 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-normal-igmp
set cos 1
police cir 6000 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-redirect
set cos 1
police cir 150 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-exception
set cos 1
police cir 50 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-exception-diag
set cos 1
police cir 50 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-monitoring
set cos 1
police cir 75 pps bc 128 packets conform transmit violate drop
class copp-system-p-class-l2-unpoliced
set cos 7
police cir 20000 pps bc 8192 packets conform transmit violate drop
class copp-system-p-class-undesirable
set cos 0
police cir 15 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-l2-default
set cos 0
police cir 50 pps bc 32 packets conform transmit violate drop
class class-default
set cos 0
police cir 50 pps bc 32 packets conform transmit violate drop
Strict Default CoPP Policy - For Cisco NX-OS Release 6.1(2)I1(1)
The strict CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-strict
class copp-system-p-class-critical
set cos 7
police cir 19000 pps bc 128 packets conform transmit violate drop
class copp-system-p-class-important
set cos 6
police cir 500 pps bc 128 packets conform transmit violate drop
class copp-system-p-class-management
set cos 2
police cir 3000 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-l3mc-data
set cos 2
police cir 3000 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-l3uc-data
set cos 2
police cir 250 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-normal
set cos 1
police cir 300 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp
set cos 1
police cir 300 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp-relay-response
set cos 1
police cir 400 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-normal-igmp
set cos 1
police cir 6000 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-redirect
set cos 1
police cir 150 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-exception
set cos 1
police cir 50 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-monitoring
set cos 1
police cir 75 pps bc 128 packets conform transmit violate drop
class copp-system-p-class-l2-unpoliced
set cos 7
police cir 20000 pps bc 4096 packets conform transmit violate drop
class copp-system-p-class-undesirable
set cos 0
police cir 15 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-l2-default
set cos 0
police cir 50 pps bc 32 packets conform transmit violate drop
class class-default
set cos 0
police cir 50 pps bc 32 packets conform transmit violate drop
Moderate Default CoPP Policy - For Cisco NX-OS Release 6.1(2)I2(1)
The moderate CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-moderate
class copp-system-p-class-critical
set cos 7
police cir 19000 pps bc 192 packets conform transmit violate drop
class copp-system-p-class-important
set cos 6
police cir 3000 pps bc 192 packets conform transmit violate drop
class copp-system-p-class-multicast-router
set cos 6
police cir 3000 pps bc 192 packets conform transmit violate drop
class copp-system-p-class-management
set cos 2
police cir 3000 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-l3mc-data
set cos 3
police cir 3000 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-l3uc-data
set cos 3
police cir 250 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-normal
set cos 1
police cir 300 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp
set cos 1
police cir 300 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp-relay-response
set cos 1
police cir 400 pps bc 96 packets conform transmit violate drop
class copp-system-p-class-normal-igmp
set cos 1
police cir 6000 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-redirect
set cos 1
police cir 150 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-exception
set cos 1
police cir 50 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-exception-diag
set cos 1
police cir 50 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-monitoring
set cos 1
police cir 75 pps bc 192 packets conform transmit violate drop
class copp-system-p-class-l2-unpoliced
set cos 7
police cir 20000 pps bc 8192 packets conform transmit violate drop
class copp-system-p-class-undesirable
set cos 0
police cir 15 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-l2-default
set cos 0
police cir 50 pps bc 48 packets conform transmit violate drop
class class-default
set cos 0
police cir 50 pps bc 48 packets conform transmit violate drop
Moderate Default CoPP Policy - For Cisco NX-OS Release 6.1(2)I1(1)
The moderate CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-moderate
class copp-system-p-class-critical
set cos 7
police cir 19000 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-important
set cos 6
police cir 500 pps bc 192 packets conform transmit violate drop
class copp-system-p-class-management
set cos 2
police cir 3000 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-l3mc-data
set cos 2
police cir 3000 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-l3uc-data
set cos 2
police cir 250 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-normal
set cos 1
police cir 300 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp
set cos 1
police cir 300 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp-relay-response
set cos 1
police cir 400 pps bc 96 packets conform transmit violate drop
class copp-system-p-class-normal-igmp
set cos 1
police cir 6000 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-redirect
set cos 1
police cir 150 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-exception
set cos 1
police cir 50 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-monitoring
set cos 1
police cir 75 pps bc 192 packets conform transmit violate drop
class copp-system-p-class-l2-unpoliced
set cos 7
police cir 20000 pps bc 4096 packets conform transmit violate drop
class copp-system-p-class-undesirable
set cos 0
police cir 15 pps bc 48 packets conform transmit violate drop
class copp-system-p-class-l2-default
set cos 0
police cir 50 pps bc 48 packets conform transmit violate drop
class class-default
set cos 0
police cir 50 pps bc 48 packets conform transmit violate drop
Lenient Default CoPP Policy - For Cisco NX-OS Release 6.1(2)I2(1)
The lenient CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-lenient
class copp-system-p-class-critical
set cos 7
police cir 19000 pps bc 256 packets conform transmit violate drop
class copp-system-p-class-important
set cos 6
police cir 3000 pps bc 256 packets conform transmit violate drop
class copp-system-p-class-multicast-router
set cos 6
police cir 3000 pps bc 256 packets conform transmit violate drop
class copp-system-p-class-management
set cos 2
police cir 3000 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-l3mc-data
set cos 3
police cir 3000 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-l3uc-data
set cos 3
police cir 250 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-normal
set cos 1
police cir 300 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp
set cos 1
police cir 300 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp-relay-response
set cos 1
police cir 400 pps bc 128 packets conform transmit violate drop
class copp-system-p-class-normal-igmp
set cos 1
police cir 6000 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-redirect
set cos 1
police cir 150 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-exception
set cos 1
police cir 50 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-exception-diag
set cos 1
police cir 50 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-monitoring
set cos 1
police cir 75 pps bc 256 packets conform transmit violate drop
class copp-system-p-class-l2-unpoliced
set cos 7
police cir 20000 pps bc 8192 packets conform transmit violate drop
class copp-system-p-class-undesirable
set cos 0
police cir 15 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-l2-default
set cos 0
police cir 50 pps bc 64 packets conform transmit violate drop
class class-default
set cos 0
police cir 50 pps bc 64 packets conform transmit violate drop
Lenient Default CoPP Policy - For Cisco NX-OS Release 6.1(2)I1(1)
The lenient CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-lenient
class copp-system-p-class-critical
set cos 7
police cir 19000 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-important
set cos 6
police cir 500 pps bc 256 packets conform transmit violate drop
class copp-system-p-class-management
set cos 2
police cir 3000 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-l3mc-data
set cos 2
police cir 3000 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-l3uc-data
set cos 2
police cir 250 pps bc 32 packets conform transmit violate drop
class copp-system-p-class-normal
set cos 1
police cir 300 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp
set cos 1
police cir 300 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-normal-dhcp-relay-response
set cos 1
police cir 400 pps bc 128 packets conform transmit violate drop
class copp-system-p-class-normal-igmp
set cos 1
police cir 6000 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-redirect
set cos 1
police cir 150 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-exception
set cos 1
police cir 50 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-monitoring
set cos 1
police cir 75 pps bc 256 packets conform transmit violate drop
class copp-system-p-class-l2-unpoliced
set cos 7
police cir 20000 pps bc 4096 packets conform transmit violate drop
class copp-system-p-class-undesirable
set cos 0
police cir 15 pps bc 64 packets conform transmit violate drop
class copp-system-p-class-l2-default
set cos 0
police cir 50 pps bc 64 packets conform transmit violate drop
class class-default
set cos 0
police cir 50 pps bc 64 packets conform transmit violate drop
Dense Default CoPP Policy - For Cisco NX-OS Release 6.1(2)I2(1)
policy-map type control-plane copp-system-p-policy-dense
  class copp-system-p-class-critical
    set cos 7
    police cir 2500 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-important
    set cos 6
    police cir 1200 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-multicast-router
    set cos 6
    police cir 1200 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-management
    set cos 2
    police cir 1200 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-l3mc-data
    set cos 3
    police cir 1200 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-l3uc-data
    set cos 3
    police cir 250 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-normal
    set cos 1
    police cir 150 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-normal-dhcp
    set cos 1
    police cir 150 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-normal-dhcp-relay-response
    set cos 1
    police cir 200 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-normal-igmp
    set cos 1
    police cir 2500 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-redirect
    set cos 1
    police cir 100 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-exception
    set cos 1
    police cir 50 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-exception-diag
    set cos 1
    police cir 50 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-monitoring
    set cos 1
    police cir 50 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-l2-unpoliced
    set cos 7
    police cir 20000 pps bc 8192 packets conform transmit violate drop
  class copp-system-p-class-undesirable
    set cos 0
    police cir 15 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-l2-default
    set cos 0
    police cir 25 pps bc 32 packets conform transmit violate drop
  class class-default
    set cos 0
    police cir 25 pps bc 32 packets conform transmit violate drop
Dense Default CoPP Policy - For Cisco NX-OS Release 6.1(2)I1(1)
The dense CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-dense
  class copp-system-p-class-critical
    set cos 7
    police cir 2500 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-important
    set cos 6
    police cir 300 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-management
    set cos 2
    police cir 1200 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-l3mc-data
    set cos 2
    police cir 1200 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-l3uc-data
    set cos 2
    police cir 250 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-normal
    set cos 1
    police cir 150 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-normal-dhcp
    set cos 1
    police cir 150 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-normal-dhcp-relay-response
    set cos 1
    police cir 200 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-normal-igmp
    set cos 1
    police cir 2500 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-redirect
    set cos 1
    police cir 100 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-exception
    set cos 1
    police cir 50 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-monitoring
    set cos 1
    police cir 50 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-l2-unpoliced
    set cos 7
    police cir 20000 pps bc 4096 packets conform transmit violate drop
  class copp-system-p-class-undesirable
    set cos 0
    police cir 15 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-l2-default
    set cos 0
    police cir 25 pps bc 32 packets conform transmit violate drop
  class class-default
    set cos 0
    police cir 25 pps bc 32 packets conform transmit violate drop
Packets Per Second Credit Limit
The aggregate packets per second (PPS) for a given policy (the sum of the PPS of every class in the policy) is capped by an upper PPS Credit Limit (PCL). If increasing the PPS of one class would push the aggregate above the PCL, the configuration is rejected. To raise that class to the desired PPS, first reduce the PPS of one or more other classes by at least the amount by which the aggregate would exceed the PCL.
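An added example (not Cisco's code) that models this rule: it parses policy-map text in the format printed above, sums the per-class CIRs, and accepts or rejects a proposed class change against a PCL. The PCL value and the three-class excerpt are constructed placeholders, since the real limit is not given on this page.

```python
import re

# Constructed placeholder: the real PCL is platform-specific and not stated on this page.
PCL_PLACEHOLDER = 5000

# Constructed three-class excerpt in the page's own policy-map format
# (rates taken from the 6.1(2)I1(1) dense policy above).
SAMPLE_POLICY = """\
policy-map type control-plane copp-system-p-policy-dense
  class copp-system-p-class-critical
    set cos 7
    police cir 2500 pps bc 32 packets conform transmit violate drop
  class copp-system-p-class-important
    set cos 6
    police cir 300 pps bc 128 packets conform transmit violate drop
  class copp-system-p-class-management
    set cos 2
    police cir 1200 pps bc 128 packets conform transmit violate drop
"""
CLASS_RE = re.compile(r"^\s*class\s+(\S+)\s*$")
POLICE_RE = re.compile(r"^\s*police\s+cir\s+(\d+)\s+pps\b")

def parse_policy(text):
    """Map each class of a policy-map to the CIR (pps) its police line sets."""
    rates, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = m.group(1)
        elif (m := POLICE_RE.match(line)) and current is not None:
            rates[current] = int(m.group(1))
    return rates

def aggregate_pps(rates):
    """The figure the PCL caps: the sum of every class's CIR."""
    return sum(rates.values())

def propose_change(rates, cls, new_pps, pcl=PCL_PLACEHOLDER):
    """Return (accepted, rates_after, overshoot); a rejected change leaves the
    policy untouched and overshoot is the pps other classes must give up first."""
    updated = {**rates, cls: new_pps}
    overshoot = aggregate_pps(updated) - pcl
    return (False, rates, overshoot) if overshoot > 0 else (True, updated, 0)

if __name__ == "__main__":
    rates = parse_policy(SAMPLE_POLICY)  # aggregate 4000 pps
    ok, rates, over = propose_change(rates, "copp-system-p-class-important", 1500)
    print("accepted" if ok else f"rejected: {over} pps over the PCL")
    # Free the overshoot from another class, then retry the same increase.
    _, rates, _ = propose_change(rates, "copp-system-p-class-management", 1200 - over)
    ok, rates, _ = propose_change(rates, "copp-system-p-class-important", 1500)
    print("accepted" if ok else "rejected", "aggregate", aggregate_pps(rates), "pps")
```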
Modular QoS Command-Line Interface
CoPP uses the Modular Quality of Service Command-Line Interface (MQC). MQC is a CLI structure that allows you to define a traffic class, create a traffic policy (policy map), and attach the traffic policy to an interface. The traffic policy contains the CoPP feature that will be applied to the traffic class.
SUMMARY STEPS
- Define a traffic class using the class-map command. A traffic class is used to classify traffic.
- Create a traffic policy using the policy-map command. A traffic policy (policy map) contains a traffic class and one or more CoPP features that will be applied to the traffic class. The CoPP features in the traffic policy determine how to treat the classified traffic.
- Attach the traffic policy (policy map) to the control plane using the control-plane and service-policy commands.
DETAILED STEPS
Step 1
Define a traffic class using the class-map command. A traffic class is used to classify traffic.
Step 2
Create a traffic policy using the policy-map command. A traffic policy (policy map) contains a traffic class and one or more CoPP features that will be applied to the traffic class. The CoPP features in the traffic policy determine how to treat the classified traffic.
Step 3
Attach the traffic policy (policy map) to the control plane using the control-plane and service-policy commands.
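The three steps above as one complete NX-OS configuration, added here as an example rather than taken from the Cisco document. The ACL, class-map and policy-map names and the rate and burst values are constructed for illustration, not recommended settings.

```text
! Step 1: classify. ACL and class-map names are constructed examples.
ip access-list copp-acl-bgp-example
  permit tcp any any eq bgp
  permit tcp any eq bgp any
class-map type control-plane match-any copp-class-bgp-example
  match access-group name copp-acl-bgp-example

! Step 2: build the policy. Rate and burst values are constructed, not recommendations.
policy-map type control-plane copp-policy-example
  class copp-class-bgp-example
    set cos 7
    police cir 1000 pps bc 128 packets conform transmit violate drop
  class class-default
    set cos 0
    police cir 50 pps bc 32 packets conform transmit violate drop

! Step 3: attach the policy to the control plane.
control-plane
  service-policy input copp-policy-example
```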
CoPP and the Management Interface
The Cisco NX-OS device supports only hardware-based CoPP, which does not cover the management interface (mgmt0). The out-of-band mgmt0 interface connects directly to the CPU and does not pass through the in-band forwarding hardware where CoPP is implemented.
On the mgmt0 interface, ACLs can be configured to permit or deny a particular type of traffic.