Restrictions for CoPP
Restrictions for control plane policing (CoPP) include the following:
- Only ingress CoPP is supported. The system-cpp-policy policy-map is available on the control plane interface, and only in the ingress direction.
- Only the system-cpp-policy policy-map can be installed on the control plane interface.
- The system-cpp-policy policy-map and the system-defined classes cannot be modified or deleted.
- Only the police action is allowed under the system-cpp-policy policy-map. The police rate for system-defined classes must be configured only in packets per second (pps).
- Removing the policer rate configuration disables CoPP on all affected queues.
- We recommend not disabling the policer for a system-defined class map, that is, do not configure the no police rate rate pps command. Doing so affects the overall system health in case of high traffic towards the CPU. Further, even if you disable the policer rate for a system-defined class map, the system automatically reverts to the default policer rate after system bootup in order to protect the system bring-up process.
- The show run command does not display information about classes configured under system-cpp policy when they are left at default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane commands instead. You can continue to use the show run command to display information about custom policies.
- A protocol with a huge number of CPU-bound packets may impact other protocols in the same class, as some of these protocols share the same policer. For example, Address Resolution Protocol (ARP) shares 4000 hardware policers with an array of host protocols like Telnet, Internet Control Message Protocol (ICMP), SSH, FTP, and SNMP in the system-cpp-police-forus class. If there is an ARP poisoning or an ICMP attack, hardware policers start throttling any incoming traffic that exceeds 4000 packets per second to protect the CPU and the overall integrity of the system. As a result, ARP and ICMP host protocols are dropped, along with any other host protocols that share the same class.
- Starting from Cisco IOS XE Fuji 16.8.1a, the creation of user-defined class-maps is not supported.
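As an added example (not taken from the Cisco documentation), the following IOS XE session shows the one supported way to tune a system-defined class, a police rate in pps under system-cpp-policy, and how to verify it given that show run omits classes left at their defaults. The 4000 pps value is the rate the text cites for the system-cpp-police-forus class; the "Switch" host name is a placeholder.

```cisco-ios
! Host name is a placeholder. Only the police action, in pps, is accepted
! under system-cpp-policy; the policy-map and its classes cannot be deleted.
Switch# configure terminal
Switch(config)# policy-map system-cpp-policy
Switch(config-pmap)# class system-cpp-police-forus
! Rate must be given in pps. Do not issue "no police rate 4000 pps": that
! removes the policer and disables CoPP on the affected queue until the
! system reverts to the default rate at the next bootup.
Switch(config-pmap-c)# police rate 4000 pps
Switch(config-pmap-c)# end
! Verification: show run hides default-valued system classes, so inspect
! the policy-map directly. The per-class counters under the control-plane
! view are where throttling of a shared class (for example during an ARP
! or ICMP flood hitting system-cpp-police-forus) becomes visible.
Switch# show policy-map system-cpp-policy
Switch# show policy-map control-plane
```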