Configuring Control Plane Policing

This chapter contains the following sections:

• Information About CoPP
• Control Plane Protection
• CoPP Policy Templates
• CoPP and the Management Interface
• Licensing Requirements for CoPP
• Guidelines and Limitations for CoPP
• Default Settings for CoPP
• Configuring CoPP
• Verifying the CoPP Configuration
• Displaying the CoPP Configuration Status
• Monitoring CoPP
• Clearing the CoPP Statistics
• Additional References for CoPP
• Feature History for CoPP

Information About CoPP
Control Plane Policing (CoPP) protects the control plane and separates it from the data plane, which ensures
network stability, reachability, and packet delivery.
This feature allows a policy map to be applied to the control plane. This policy map looks like a normal QoS
policy and is applied to all traffic entering the switch from a non-management port. A common attack vector
for network devices is the denial-of-service (DoS) attack, where excessive traffic is directed at the device
interfaces.

Cisco Nexus 5000 Series NX-OS Security Configuration Guide, Release 5.2(1)N1(1)
OL-26844-01
Exhibit 2030
IPR2016-00309

The Cisco NX-OS device provides CoPP to prevent DoS attacks from impacting performance. Such attacks,
which can be perpetrated either inadvertently or maliciously, typically involve high rates of traffic destined
to the supervisor module or CPU itself.
The supervisor module divides the traffic that it manages into three functional components or planes:

Data plane
Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from
one interface to another. The packets that are not meant for the switch itself are called the transit packets.
These packets are handled by the data plane.

Control plane
Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol
(BGP) and the Open Shortest Path First (OSPF) Protocol, send control packets between devices. These
packets are destined to router addresses and are called control plane packets.

Management plane
Runs the components meant for Cisco NX-OS device management purposes such as the command-line
interface (CLI) and Simple Network Management Protocol (SNMP).

The supervisor module has both the management plane and control plane and is critical to the operation of
the network. Any disruption or attacks to the supervisor module will result in serious network outages. For
example, excessive traffic to the supervisor module could overload and slow down the performance of the
entire Cisco NX-OS device. Another example is a DoS attack on the supervisor module that could generate
IP traffic streams to the control plane at a very high rate, forcing the control plane to spend a large amount of
time in handling these packets and preventing the control plane from processing genuine traffic.
Examples of DoS attacks are as follows:
• Internet Control Message Protocol (ICMP) echo requests
• IP fragments
• TCP SYN flooding

These attacks can impact the device performance and have the following negative effects:
• Reduced service quality (such as poor voice, video, or critical applications traffic)
• High route processor or switch processor CPU utilization
• Route flaps due to loss of routing protocol updates or keepalives
• Unstable Layer 2 topology
• Slow or unresponsive interactive sessions with the CLI
• Processor resource exhaustion, such as the memory and buffers
• Indiscriminate drops of incoming packets

Caution
It is important to ensure that you protect the supervisor module from accidental or malicious attacks by
configuring control plane protection.

Control Plane Protection
To protect the control plane, the Cisco NX-OS device segregates different packets destined for the control
plane into different classes. Once these classes are identified, the Cisco NX-OS device polices the packets,
which ensures that the supervisor module is not overwhelmed.

Control Plane Packet Types
Different types of packets can reach the control plane:

Receive packets
Packets that have the destination address of a router. The destination address can be a Layer 2 address
(such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These
packets include router updates and keepalive messages. Multicast packets can also be in this category
where packets are sent to multicast addresses that are used by a router.

Exception packets
Packets that need special handling by the supervisor module. For example, if a destination address is
not present in the Forwarding Information Base (FIB) and results in a miss, the supervisor module
sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options
set.

Redirected packets
Packets that are redirected to the supervisor module. Features such as Dynamic Host Configuration
Protocol (DHCP) snooping or dynamic Address Resolution Protocol (ARP) inspection redirect some
packets to the supervisor module.

Glean packets
If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module
receives the packet and sends an ARP request to the host.

All of these different packets could be maliciously used to attack the control plane and overwhelm the Cisco
NX-OS device. CoPP classifies these packets into different classes and provides a mechanism to individually
control the rate at which the supervisor module receives these packets.

Classification for CoPP
For effective protection, the Cisco NX-OS device classifies the packets that reach the supervisor module to
allow you to apply different rate controlling policies based on the type of the packet. For example, you might
want to be less strict with a protocol packet such as Hello messages but more strict with a packet that is sent
to the supervisor module because the IP option is set.

Rate Controlling Mechanisms
Once the packets are classified, the Cisco NX-OS device has two different mechanisms to control the rate at
which packets arrive at the supervisor module: policing and rate limiting.

Using hardware policers, you can define separate actions for traffic that conforms to or violates certain
conditions. These actions can transmit the packet, mark down the packet, or drop the packet.
You can configure the following parameters for policing:

Committed information rate (CIR)
Desired bandwidth, specified as a bit rate.

Committed burst (BC)
Size of a traffic burst that can exceed the CIR within a given unit of time and not impact scheduling.
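To make the CIR and BC parameters concrete, here is an added token-bucket policer model (example code written for this edit, not Cisco's; the single-bucket model, the traffic stream, and the 10-second window are assumptions) run against the icmp-echo values that the default policy uses, cir 64 kbps bc 3600000 bytes:

```python
# Added example, not from the Cisco guide: a single-rate token-bucket policer
# parameterized the way a CoPP "police cir <rate> kbps bc <bytes> bytes"
# statement is. The model (one bucket of bc bytes, refilled at cir, a packet
# conforms when enough tokens remain and is otherwise dropped) is an
# assumption about the hardware policer, not Cisco's documented algorithm.
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class PolicerStats:
    conformed_packets: int = 0
    conformed_bytes: int = 0
    violated_packets: int = 0
    violated_bytes: int = 0


def police(cir_kbps: int, bc_bytes: int,
           packets: Iterable[Tuple[float, int]]) -> PolicerStats:
    """Run a time-ordered stream of (arrival_seconds, size_bytes) through the
    policer and count what conforms (transmitted) and what violates (dropped)."""
    refill_per_s = cir_kbps * 1000 / 8.0      # CIR expressed in bytes per second
    tokens = float(bc_bytes)                  # the bucket starts full
    last_t = None
    stats = PolicerStats()
    for t, size in packets:
        if last_t is not None:
            if t < last_t:
                raise ValueError("packets must be in arrival order")
            # Refill for the elapsed time, never beyond the committed burst.
            tokens = min(float(bc_bytes), tokens + (t - last_t) * refill_per_s)
        last_t = t
        if size <= tokens:
            tokens -= size
            stats.conformed_packets += 1
            stats.conformed_bytes += size
        else:
            stats.violated_packets += 1
            stats.violated_bytes += size
    return stats


def constant_rate_stream(rate_bps: float, size_bytes: int,
                         duration_s: float) -> List[Tuple[float, int]]:
    """Constructed traffic: evenly spaced packets of size_bytes at rate_bps."""
    interval = size_bytes * 8 / rate_bps
    count = int(duration_s / interval)
    return [(i * interval, size_bytes) for i in range(count)]


def sustained_rate_bps(stats: PolicerStats, duration_s: float) -> float:
    """Average admitted rate over the run, for comparison against the CIR."""
    return stats.conformed_bytes * 8 / duration_s


if __name__ == "__main__":
    # copp-system-class-icmp-echo in the default policy: cir 64 kbps bc 3600000 bytes.
    # Constructed flood: 100 Mb/s of 1500-byte echo requests for 10 seconds.
    flood = constant_rate_stream(100_000_000, 1500, 10.0)
    s = police(64, 3_600_000, flood)
    print(f"flood: {s.conformed_packets} conformed, {s.violated_packets} dropped, "
          f"{sustained_rate_bps(s, 10.0) / 1000:.0f} kb/s admitted on average")
    # Constructed well-behaved stream at half the CIR: nothing is dropped.
    q = police(64, 3_600_000, constant_rate_stream(32_000, 1500, 10.0))
    print(f"below CIR: {q.violated_packets} dropped of {q.conformed_packets + q.violated_packets}")
```

Over a short window the 3.6 MB burst allowance, not the 64 kbps rate, decides how much of a flood reaches the supervisor, which is why the burst size matters as much as the CIR when tuning the customized policy.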

CoPP Class Maps
The following table shows the available class maps and their configurations.

Table 1: Class Map Configurations and Descriptions

Class map: class-map type control-plane match-any copp-system-class-arp
Configuration: match protocol arp
               match protocol nd
Description: Class matches all ARP packets and ND (NA, NS, RA, and RS) packets.

Class map: class-map type control-plane match-any copp-system-class-bgp
Configuration: match protocol bgp
Description: Class matches all BGP packets.

Class map: class-map type control-plane match-any copp-system-class-bridging
Configuration: match protocol bridging
Description: Class matches all STP and RSTP frames.

Class map: class-map type control-plane match-any copp-system-class-cdp
Configuration: match protocol cdp
Description: Class matches all CDP frames.

Class map: class-map type control-plane match-any copp-system-class-default
Configuration: match protocol default
Description: Class matches all frames. Used for the default policer.

Class map: class-map type control-plane match-any copp-system-class-dhcp
Configuration: match protocol dhcp
Description: Class matches all IPv4 DHCP packets.

Class map: class-map type control-plane match-any copp-system-class-eigrp
Configuration: match protocol eigrp
               match protocol eigrp6
Description: Class matches both IPv4 and IPv6 EIGRP packets.

Class map: class-map type control-plane match-any copp-system-class-exception
Configuration: match protocol exception
Description: Class matches all IP packets that are treated as exception packets (except TTL exception, IP
fragment exception, and same interface exception packets) for IP routing purposes, such as packets with a
Martian destination address or with an MTU failure.

Class map: class-map type control-plane match-any copp-system-class-excp-ip-frag
Configuration: match protocol ip_frag
Description: Class matches all IP packets that are fragments. (These packets are treated as exception packets
from an IP routing perspective.)

Class map: class-map type control-plane match-any copp-system-class-excp-same-if
Configuration: match protocol same-if
Description: Class matches all IP packets that are treated as exception packets for IP routing. The packets are
matched because they are received from the interface where their destination is supposed to be.

Class map: class-map type control-plane match-any copp-system-class-excp-ttl
Configuration: match protocol ttl
Description: Class matches all packets that are treated as TTL exception packets (when TTL is 0) from an IP
routing perspective.

Class map: class-map type control-plane match-any copp-system-class-fip
Configuration: match protocol fip
Description: Class matches all packets belonging to the FCoE Initialization Protocol.

Class map: class-map type control-plane match-any copp-system-class-glean
Configuration: match protocol glean

Class map: class-map type control-plane match-any copp-system-class-hsrp-vrrp
Configuration: match protocol hsrp_vrrp
               match protocol hsrp6
Description: Class matches IPv4 HSRP, VRRP, and IPv6 HSRP packets.

Class map: class-map type control-plane match-any copp-system-class-icmp-echo
Configuration: match protocol icmp_echo
Description: Class matches all ICMP Echo (Ping) packets.

Class map: class-map type control-plane match-any copp-system-class-igmp
Configuration: match protocol igmp
Description: Class matches all IGMP packets.

Class map: class-map type control-plane match-any copp-system-class-isis
Configuration: match protocol isis_dce
Description: Class matches FabricPath ISIS packets and ignores router ISIS packets.

Class map: class-map type control-plane match-any copp-system-class-l3dest-miss
Configuration: match protocol unicast
Description: Class matches all unicast routed packets that did not find a destination in the FIB.

Class map: class-map type control-plane match-any copp-system-class-lacp
Configuration: match protocol lacp
Description: Class matches all Link Aggregation Control Protocol (LACP) frames.

Class map: class-map type control-plane match-any copp-system-class-lldp
Configuration: match protocol lldp_dcx
Description: Class matches all LLDP frames.

Class map: class-map type control-plane match-any copp-system-class-mcast-last-hop
Configuration: match protocol mcast_last_hop
Description: Class matches all IP multicast last hop packets.

Class map: class-map type control-plane match-any copp-system-class-mcast-miss
Configuration: match protocol multicast
Description: Class matches all IP multicast frames that could not be routed because they did not have an entry
in the FIB.

Class map: class-map type control-plane match-any copp-system-class-mgmt
Configuration: match protocol mgmt
Description: Class matches all management-related frames, such as SNMP, HTTP, NTP, Telnet, and SSH.

Class map: class-map type control-plane match-any copp-system-class-msdp
Configuration: match protocol msdp
Description: Class matches MSDP packets.

Class map: class-map type control-plane match-any copp-system-class-ospf
Configuration: match protocol ospf
               match protocol ospfv3
Description: Class matches OSPF and OSPFv3 Protocol packets.

Class map: class-map type control-plane match-any copp-system-class-pim-hello
Configuration: match protocol pim
Description: Class matches all PIM Hello packets.

Class map: class-map type control-plane match-any copp-system-class-pim-register
Configuration: match protocol reg
Description: Class matches all PIM Register packets.

Class map: class-map type control-plane match-any copp-system-class-rip
Configuration: match protocol rip
Description: Class matches all RIP packets.

Class map: class-map type control-plane match-any copp-system-class-rpf-fail
Configuration: match protocol rpf_fail
Description: Class matches all RPF failure packets.

Class map: class-map type control-plane match-any copp-system-class-udld
Configuration: match protocol udld
Description: Class matches all UDLD frames.

CoPP Policy Templates
When you bring up your Cisco NX-OS device for the first time, the Cisco NX-OS software installs the default
copp-system-policy to protect the supervisor module from DoS attacks. You can choose the CoPP policy
template for your deployment scenario by specifying CoPP policy options from the initial setup utility:
• Default CoPP Policy (copp-system-policy-default)
• Scaled Layer 2 CoPP Policy (copp-system-policy-scaled-l2)
• Scaled Layer 3 CoPP Policy (copp-system-policy-scaled-l3)
• Customized CoPP Policy (copp-system-policy-customized)

If you do not select an option or choose not to execute the setup utility, the Cisco NX-OS software applies
the default policy. Cisco recommends starting with the default policy and later modifying the CoPP policies
as required.
The default copp-system-policy-default policy has optimized values suitable for basic device operations.
You can change which CoPP policy is used by using the service-policy input policy-name command in the
control plane configuration mode.

Default CoPP Policy
The copp-system-policy-default policy is applied to the switch by default. It has the classes with policer rates
that should suit most network installations. You cannot modify this policy or the class maps associated with
it. In addition, you cannot modify the class map configurations in this policy.
This policy has the following configuration:

policy-map type control-plane copp-system-policy-default
  class copp-system-class-igmp
    police cir 1024 kbps bc 65535 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 1024 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 256000 bytes
  class copp-system-class-icmp-echo
    police cir 64 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 256000 bytes
  class copp-system-class-mcast-miss
    police cir 256 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes

Scaled Layer 2 CoPP Policy
The copp-system-policy-scaled-l2 policy has most classes with policer rates that are the same as the default policy.
However, it has higher policer rates for IGMP and ISIS. You cannot modify this policy or the class maps
associated with it. In addition, you cannot modify the class map configurations in this policy.
This policy has the following configuration:

policy-map type control-plane copp-system-policy-scaled-l2
  class copp-system-class-igmp
    police cir 4096 kbps bc 264000 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 1024 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-icmp-echo
    police cir 64 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-mcast-miss
    police cir 256 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes

Scaled Layer 3 CoPP Policy
The copp-system-policy-scaled-l3 policy has most classes with policer rates that are the same as the default policy.
However, it has higher policer rates for IGMP, ICMP Echo, ISIS, Mcast-miss, and Glean related classes. You
cannot modify this policy or the class maps associated with it. In addition, you cannot modify the class map
configurations in this policy.
This policy has the following configuration:

policy-map type control-plane copp-system-policy-scaled-l3
  class copp-system-class-igmp
    police cir 4096 kbps bc 264000 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 4000 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 4000 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-icmp-echo
    police cir 4000 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-mcast-miss
    police cir 4000 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes

Customizable CoPP Policy
The copp-system-policy-customized policy is configured identically to the default policy, but can be customized
for different class map information rates and burst sizes.
You cannot add or delete any of the class maps configured in this policy.

Important
This policy is meant for advanced users. We recommend that you use extreme caution when configuring
this policy and test it extensively before deploying it in your production network.

This policy has the following configuration:

policy-map type control-plane copp-system-policy-customized
  class copp-system-class-igmp
    police cir 1024 kbps bc 65535 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 1024 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-icmp-echo
    police cir 64 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-mcast-miss
    police cir 256 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes

CoPP and the Management Interface
The Cisco NX-OS device supports only hardware-based CoPP, which does not cover the management
interface (mgmt0). The out-of-band mgmt0 interface connects directly to the CPU and does not pass through
the in-band traffic hardware where CoPP is implemented.
On the mgmt0 interface, ACLs can be configured to permit or deny access to a particular type of traffic.

Licensing Requirements for CoPP
This feature does not require a license. Any feature not included in a license package is bundled with the Cisco
NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco
NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Guidelines and Limitations for CoPP
CoPP is a feature that is enabled by default in the switch. You cannot enable or disable CoPP.
• Only one control-plane policy can be applied at a time.
• Removing a CoPP policy applies the default CoPP policy. In this way, a CoPP policy is always applied.
• You cannot add or delete any classes or policies.
• You cannot change the order of the classes or remove a class from any policy.
• You cannot modify the default, the Scaled Layer 2, or the Scaled Layer 3 policies. However, you can
modify the information rate and burst size of the classes in the customized policy.
• The customized policy configuration is the same as the default policy configuration, unless the customized
policy has been modified.
• When upgrading from a previous release, the default CoPP policy is enabled by default on the switch.
• After modifying the customized policy or changing the applied policy, the statistical counters are reset.
• After you perform an ISSU, the statistical counters are reset.
• Cisco recommends that you use the default CoPP policy initially and then later determine which of the
CoPP policies to use based on the data center and application requirements.
• Customizing CoPP is an ongoing process. CoPP must be configured according to the protocols and
features used in your specific environment as well as the supervisor features that are required by the
server environment. As these protocols and features change, CoPP must be modified.
• Cisco recommends that you continuously monitor CoPP. If drops occur, determine if CoPP dropped
traffic unintentionally or in response to a malfunction or attack. In either event, analyze the situation
and evaluate the need to use a different CoPP policy or modify the customized CoPP policy.
• All the traffic that you do not specify in the other class maps is put into the last class, the default class.
• The Cisco NX-OS software does not support egress CoPP or silent mode. CoPP is supported only on
ingress (you cannot use the service-policy output copp command on the control plane interface).

Note
If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature
might differ from the Cisco IOS commands that you would use.

Default Settings for CoPP
This table lists the default settings for CoPP parameters.

Table 2: Default CoPP Parameters Settings

Parameter: Default policy
Default: copp-system-policy-default

Parameter: Default policy
Default: 9 policy entries
Note: The maximum number of supported policies with associated class maps is 128.

Configuring CoPP

Applying a CoPP Policy to the Switch
You can apply one of the following CoPP policies to the switch:
• Default CoPP Policy (copp-system-policy-default)
• Scaled Layer 2 CoPP Policy (copp-system-policy-scaled-l2)
• Scaled Layer 3 CoPP Policy (copp-system-policy-scaled-l3)
• Customized CoPP Policy (copp-system-policy-customized)

Procedure

Step 1: switch# configure terminal
        Enters global configuration mode.
Step 2: switch(config)# control-plane
        Enters control-plane mode.
Step 3: switch(config-cp)# service-policy input policy-map-name
        Applies the specified CoPP policy map. The policy-map-name can be copp-system-policy-default,
        copp-system-policy-scaled-l2, copp-system-policy-scaled-l3, or copp-system-policy-customized.
Step 4: switch(config-cp)# copy running-config startup-config
        Saves the change persistently through reboots and restarts by copying the running configuration to the
        startup configuration.

This example shows how to apply a CoPP policy to the device:
switch# configure terminal
switch(config)# control-plane
switch(config-cp)# service-policy input copp-system-policy-default
switch(config-cp)# copy running-config startup-config

Modifying the Customized CoPP Policy
You can only modify the information rates and burst sizes of the class maps configured in this policy.

Procedure

Step 1: switch# configure terminal
        Enters global configuration mode.
Step 2: switch(config)# policy-map type control-plane copp-system-policy-customized
        Enters configuration mode for the customized CoPP policy.
Step 3: switch(config-pmap)# class class-map-name
        Specifies one of the 28 predefined class-maps listed in any CoPP predefined policy.
Step 4: switch(config-pmap-c)# police cir rate-value kbps bc buffer-size bytes
        Configures the committed information rate (CIR) and committed burst size (BC). The range for cir is
        from 1 to 20480. The range for bc is from 1500 to 6400000.
Step 5: switch(config-pmap-c)# copy running-config startup-config
        Saves the change persistently through reboots and restarts by copying the running configuration to the
        startup configuration.

This example shows how to modify the customized CoPP policy:
switch(config)# policy-map type control-plane copp-system-policy-customized
switch(config-pmap)# class copp-system-class-bridging
switch(config-pmap-c)# police cir 10000 kbps bc 2400000 bytes

Verifying the CoPP Configuration
Use one of the following commands to verify the configuration:

Command: show policy-map type control-plane [expand] [name policy-map-name]
Purpose: Displays the control plane policy map with associated class maps.

Command: show policy-map interface control-plane
Purpose: Displays the policy values with associated class maps and drops per policy or class map.

Command: show class-map type control-plane [class-map-name]
Purpose: Displays the control plane class map configuration, including the ACLs that are bound to this class map.

Displaying the CoPP Configuration Status

Procedure

Step 1   Command or Action: switch# show copp status
         Purpose: Displays the configuration status for the CoPP feature.

This example shows how to display the CoPP configuration status:

switch# show copp status

Monitoring CoPP

Procedure

Step 1   Command or Action: switch# show policy-map interface control-plane
         Purpose: Displays packet-level statistics for all classes that are part of the applied
         CoPP policy, for example the conformed and violated counters. Statistics are reported as
         OutPackets (packets admitted to the control plane) and DropPackets (packets dropped because
         of rate limiting). A nonzero and rising violated count for a class means traffic in that
         class is exceeding its policer: either the configured rate is too low for legitimate
         traffic, or something is flooding that class toward the supervisor.

This example shows how to monitor CoPP:

switch# show policy-map interface control-plane
Control Plane
  service-policy input: copp-system-policy-default
    class-map copp-system-class-igmp (match-any)
      match protocol igmp
      police cir 1024 kbps , bc 65535 bytes
        conformed 0 bytes; action: transmit
        violated 0 bytes;
    class-map copp-system-class-pim-hello (match-any)
      match protocol pim
      police cir 1024 kbps , bc 4800000 bytes
        conformed 0 bytes; action: transmit
        violated 0 bytes;
....
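The following parser is an added example, not part of the Cisco guide. It reads the output of show policy-map interface control-plane (collected, for instance, over SSH and saved to a file) using the line shapes in the sample above, and flags every class whose violated counter is nonzero. SAMPLE_OUTPUT repeats the guide's two classes and adds a constructed third class, copp-system-class-example, with invented byte counts so that the flagging logic has something to find.

```python
"""Parse 'show policy-map interface control-plane' output and flag policed classes.

Added example, not part of the Cisco guide. The parser keys on the line
shapes of the guide's sample output (class-map ..., police cir ... bc ...,
conformed N bytes, violated N bytes). The third class in SAMPLE_OUTPUT,
copp-system-class-example, and its counters are constructed for the demo.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Control Plane
  service-policy input: copp-system-policy-default
    class-map copp-system-class-igmp (match-any)
      match protocol igmp
      police cir 1024 kbps , bc 65535 bytes
        conformed 0 bytes; action: transmit
        violated 0 bytes;
    class-map copp-system-class-pim-hello (match-any)
      match protocol pim
      police cir 1024 kbps , bc 4800000 bytes
        conformed 0 bytes; action: transmit
        violated 0 bytes;
    class-map copp-system-class-example (match-any)
      match protocol example
      police cir 1024 kbps , bc 65535 bytes
        conformed 1048576 bytes; action: transmit
        violated 3145728 bytes;
"""

CLASS_RE = re.compile(r"^class-map\s+(\S+)")
POLICE_RE = re.compile(r"^police\s+cir\s+(\d+)\s+kbps\s*,\s*bc\s+(\d+)\s+bytes")
CONFORMED_RE = re.compile(r"^conformed\s+(\d+)\s+bytes")
VIOLATED_RE = re.compile(r"^violated\s+(\d+)\s+bytes")


@dataclass
class ClassStats:
    name: str
    cir_kbps: int = 0
    bc_bytes: int = 0
    conformed_bytes: int = 0
    violated_bytes: int = 0

    @property
    def drop_ratio(self) -> float:
        """Share of offered bytes the policer dropped (0.0 when nothing was seen)."""
        total = self.conformed_bytes + self.violated_bytes
        return self.violated_bytes / total if total else 0.0


def parse_copp_stats(text: str) -> list[ClassStats]:
    """Walk the output line by line; each class-map line opens a new record."""
    stats: list[ClassStats] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # indentation varies between releases; ignore it
        if m := CLASS_RE.match(line):
            current = ClassStats(name=m.group(1))
            stats.append(current)
        elif current is None:
            continue  # header lines before the first class-map
        elif m := POLICE_RE.match(line):
            current.cir_kbps, current.bc_bytes = int(m.group(1)), int(m.group(2))
        elif m := CONFORMED_RE.match(line):
            current.conformed_bytes = int(m.group(1))
        elif m := VIOLATED_RE.match(line):
            current.violated_bytes = int(m.group(1))
    return stats


def classes_being_policed(text: str, min_ratio: float = 0.0) -> list[str]:
    """Names of classes with a nonzero violated counter and a drop ratio above
    min_ratio: either the rate is too low for legitimate traffic or something
    is flooding that class toward the supervisor."""
    return [s.name for s in parse_copp_stats(text)
            if s.violated_bytes > 0 and s.drop_ratio > min_ratio]


if __name__ == "__main__":
    for s in parse_copp_stats(SAMPLE_OUTPUT):
        print(f"{s.name:32} cir={s.cir_kbps} kbps bc={s.bc_bytes} "
              f"violated={s.violated_bytes} drop_ratio={s.drop_ratio:.2f}")
    print("policed:", classes_being_policed(SAMPLE_OUTPUT))
```

Because the counters are cumulative, run this against two collections taken some minutes apart and act on the difference; a class whose violated count is large but static was policed at some point in the past and may not be under attack now.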
`
Clearing the CoPP Statistics

Procedure

Step 1   Command or Action: switch# show policy-map interface control-plane
         Purpose: (Optional) Displays the currently applied CoPP policy and per-class statistics.
         Record this output before clearing if the counters are needed as evidence for an incident;
         clearing cannot be undone.

Step 2   Command or Action: switch# clear copp statistics
         Purpose: Clears the CoPP statistics.

This example shows how to clear the CoPP statistics for your installation:

switch# show policy-map interface control-plane
switch# clear copp statistics
`
Additional References for CoPP