OL-11615-01
7. Critical Applications
This class defines application traffic that is crucial to a specific network. The protocols that might
be included in this class include generic routing encapsulation (GRE), Hot Standby Router Protocol
(HSRP), Virtual Router Redundancy Protocol (VRRP), Dynamic Host Configuration Protocol
(DHCP), IPSec, and multicast traffic.
8. Undesirable
This explicitly identifies unwanted or malicious traffic that should be dropped and denied access to
the RP. For example, this class could contain packets from a well-known worm. This class is
particularly useful when specific traffic destined to the router should always be denied rather than
be placed into a default category. Explicitly denying traffic allows you to collect rough statistics on
this traffic using show commands and thereby offers some insight into the rate of denied traffic.
9. Default
This class defines all remaining traffic destined to the RP that does not match any other class. MQC
provides the Default class so you can specify how to treat traffic that is not explicitly associated with
any other user-defined classes. It is desirable to give such traffic access to the RP but at a highly
reduced rate.
With a default classification in place, statistics can be monitored to determine the rate of otherwise
unidentified traffic destined to the control plane. After this traffic is identified, further analysis can be
performed to classify it. If needed, the other CoPP policy entries can be updated to account for this
traffic.
Note: On Supervisors 32 and 720 the default class (class-default) is the only traffic class that matches both IP
and non-IP packets.
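As an added illustration (not configuration from this document), the following Catalyst 6500 style IOS fragment shows how the Critical Applications, Undesirable and Default classes described above map onto MQC. The ACL and class names, the police rates, and the worm port used for the Undesirable class are assumed for the example; real rates must come from your own measured traffic profile.

```cisco
! Added example, not from the document. Names, rates and the worm
! port are assumed for illustration only.
!
! Class 7: Critical Applications (GRE, HSRP, VRRP, DHCP, IPsec, multicast)
ip access-list extended COPP-CRITICAL-APPS
 permit gre any any
 permit udp any host 224.0.0.2 eq 1985
 permit 112 any any
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 permit esp any any
 permit udp any any eq isakmp
 permit ip any 224.0.0.0 15.255.255.255
!
! Class 8: Undesirable. Constructed example: one well-known worm port.
ip access-list extended COPP-UNDESIRABLE
 permit udp any any eq 1434
!
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
class-map match-all COPP-CRITICAL-APPS
 match access-group name COPP-CRITICAL-APPS
!
! Undesirable is listed first so it is never absorbed by a broader class.
policy-map COPP-POLICY
 class COPP-UNDESIRABLE
  ! Drop on both actions; a police statement keeps per-class counters
  ! so the rate of denied traffic stays visible in show output.
  police 32000 1500 1500 conform-action drop exceed-action drop
 class COPP-CRITICAL-APPS
  police 125000 1500 1500 conform-action transmit exceed-action drop
 class class-default
  ! Class 9: Default. Reaches the RP, but at a highly reduced rate.
  ! On Sup32/Sup720 this class also catches non-IP packets.
  police 32000 1500 1500 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! Iteration: inspect counters to see what lands in class-default and
! what each ACL entry actually carries before tightening the policy.
! show policy-map control-plane
! show ip access-lists COPP-CRITICAL-APPS
```

Anything that accumulates in class-default is a candidate for a new class of its own on the next pass of the methodology.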
Recommended CoPP Deployment Methodology
Because CoPP filters traffic, it is critical to gain an adequate level of understanding about the legitimate
traffic destined to the RP prior to deployment. CoPP policies built without proper understanding of the
protocols, devices, or required traffic rates involved can block critical traffic. This has the potential of
creating a DoS condition. Determining the exact traffic profile needed to build the CoPP policies might
be difficult in some networks.
The following steps follow a conservative methodology that facilitates the process of designing and
deploying CoPP. This methodology uses iterative ACL configurations to help identify and to
incrementally filter traffic.
To deploy CoPP, perform the following steps:
Step 1 Determine the classification scheme for your network.
Identify the known protocols that access the RP and divide them into categories using the most useful
criteria for your specific network. In the case of the Catalyst 4500 Series switch, you can take advantage
of the system-predefined classes and choose to combine them with your own classes. In the case of the
Catalyst 6500, there are no predefined classes, so you need to define all the classes. As an example of
classification, the nine-category template presented earlier in this section (BGP, IGP, Interactive
Management, File Management, Reporting, Critical Applications, Undesirable, and Default) uses a
combination of relative importance and traffic type. Select a scheme suited to your specific network,
which might require a larger or smaller number of classes.
Step 2 Define classification ACLs.