OL-11615-01
! Allow the router to receive NTP packets from a known clock source
permit udp host 10.2.2.3 host 10.1.1.1 eq ntp
!
! The file management class is for the file transfer traffic required
! for software and configuration maintenance; in this example, TFTP
! and FTP are classified in this class
ip access-list extended coppacl-filemanagement
remark CoPP file management traffic class
! Allow router initiated FTP (active and passive)
permit tcp 10.2.1.0 0.0.0.255 eq 21 host 10.1.1.1 gt 1023 established
permit tcp 10.2.1.0 0.0.0.255 eq 20 host 10.1.1.1 gt 1023
permit tcp 10.2.1.0 0.0.0.255 gt 1023 host 10.1.1.1 gt 1023 established
! Allow router initiated TFTP
permit udp 10.2.1.0 0.0.0.255 gt 1023 host 10.1.1.1 gt 1023
!
! The monitoring class is used for traffic that is required for
! monitoring the system. Monitoring traffic is traffic that we expect
! to see destined to the router and want to track and limit
ip access-list extended coppacl-monitoring
remark CoPP monitoring traffic class
! permit router originated traceroute
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
! permit receipt of responses to router originated pings
permit icmp any any echo-reply
! allow pings to router/switch
permit icmp any any echo
!
! The critical-app class is used for traffic that is crucial to
! the particular customer's environment. In this example, HSRP
! and DHCP are used.
ip access-list extended coppacl-critical-app
remark CoPP critical apps traffic class
! permit HSRP
permit ip any host 224.0.0.2
! permit DHCP requests
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
! permit DHCP replies from DHCP server
permit udp host 10.2.2.8 eq bootps any eq bootps
!
! This ACL identifies traffic that should always be blocked from
! accessing the Route Processor. Once undesirable traffic flow is
! identified, an ACE entry classifying it can be added and mapped to the
! undesirable traffic class. This can be used as a reaction tool.
ip access-list extended coppacl-undesirable
remark explicitly defined "undesirable" traffic
! permit, for policing, all traffic destined to UDP 1434
permit udp any any eq 1434

When the control plane traffic has been classified, the next step is to define the policy action for each
traffic class. In this example, the intention is to deploy a policy that protects the router while limiting
the risk of dropping critical traffic. To that end, the CoPP policy permits each traffic class up to an
appropriate rate limit: traffic that conforms to the rate is transmitted to the route processor, and traffic
that exceeds it is dropped.
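The following configuration is an added example (not part of the original document) showing how the ACLs above are bound to class-maps, policed with the Table 3 rates, and attached to the control plane. The ACL names coppacl-bgp, coppacl-igp and coppacl-interactivemanagement, the coppclass-* class-map names, the policy-map name copp-policy and the 8000 bps rate on the undesirable class do not appear on this page and are assumptions.

```cisco
! Added example, not from the original document. ACL names coppacl-bgp,
! coppacl-igp and coppacl-interactivemanagement, the coppclass-* names,
! the policy-map name copp-policy and the 8000 bps undesirable rate are
! assumptions; only the three Table 3 rates come from the page.
!
! One class-map per ACL. With match-all and a single match statement a
! packet belongs to the class when it matches any permit ACE in the ACL.
class-map match-all coppclass-bgp
 match access-group name coppacl-bgp
class-map match-all coppclass-igp
 match access-group name coppacl-igp
class-map match-all coppclass-interactivemanagement
 match access-group name coppacl-interactivemanagement
class-map match-all coppclass-undesirable
 match access-group name coppacl-undesirable
!
! Police each class. Rates are in bits per second; conform-action
! transmit and exceed-action drop as in Table 3. A packet is placed in
! the first class it matches, so the undesirable class is listed first
! here so that it takes precedence over any broader class. Both of its
! actions are drop, so the rate value never lets anything through.
policy-map copp-policy
 class coppclass-undesirable
  police 8000 conform-action drop exceed-action drop
 class coppclass-bgp
  police 4000000 conform-action transmit exceed-action drop
 class coppclass-igp
  police 300000 conform-action transmit exceed-action drop
 class coppclass-interactivemanagement
  police 500000 conform-action transmit exceed-action drop
! The file management, monitoring and critical-app classes follow the
! same pattern with their own Table 3 rates.
!
! Attach the policy inbound on the control plane (traffic to the RP).
control-plane
 service-policy input copp-policy
!
! Verify with: show policy-map control-plane
! The per-class conformed/exceeded counters show which class is dropping
! and at what rate, which is the data needed to tune the Table 3 values.
```

Note that the monitoring ACL permits `icmp any any echo`, so the only thing bounding a ping flood at the RP is that class's police rate; check the exceeded counter for that class before lowering its rate, since legitimate router-originated pings and traceroutes share it.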
Table 3 shows the parameters used in the CoPP policies.

Table 3  Sample CoPP Policy

Traffic Class            Rate (bps)   Conform Action   Exceed Action
BGP                      4,000,000    Transmit         Drop
IGP                        300,000    Transmit         Drop
Interactive management     500,000    Transmit         Drop