OL-11615-01
Note: The rates defined in Table 3 were successfully tested on a Cisco Catalyst 6500 Series switch with
Supervisor 720. The values presented here are solely for illustration purposes;
every environment will have different baselines.
The following is the policy for the configuration shown in Table 3:
! Define a class for each "type" of traffic and associate it with an ACL
class-map match-all coppclass-bgp
 match access-group name coppacl-bgp
class-map match-all coppclass-igp
 match access-group name coppacl-igp
class-map match-all coppclass-interactivemanagement
 match access-group name coppacl-interactivemanagement
class-map match-all coppclass-filemanagement
 match access-group name coppacl-filemanagement
class-map match-all coppclass-monitoring
 match access-group name coppacl-monitoring
class-map match-all coppclass-critical-app
 match access-group name coppacl-critical-app
class-map match-all coppclass-undesirable
 match access-group name coppacl-undesirable
!
! This is the actual policy. Depending on class of traffic, rates and associated actions
! are defined
policy-map copp-policy
!
! BGP traffic is limited to a rate of 4,000,000 bps, if traffic exceeds
! that rate it is dropped. NOTE: In this example BGP traffic is rate-limited
! to control attacks based on BGP packets. Once the normal rates are determined,
! and depending on the hardware platform used, it's recommended you consider
! readjusting the rate-limiting parameters.
 class coppclass-bgp
  police cir 4000000 bc 400000 be 400000 conform-action transmit exceed-action drop
!
! IGP traffic is limited to a rate of 300,000 bps, if traffic exceeds
! that rate it is dropped.
 class coppclass-igp
  police cir 300000 bc 3000 be 3000 conform-action transmit exceed-action drop
!
! Interactive Management traffic is limited to a rate of 500,000 bps, if traffic
! exceeds that rate it is dropped
 class coppclass-interactivemanagement
  police cir 500000 bc 5000 be 5000 conform-action transmit exceed-action drop
!
! File Management traffic is limited to a rate of 6,000,000 bps, if traffic exceeds
! that rate it is dropped
 class coppclass-filemanagement
  police cir 6000000 bc 60000 be 60000 conform-action transmit exceed-action drop
Table 3 Sample CoPP Policy

Traffic class           Rate (bps)   Conform action   Exceed action
File management         6,000,000    Transmit         Drop
Monitoring              900,000      Transmit         Drop
Critical applications   900,000      Transmit         Drop
Undesirable             32,000       Drop             Drop
Default                 500,000      Transmit         Drop
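
As an added example (not part of the Cisco document), the following Python code audits the portion of the policy listed above: for each class it reports the policer settings and how long a burst of bc bytes lasts at the committed rate, and it lists class-maps that have no policer in the listing. The function name audit and the embedded CONFIG text are assumptions made for this example; burst sizes are taken to be in bytes and CIR in bits per second, as in the IOS police command.

```python
import re

# Constructed input: class-map names and policy-map lines from this page (match lines omitted).
CONFIG = """\
class-map match-all coppclass-bgp
class-map match-all coppclass-igp
class-map match-all coppclass-interactivemanagement
class-map match-all coppclass-filemanagement
class-map match-all coppclass-monitoring
class-map match-all coppclass-critical-app
class-map match-all coppclass-undesirable
policy-map copp-policy
 class coppclass-bgp
  police cir 4000000 bc 400000 be 400000 conform-action transmit exceed-action drop
 class coppclass-igp
  police cir 300000 bc 3000 be 3000 conform-action transmit exceed-action drop
 class coppclass-interactivemanagement
  police cir 500000 bc 5000 be 5000 conform-action transmit exceed-action drop
 class coppclass-filemanagement
  police cir 6000000 bc 60000 be 60000 conform-action transmit exceed-action drop
"""

POLICE = re.compile(r"police cir (\d+) bc (\d+) be (\d+) "
                    r"conform-action (\S+) exceed-action (\S+)")

def audit(config):
    """Return (policers, unpoliced): settings per class, and class-maps with no policer."""
    defined, policers, current = [], {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["class-map"]:
            defined.append(words[-1])          # class-map name is the last token
        elif words[:1] == ["class"]:
            current = words[1]                 # following police line belongs to this class
        elif current and (m := POLICE.search(line)):
            cir, bc, be = map(int, m.groups()[:3])
            policers[current] = {
                "cir_bps": cir, "bc_bytes": bc, "be_bytes": be,
                "burst_ms": bc * 8 * 1000 // cir,   # time to send bc bytes at CIR
                "conform": m.group(4), "exceed": m.group(5),
            }
    return policers, [c for c in defined if c not in policers]

if __name__ == "__main__":
    policers, unpoliced = audit(CONFIG)
    for name, p in policers.items():
        print(name, p)
    print("class-maps without a policer:", unpoliced)
```

On this excerpt the BGP class permits a burst ten times longer, relative to its rate, than the other three classes, and the class-maps reported without a policer are the ones whose policy entries are not part of the listing shown here.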