Reference Guide

Control Plane Policing (CoPP)
Control plane policing (CoPP) protects the Z9500 routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows.
CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets. CoPP is only applied to control-plane packets destined to CPUs on the switch, and not to transit protocol-control packets and data traffic that is passing through the switch. CoPP prevents undesired or malicious traffic from reaching the control-plane CPUs and rate-limits legitimate control-plane traffic to acceptable levels.
Topics:
Z9500 CoPP Implementation
CoPP Example
Configure Control Plane Policing
Troubleshooting CoPP Operation
Z9500 CoPP Implementation
The Z9500 control plane consists of multi-core CPUs with internal queues for handling packets destined to the Route Processor, Control Processor, and line-card CPUs.
On the Z9500, CoPP is implemented as a distributed architecture. In this architecture, CoPP operates simultaneously in both distributed and aggregated modes. Distributed CoPP is achieved by applying protocol rate-limiting on each port pipe on a line card. Aggregated CoPP is achieved by applying protocol rate-limiting followed by queue rate-limiting on the centralized control plane on the switch. Only aggregated CoPP rate limits are user-configurable. Distributed CoPP rate limits applied at the port-pipe level are internally derived from the aggregated CoPP configuration.
NOTE:
The CoPP configurations described in this chapter only apply to aggregated CoPP operation on the Z9500.
To configure a CoPP service policy, you create extended ACL rules and specify rate limits in QoS policies. QoS rate limits are applied to a protocol-based ACL filter or to a CPU queue.
User-configured ACLs that filter protocol traffic flows to the control plane are automatically applied or disabled as the corresponding protocol is enabled or disabled in the system. In this way, control packets from disabled protocols never reach the control plane.
Protocol-based Control Plane Policing
To configure a protocol-based CoPP policy, you create an extended ACL rule for the protocol and specify the rate limit in a QoS policy. It is not necessary to specify the CPU queue because the protocol-queue mapping is handled internally by the system. To display the protocol-queue mapping for protocols that you can configure for protocol-based CoPP, enter the show {mac | ip | ipv6} protocol-queue-mapping command.
Queue-based Control Plane Policing
When configuring a queue-based CoPP policy, take into account that there are twenty-four CP queues divided into groups of eight queues for the Route Processor, Control Processor, and line-card CPUs:
Queues 0 to 7 process packets destined to the Control Processor CPU.
Queues 8 to 15 process packets destined to the Route Processor CPU.
Queues 16 to 23 process packets destined to the line-card CPU.
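To illustrate how the two aggregated policing stages compose (the protocol-based limit on an ACL-matched flow, then the queue-based limit on the CPU queue that protocol maps to), here is an added Python model that is not Z9500 code or Dell configuration. The protocol names, rates, and the protocol-to-queue mapping in it are constructed for the example; only the queue-to-CPU ranges follow the list above.

```python
# Two-stage CoPP model (constructed example, not Z9500 code): a protocol
# policer on the ACL-matched flow, then a policer on the CPU queue it maps to.

# Queue-to-CPU assignment as stated in the guide: 24 queues, 8 per processor.
CPU_FOR_QUEUE = {q: "CP" if q < 8 else "RP" if q < 16 else "LC" for q in range(24)}

# Constructed protocol-to-queue mapping; on the switch it comes from
# 'show {mac | ip | ipv6} protocol-queue-mapping'.
PROTOCOL_QUEUE = {"ospf": 9, "bgp": 9, "arp": 2}


class Policer:
    """Packets-per-second limiter counted over whole-second intervals."""
    def __init__(self, rate_pps):
        self.rate_pps, self.dropped, self._count = rate_pps, 0, {}

    def admit(self, second):
        n = self._count.get(second, 0)          # admitted so far this second
        if n >= self.rate_pps:
            self.dropped += 1
            return False
        self._count[second] = n + 1
        return True


def run_copp(packets, protocol_rates, queue_rates):
    """packets: iterable of (second, protocol) headed for the control plane.
    Returns packets delivered per CPU and drops per policing stage."""
    proto_pol = {p: Policer(r) for p, r in protocol_rates.items()}
    queue_pol = {q: Policer(r) for q, r in queue_rates.items()}
    delivered = {"CP": 0, "RP": 0, "LC": 0}
    for second, proto in packets:
        queue = PROTOCOL_QUEUE[proto]
        if not proto_pol[proto].admit(second):   # stage 1: protocol limit
            continue
        if not queue_pol[queue].admit(second):   # stage 2: queue limit
            continue
        delivered[CPU_FOR_QUEUE[queue]] += 1
    return delivered, {"protocol": {p: x.dropped for p, x in proto_pol.items()},
                       "queue": {q: x.dropped for q, x in queue_pol.items()}}


def demo():
    """Constructed one-second burst: an OSPF flood beside normal BGP and ARP."""
    stream = [(0, "ospf")] * 1000 + [(0, "bgp")] * 50 + [(0, "arp")] * 100
    return run_copp(stream, {"ospf": 200, "bgp": 100, "arp": 50}, {9: 220, 2: 100})
```

In demo(), the OSPF flood is cut to 200 pps at the protocol stage, and BGP packets sharing queue 9 are dropped at the queue stage once the 220 pps queue budget is used up, which is why both limits are set in practice.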
The protocols mapped to each CPU queue and the default rate limit applied to the eight CPU queues for the Route Processor, Control Processor, and line cards are as follows: