Concept Guide

Control Plane Policing (CoPP)
Control plane policing (CoPP) protects the switch's routing, control, and line-card processors from undesired or malicious traffic and Denial
of Service (DoS) attacks by filtering control-plane flows.
CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting
capabilities for control-plane packets. CoPP is only applied to control-plane packets destined to CPUs on the switch, and not to transit
protocol-control packets and data traffic that is passing through the switch. CoPP prevents undesired or malicious traffic from reaching the
control-plane CPUs and rate limits legitimate control-plane traffic to acceptable limits.
Topics:
CoPP Implementation
CoPP Example
Congure Control Plane Policing
Troubleshooting CoPP Operation
CoPP Implementation
The system’s control plane consists of multi-core CPUs with internal queues for handling packets destined to the Route Processor, Control
Processor, and line-card CPUs.
On the system, CoPP is implemented as a distributed architecture. In this architecture, CoPP operates simultaneously in both distributed
and aggregated modes. Distributed CoPP is achieved by applying protocol rate-limiting on each port pipe on a line card. Aggregated CoPP
is achieved by applying protocol rate-limiting followed by queue rate-limiting on the centralized control plane switch.
To congure a CoPP service policy, you create extended ACL rules and specify rate limits in QoS policies. QoS rate limits are applied to a
protocol-based ACL lter or to a CPU queue.
User-congured ACLs that lter protocol trac ows to the control plane are automatically applied or disabled as the corresponding
protocol is enabled or disabled in the system. In this way, control packets from disabled protocols never reach the control plane.
Protocol-based Control Plane Policing
To congure a protocol-based CoPP policy, you create an extended ACL rule for the protocol and specify the rate limit in a QoS policy. It is
not necessary to specify the CPU queue because the protocol to queue mapping is handled internally by the system. To display the
protocol-queue mapping for protocols that you can congure for protocol-based CoPP, enter the
show {mac | ip | ipv6} protocol-queue-
mapping command.
Queue-based Control Plane Policing
When conguring a queue-based CoPP policy, take into account that there are twenty-one CP queues divided into groups of 7 queues for
the Route Processor, Control Processor, and line-card CPUs:
Queues 0 to 6 process packets destined to the Control Processor CPU.
Queues 7 to 13 process packets destined to the Route Processor CPU.
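The following is an added illustration, not text or configuration from this guide, and it is not the switch's CLI: a small Python model of the two-stage policing the guide describes (a per-protocol rate limit applied first, then a per-CPU-queue rate limit in the aggregated stage), with the guide's other points folded in: transit traffic bypasses CoPP, and packets from a disabled protocol never reach the control-plane CPU. The protocol-to-queue mapping, the rate limits, and the traffic mix are constructed for the demo; on the switch the real mapping comes from show {mac | ip | ipv6} protocol-queue-mapping.

```python
"""Toy model of two-stage control-plane policing: a per-protocol rate limit
followed by a per-CPU-queue rate limit.  Constructed illustration only; it is
not the switch's configuration syntax, and PROTOCOL_QUEUE below is a made-up
mapping (the real one is shown by `show {mac | ip | ipv6} protocol-queue-mapping`).
"""
from collections import Counter
from dataclasses import dataclass

SCALE = 1_000_000  # tokens per packet; lets the bucket use exact integer arithmetic

# Hypothetical protocol -> control-plane queue mapping used by this model only.
PROTOCOL_QUEUE = {"arp": 0, "lldp": 1, "ospf": 8, "bgp": 8}


class TokenBucket:
    """Single-rate policer: `rate_pps` packets/s sustained, up to `burst_pkts` at once."""

    def __init__(self, rate_pps: int, burst_pkts: int):
        self.rate = rate_pps
        self.capacity = burst_pkts * SCALE
        self.tokens = self.capacity
        self.last_us = 0

    def allow(self, now_us: int) -> bool:
        # Refill for the elapsed microseconds (rate_pps tokens per us at this scale), cap at burst.
        self.tokens = min(self.capacity, self.tokens + (now_us - self.last_us) * self.rate)
        self.last_us = now_us
        if self.tokens >= SCALE:
            self.tokens -= SCALE
            return True
        return False


@dataclass(frozen=True)
class Packet:
    t_us: int
    protocol: str
    to_cpu: bool = True  # transit traffic is forwarded in hardware and is not CoPP's concern


class ControlPlanePolicer:
    def __init__(self, enabled_protocols, protocol_limits, queue_limits):
        self.enabled = set(enabled_protocols)
        self.proto_buckets = {p: TokenBucket(*lim) for p, lim in protocol_limits.items()}
        self.queue_buckets = {q: TokenBucket(*lim) for q, lim in queue_limits.items()}
        self.stats = Counter()

    def handle(self, pkt: Packet) -> str:
        if not pkt.to_cpu:
            verdict = "transit"            # not destined to a CPU: CoPP never sees it
        elif pkt.protocol not in self.enabled:
            verdict = "dropped_disabled"   # protocol ACL is off, so its packets never reach the CPU
        elif (b := self.proto_buckets.get(pkt.protocol)) and not b.allow(pkt.t_us):
            verdict = "dropped_protocol"   # stage 1: per-protocol policer
        elif (q := self.queue_buckets.get(PROTOCOL_QUEUE.get(pkt.protocol))) and not q.allow(pkt.t_us):
            verdict = "dropped_queue"      # stage 2: policer on the CPU queue shared by several protocols
        else:
            verdict = "delivered"
        self.stats[verdict] += 1
        self.stats[(pkt.protocol, verdict)] += 1
        return verdict


def run_demo() -> Counter:
    """Police a constructed traffic mix and return the verdict counters."""
    policer = ControlPlanePolicer(
        enabled_protocols={"arp", "ospf", "bgp"},      # LLDP deliberately left disabled
        protocol_limits={"arp": (100, 5), "ospf": (100, 10), "bgp": (100, 10)},
        queue_limits={0: (50, 20), 8: (100, 3)},
    )
    traffic = (
        [Packet(i * 1_000, "arp") for i in range(50)]                   # ARP flood: 1000 pps for 50 ms
        + [Packet(i * 10_000, "ospf") for i in range(5)]                # OSPF hellos every 10 ms
        + [Packet(t, "bgp") for t in (0, 5_000, 15_000)]                # a few BGP keepalives
        + [Packet(t, "lldp") for t in (2_000, 32_000)]                  # LLDP while the protocol is disabled
        + [Packet(t, "ip-data", to_cpu=False) for t in (3_000, 4_000)]  # transit data traffic
    )
    for pkt in sorted(traffic, key=lambda p: p.t_us):  # stable sort keeps build order within a timestamp
        policer.handle(pkt)
    return policer.stats


if __name__ == "__main__":
    for key, count in sorted(run_demo().items(), key=str):
        print(key, count)
```

In this run the ARP flood is cut from 50 packets to 9 by its own protocol limit before it can touch queue 0, OSPF passes its protocol limit untouched, and one BGP keepalive is still dropped because it shares queue 8 with OSPF and the queue-level bucket is the tighter one; that second drop is what the aggregated stage adds over distributed, per-protocol policing alone.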
Control Plane Policing (CoPP) 249