Setup Guide
Control Plane Policing (CoPP)
Control plane policing (CoPP) protects the switch's routing, control, and line-card processors from undesired or malicious traffic and Denial
of Service (DoS) attacks by filtering control-plane flows.
CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting
capabilities for control-plane packets. CoPP is applied only to control-plane packets destined to the CPUs on the switch, not to transit
protocol-control packets or data traffic passing through the switch. CoPP prevents undesired or malicious traffic from reaching the
control-plane CPUs and rate-limits legitimate control-plane traffic to acceptable levels.
Topics:
• CoPP Implementation
• CoPP Example
• Configure Control Plane Policing
• Troubleshooting CoPP Operation
CoPP Implementation
The system’s control plane consists of multi-core CPUs with internal queues for handling packets destined to the Route Processor, Control
Processor, and line-card CPUs.
On the system, CoPP is implemented as a distributed architecture. In this architecture, CoPP operates simultaneously in both distributed
and aggregated modes. Distributed CoPP is achieved by applying protocol rate-limiting on each port pipe on a line card. Aggregated CoPP
is achieved by applying protocol rate-limiting followed by queue rate-limiting on the centralized control plane switch.
To configure a CoPP service policy, you create extended ACL rules and specify rate limits in QoS policies. QoS rate limits are applied to a
protocol-based ACL filter or to a CPU queue.
User-configured ACLs that filter protocol traffic flows to the control plane are automatically applied or disabled as the corresponding
protocol is enabled or disabled in the system. In this way, control packets from disabled protocols never reach the control plane.
Protocol-based Control Plane Policing
To configure a protocol-based CoPP policy, you create an extended ACL rule for the protocol and specify the rate limit in a QoS policy. It is
not necessary to specify the CPU queue because the protocol-to-queue mapping is handled internally by the system. To display the
protocol-queue mapping for protocols that you can configure for protocol-based CoPP, enter the
show {mac | ip | ipv6} protocol-queue-mapping command.
Queue-based Control Plane Policing
When configuring a queue-based CoPP policy, take into account that there are twenty-one CP queues divided into groups of 7 queues for
the Route Processor, Control Processor, and line-card CPUs:
• Queues 0 to 6 process packets destined to the Control Processor CPU.
• Queues 7 to 13 process packets destined to the Route Processor CPU.
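The two-stage architecture described above (protocol-based rate limiting on the port pipe, then queue-based rate limiting on the control-plane switch, with ACLs for disabled protocols dropping their packets) can be modelled in a few lines. This is an added Python illustration, not the switch's own CLI or code; the protocol-to-queue mapping, protocol names and limits are constructed for the example and are not the values the system reports.

```python
from collections import Counter

# Constructed protocol -> CPU queue mapping (the real mapping is shown by
# `show {mac | ip | ipv6} protocol-queue-mapping`). Queues 0-6 are the
# Control Processor, 7-13 the Route Processor, as described on this page.
PROTOCOL_QUEUE = {"arp": 2, "ospf": 9, "bgp": 10}


class CoppPolicer:
    """Per-interval model of CoPP: protocol ACL rate limit, then CPU queue rate limit."""

    def __init__(self, protocol_limits, queue_limits, enabled_protocols):
        self.protocol_limits = protocol_limits  # packets per interval, per protocol ACL
        self.queue_limits = queue_limits        # packets per interval, per CPU queue
        self.enabled = set(enabled_protocols)   # ACLs for disabled protocols are not applied
        self.proto_count = Counter()            # packets admitted by stage 1 this interval
        self.queue_count = Counter()            # packets delivered to each queue this interval
        self.drops = Counter()                  # drop reason -> count

    def admit(self, protocol):
        """Return the CPU queue a control-plane packet is delivered to, or None if policed."""
        if protocol not in self.enabled:
            # Control packets from disabled protocols never reach the control plane.
            self.drops["disabled:" + protocol] += 1
            return None
        # Stage 1: distributed CoPP, protocol-based rate limit on the port pipe.
        if self.proto_count[protocol] >= self.protocol_limits.get(protocol, 0):
            self.drops["protocol:" + protocol] += 1
            return None
        self.proto_count[protocol] += 1
        # Stage 2: aggregated CoPP, queue rate limit on the centralized control-plane switch.
        queue = PROTOCOL_QUEUE[protocol]
        if self.queue_count[queue] >= self.queue_limits.get(queue, float("inf")):
            self.drops[f"queue:{queue}"] += 1
            return None
        self.queue_count[queue] += 1
        return queue


def run_demo():
    """Police a constructed one-interval burst: 8 ARP, 4 OSPF, 2 BGP packets."""
    policer = CoppPolicer(
        protocol_limits={"arp": 5, "ospf": 3, "bgp": 3},
        queue_limits={2: 4, 9: 10, 10: 10},
        enabled_protocols={"arp", "ospf"},  # BGP is disabled, so its ACL is not applied
    )
    for proto in ["arp"] * 8 + ["ospf"] * 4 + ["bgp"] * 2:
        policer.admit(proto)
    return dict(policer.drops), dict(policer.queue_count)
```

Running `run_demo()` shows ARP being trimmed first by its protocol limit and then by the queue 2 limit, OSPF trimmed only by its protocol limit, and every BGP packet dropped because the protocol is disabled.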