Connectivity Guide
Control-plane policing
Control-plane policing (CoPP) increases security on the system by protecting the route processor from unnecessary trac and giving
priority to important control plane and management trac. CoPP uses a dedicated control plane conguration through the QoS CLIs to set
rate-limiting capabilities for control plane packets.
If the rate of control packets towards the CPU is higher than the packet rate that the CPU can handle, CoPP provides a method to
selectively drop some of the control trac so that the CPU can process high-priority control trac. You can use CoPP to rate-limit trac
through each CPU port queue of the network processor (NPU).
CoPP applies policy actions on all control-plane trac. The control-plane class map does not use any match criteria. To enforce rate-limiting
or rate policing on control-plane trac, create policy maps. You can use the control-plane command to attach the CoPP service
policies directly to the control-plane.
Starting from release 10.4.2, the default rate limits change from 12 to 21 CPU queues and the protocols mapped to each CPU queue.
NOTE: When you upgrade from a previous release to release 10.4.2 and you have CoPP policy with rate limits congured in the
previous release, the CoPP policies are automatically remapped based on the new CoPP protocol mappings to queues. For
example:
• You have a CoPP policy congured for queue 5 in release 10.4.1, which is for ARP Request, ICMPv6-RS-NS, iSCSI snooping, and
iSCSI-COS.
• After upgrade to release 10.4.2, the CoPP policy for queue 5 is remapped based on the new CoPP protocol mappings to queues as
follows:
– ARP Request is mapped to queue 6
– ICMPv6-RS-NS is mapped to queue 5
– iSCSI is mapped to queue 0
The rate limit conguration in CoPP policy before upgrade is automatically remapped to queues 6, 5, and 0 respectively after
upgrade.
For example, in release 10.4.1, the following policy conguration is applied on queue 5, which in 10.4.1 is mapped to ARP_REQ,
ICMPV6_RS, ICMPV6_NS, and ISCSI protocols:
policy-map type control-plane test
!
class test
set qos-group 5
police cir 300 pir 300
After upgrade to release 10.4.2, the policy conguration appears as follows:
policy-map type control-plane test
!
class test_Remapped_0
set qos-group 0
police cir 300 pir 300
!
class test_Remapped_5
set qos-group 5
police cir 300 pir 300
!
class test_Remapped_6
set qos-group 6
police cir 300 pir 300
In release 10.4.2, ARP_REQ is mapped to queue 6, ICMPV6_RS and ICMPV6_NS are mapped to queue 5, and ISCSI is mapped to
queue 0.
968
Quality of service