General Guidelines For Control Plane Policing - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex

Configuring Control Plane Policing

General Guidelines for Control Plane Policing

Guidelines for control plane policing include the following:

• Default configuration: CoPP is disabled by default.
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
57-4
• If a given traffic class does not have a designated class map, and you want to protect this traffic, we recommend that you:
  - Create specific class maps for such unknown traffic packets and add the user-defined class maps to system-cpp-policy.
  - Or, rate-limit such traffic to prevent CPU hogging.
  For instance, in a VSS setup, if you have defined class map cpp-vsl-mgmt for VSL management traffic (exclusively Layer 2 packets), do not use the cpp-vsl-mgmt class map to protect supervisor keep-alive traffic (IP packets) or BFD packets. Doing so can cause VSL link failures. Instead, create separate class maps, such as cpp-ip for supervisor keep-alive traffic and cpp-bfd for BFD packets. VSL link failures may also ensue if you enter class-default as the class name for traffic that does not have a designated class map.
• Port security might cancel the effect of CoPP for non-IP control packets.
  Although source MAC learning on a Catalyst 4500 series switch is performed in software, learning control packets' source MAC addresses (for example, IEEE BPDU, CDP, SSTP BPDU, GARP/) is not allowed. After you configure port security on a port where you expect a high rate of potentially unanticipated control packets, the system generates a copy of each packet to the CPU (until the source address is learned) instead of forwarding it.
  The current architecture of the Catalyst 4500 supervisor engine does not allow you to apply policing to the copy of a packet sent to the CPU; you can apply policing only to packets that are forwarded to the CPU. Copies of packets are sent to the CPU at the same rate as the control packets themselves, and port security is not triggered because learning from control packets is not allowed. Policing is not applied because the packet copy, not the original, is sent to the CPU.
• ARP policing is not supported on the classic series supervisor engines (that is, supervisor engines prior to Supervisor Engine 7-E) or on fixed configuration switches. It is supported on the Catalyst 4900M and 4948E switches, Supervisor Engine 6-E, and Supervisor Engine 6L-E (use "match protocol arp" to classify).
• Only ingress CoPP is supported; control-plane related CLIs support only the input keyword.
• Use ACLs and class maps to identify data plane and management plane traffic that is handled by the CPU.
• "police" is the only action supported in a CoPP policy map.
• Avoid using the log keyword in the CoPP policy ACLs.
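The guidelines above (user-defined class maps added to system-cpp-policy rather than class-default, "police" as the only action, the input keyword only, and no log keyword in CoPP ACLs) can be checked mechanically before a configuration is pushed to a switch. The following Python script is an added example and is not part of the Cisco manual or of any Cisco tool: it embeds two constructed configuration snippets (one compliant, one that breaks four of the guidelines) and lints them. The IOS command syntax in the snippets is an assumption made for illustration; the policy and class names other than system-cpp-policy and cpp-arp are placeholders.

```python
"""Lint a Catalyst 4500 CoPP configuration against the guidelines listed above.

Added example, not Cisco's code. The embedded configurations are constructed
samples with assumed IOS syntax; only the guideline checks are the point.
"""

# Constructed sample that follows the guidelines (assumed IOS syntax).
GOOD_CONFIG = """\
ip access-list extended cpp-mgmt-acl
 permit tcp any any eq 22
 permit udp any any eq 161
!
class-map match-all cpp-mgmt
 match access-group name cpp-mgmt-acl
class-map match-all cpp-arp
 match protocol arp
!
policy-map system-cpp-policy
 class cpp-mgmt
  police 32000 bps 1500 byte conform-action transmit exceed-action drop
 class cpp-arp
  police 32000 bps 1500 byte conform-action transmit exceed-action drop
!
control-plane
 service-policy input system-cpp-policy
"""

# Constructed sample that violates four guidelines: log keyword in the ACL,
# a non-police action, class-default inside system-cpp-policy, and output direction.
BAD_CONFIG = """\
ip access-list extended cpp-mgmt-acl
 permit tcp any any eq 22 log
!
class-map match-all cpp-mgmt
 match access-group name cpp-mgmt-acl
!
policy-map system-cpp-policy
 class cpp-mgmt
  set dscp cs6
 class class-default
  police 32000 bps 1500 byte conform-action transmit exceed-action drop
!
control-plane
 service-policy output system-cpp-policy
"""


def lint_copp(config_text):
    """Return a list of guideline findings for an IOS-style CoPP configuration.

    The parser relies on the IOS convention that top-level commands start in
    column 0 and sub-mode commands are indented by one or more spaces.
    """
    findings = []
    section = None        # ("acl", name) | ("pmap", name) | ("control-plane", None)
    current_class = None  # class currently open inside the policy map

    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        indented = line[0] == " "

        if not indented:
            # A new top-level command closes any open class and selects the section.
            current_class = None
            if words[:2] == ["ip", "access-list"]:
                section = ("acl", words[-1])
            elif words[0] == "policy-map":
                section = ("pmap", words[1])
            elif words[0] == "control-plane":
                section = ("control-plane", None)
            else:
                section = None
            continue

        kind, name = section if section else (None, None)

        if kind == "acl" and any(w.startswith("log") for w in words):
            findings.append(f"ACL {name}: avoid the log keyword in CoPP ACLs: {line.strip()}")
        elif kind == "pmap" and name == "system-cpp-policy":
            if words[0] == "class":
                current_class = words[1]
                if current_class == "class-default":
                    findings.append(
                        f"policy-map {name}: class-default used; define a specific class map instead")
            elif current_class and words[0] != "police":
                findings.append(
                    f"policy-map {name} class {current_class}: only 'police' is supported, found '{words[0]}'")
        elif kind == "control-plane" and words[0] == "service-policy":
            if words[1] != "input":
                findings.append(
                    f"control-plane: only the input keyword is supported, found '{words[1]}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("compliant", GOOD_CONFIG), ("non-compliant", BAD_CONFIG)):
        print(f"{label}: {len(lint_copp(cfg))} finding(s)")
        for finding in lint_copp(cfg):
            print("  -", finding)
```

The checker deliberately ignores class maps themselves; the guidelines constrain what goes into system-cpp-policy and the control-plane service policy, so those are the sections it tracks. Extend the ACL check if your templates use numbered ACLs (access-list NNN ...) rather than named ones.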
Chapter 57: Configuring Control Plane Policing and Layer 2 Control Packet QoS