Cisco Nexus 3600 NX-OS Security Configuration Manual page 140

Guidelines and Limitations for CoPP
• You can use the access control entry (ACE) hit counters in the hardware only for ACL logic. Use the
software ACE hit counters and the show access-lists and show policy-map type control-plane commands
to evaluate CPU traffic.
• The Cisco NX-OS device hardware performs CoPP on a per-forwarding-engine basis. CoPP does not
support distributed policing. Therefore, you should choose rates so that the aggregate traffic does not
overwhelm the supervisor module.
• If multiple flows map to the same class, individual flow statistics will not be available.
• If you upgrade from a Cisco NX-OS release that supports the CoPP feature to a Cisco NX-OS release
that supports the CoPP feature with additional classes for new protocols, you must either run the setup
utility using the setup command or use the copp profile command for the new CoPP classes to be
available.
• Before you downgrade from a Cisco NX-OS release that supports the CoPP feature to an earlier Cisco
NX-OS release that supports the CoPP feature, you should verify compatibility using the show
incompatibility nxos bootflash:filename command. If an incompatibility exists, disable any features
that are incompatible with the downgrade image before downgrading the software.
• You cannot disable CoPP. If you attempt to disable it, packets are rate limited at 50 packets per second
[for releases prior to Cisco NX-OS Release 7.0(3)I2(1)], or an error message appears [starting with Cisco
NX-OS Release 7.0(3)I2(1)].
• Cisco Nexus 9200 Series switches support CoPP policer rates only in multiples of 10 kbps. If a rate is
configured that is not a multiple of 10 kbps, the rate is rounded down. For example, the switch will use
50 kbps if a rate of 55 kbps is configured. (The show policy-map type control-plane command shows
the user configured rate. See Verifying the CoPP Configuration, on page 135 for more information.)
• For Cisco Nexus 9200 Series switches, ip icmp redirect, ipv6 icmp redirect, ip icmp unreachable, ipv6
icmp unreachable, and mtu-failure use the same TCAM entry, and they will all be classified to the class
map where the first exception is present in the policy. In the CoPP strict profile, they are classified to
the class-exception class map. In a different CoPP policy, if the first exception is in a different class map
(for example, class-exception-diag), the rest of the exceptions will be classified to the same class map.
• The copp-system-class-fcoe class is not supported for Cisco Nexus 9200 Series switches.
• The following guidelines and limitations apply to static CoPP ACLs:
◦ Only Cisco Nexus 9200 Series switches use static CoPP ACLs.
◦ Static CoPP ACLs can be remapped to a different CoPP class.
◦ Access control entries (ACEs) cannot be modified or removed for static CoPP ACLs.
◦ If a CoPP ACL has a static ACL substring, it will be mapped to that type of traffic. For example,
if the ACL includes the acl-mac-stp substring, STP traffic will be classified to the class map for
that ACL.
◦ Static CoPP ACLs take priority over dynamic CoPP ACLs, regardless of their position in the CoPP
policy, the order in which they are configured, and how they appear in the output of the show
policy-map type control-plane command.
◦ You must have static CoPP ACLs in the CoPP policy. Otherwise, the CoPP policy will be rejected.
Configuring Control Plane Policing
Cisco Nexus 3600 NX-OS Security Configuration Guide, Release 7.x
126
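As an added example (not code from the manual or from Cisco), the following Python audit applies three of the guidelines above to a constructed NX-OS CoPP running-config fragment: the 10 kbps round-down of Nexus 9200 policer rates, the aggregate rate across forwarding engines checked against an assumed supervisor budget, and the presence of a static CoPP ACL (the acl-mac-stp substring). The config fragment, class names, ACL names, budget figure and forwarding-engine count are all constructed for illustration.

```python
import re

# Constructed sample of an NX-OS CoPP running-config fragment (not from the manual).
SAMPLE_CONFIG = """\
class-map type control-plane match-any copp-class-critical
  match access-group name copp-acl-bgp
class-map type control-plane match-any copp-class-l2
  match access-group name copp-acl-mac-stp
class-map type control-plane match-any copp-class-l2-default
  match access-group name copp-acl-mac-undesirable
policy-map type control-plane copp-policy
  class copp-class-critical
    police cir 36000 kbps bc 1280000 bytes conform transmit violate drop
  class copp-class-l2
    police cir 2500 kbps bc 250 ms conform transmit violate drop
  class copp-class-l2-default
    police cir 55 kbps bc 250 ms conform transmit violate drop
"""

RATE_GRANULARITY_KBPS = 10                # Nexus 9200 policer granularity per the manual
STATIC_ACL_SUBSTRINGS = ("acl-mac-stp",)  # static CoPP ACL substring named in the manual

def effective_rate_kbps(configured: int) -> int:
    # Rate the hardware actually applies: rounded down to a multiple of 10 kbps.
    return configured - configured % RATE_GRANULARITY_KBPS

def audit_copp(config: str, supervisor_budget_kbps: int, forwarding_engines: int = 1) -> dict:
    """Parse class-maps and policer CIRs, then report guideline violations."""
    acls, rates, current, in_policy = {}, {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"class-map type control-plane match-any (\S+)", line):
            current, in_policy = m.group(1), False
        elif m := re.match(r"match access-group name (\S+)", line):
            acls.setdefault(current, []).append(m.group(1))
        elif line.startswith("policy-map type control-plane"):
            current, in_policy = None, True
        elif in_policy and (m := re.match(r"class (\S+)", line)):
            current = m.group(1)
        elif in_policy and (m := re.match(r"police cir (\d+) kbps", line)):
            rates[current] = int(m.group(1))
    effective = {cls: effective_rate_kbps(r) for cls, r in rates.items()}
    findings = [f"{c}: configured {r} kbps, hardware uses {effective[c]} kbps"
                for c, r in rates.items() if effective[c] != r]
    # CoPP is policed per forwarding engine, so the supervisor sees the sum across engines.
    aggregate = sum(effective.values()) * forwarding_engines
    if aggregate > supervisor_budget_kbps:
        findings.append(f"aggregate {aggregate} kbps exceeds supervisor budget {supervisor_budget_kbps} kbps")
    if not any(s in a for lst in acls.values() for a in lst for s in STATIC_ACL_SUBSTRINGS):
        findings.append("no static CoPP ACL referenced: policy would be rejected on Nexus 9200")
    return {"effective_rates": effective, "aggregate_kbps": aggregate, "findings": findings}
```

Run `audit_copp(SAMPLE_CONFIG, 40000)` to see the 55 kbps class reported as policed at 50 kbps; raise `forwarding_engines` or lower the budget to see the aggregate warning.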
