Configuring Control Plane Policing - Cisco Catalyst 4500 series Administration Manual

Configuring Control Plane Policing

Chapter 51
Configuring Control Plane Policing and Layer 2 Control Packet QoS
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01

This section includes these topics:
About Control Plane Policing
General Guidelines for Control Plane Policing
Default Configuration
Configuring CoPP for Control Plane Traffic
Configuring CoPP for Data Plane and Management Plane Traffic
Control Plane Policing Configuration Guidelines and Restrictions
Policing IPv6 Control Traffic

About Control Plane Policing

Note: Catalyst 4500 switches support hardware CoPP for all IPv6 First Hop Security features (DHCPv6 Inspection/Guard, DHCPv6 remote-ID option for Layer 2, IPv6 full RA Guard, ...). However, because the VFE cannot match ICMPv6 packets for policing in the outward direction, hardware CoPP does not work on Supervisor 6-E, Supervisor 6L-E, Catalyst 4900M, and Catalyst 4948-E.

The control plane policing (CoPP) feature increases security on the Catalyst 4500 series switch by protecting the CPU from unnecessary or DoS traffic and giving priority to important control plane and management traffic. The classification TCAM and QoS policers provide CoPP hardware support.

Traffic managed by the CPU is divided into three functional components or planes:
Data plane
Management plane
Control plane

You can use CoPP to protect most of the CPU-bound traffic and to ensure routing stability, reachability, and packet delivery. Most importantly, you can use CoPP to protect the CPU from a DoS attack.

By default, you receive a list of predefined ACLs matching a selected set of Layer 2 and Layer 3 control plane packets. You can further define your preferred policing parameters for each of these packets and modify the matching criteria of these ACLs.

The following table lists the predefined ACLs.

Predefined Named ACL      Description
system-cpp-dot1x          MAC DA = 0180.C200.0003
system-cpp-lldp           MAC DA = 0180.C200.000E
system-cpp-mcast-cfm      MAC DA = 0100.0CCC.CCC0 - 0100.0CCC.CCC7
system-cpp-ucast-cfm      MAC DA = 0100.0CCC.CCC0
system-cpp-bpdu-range     MAC DA = 0180.C200.0000 - 0180.C200.000F
system-cpp-cdp            MAC DA = 0100.0CCC.CCCC (UDLD/DTP/VTP/PAgP)
system-cpp-sstp           MAC DA = 0100.0CCC.CCCD
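
As an added illustration (not code from the Cisco guide), the following Python sketch checks destination MACs against the predefined ACL table above and flags frames that fall under more than one ACL, since several of the listed values and ranges overlap (for example, 0180.C200.000E lies inside the 0180.C200.0000 - 0180.C200.000F range). The function names and sample frames are constructed for this example; it reports every matching ACL and makes no claim about which class the switch applies.

```python
from collections import Counter

# (ACL name, first MAC DA, last MAC DA), copied from the table on this page.
PREDEFINED_ACLS = [
    ("system-cpp-dot1x",      "0180.C200.0003", "0180.C200.0003"),
    ("system-cpp-lldp",       "0180.C200.000E", "0180.C200.000E"),
    ("system-cpp-mcast-cfm",  "0100.0CCC.CCC0", "0100.0CCC.CCC7"),
    ("system-cpp-ucast-cfm",  "0100.0CCC.CCC0", "0100.0CCC.CCC0"),
    ("system-cpp-bpdu-range", "0180.C200.0000", "0180.C200.000F"),
    ("system-cpp-cdp",        "0100.0CCC.CCCC", "0100.0CCC.CCCC"),
    ("system-cpp-sstp",       "0100.0CCC.CCCD", "0100.0CCC.CCCD"),
]

def mac_to_int(mac):
    """Accept Cisco dotted (0180.c200.000e), colon, dash or bare hex notation."""
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)

def matching_acls(dest_mac):
    """Return every predefined ACL whose MAC DA value or range covers dest_mac."""
    value = mac_to_int(dest_mac)
    return [name for name, lo, hi in PREDEFINED_ACLS
            if mac_to_int(lo) <= value <= mac_to_int(hi)]

def frame_dest_mac(frame):
    """The destination MAC is the first 6 bytes of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return frame[:6].hex()

def summarize(frames):
    """Count frames per ACL and collect destinations covered by several ACLs."""
    per_acl, overlaps = Counter(), {}
    for frame in frames:
        dst = frame_dest_mac(frame)
        names = matching_acls(dst)
        per_acl.update(names or ["(no predefined ACL)"])
        if len(names) > 1:
            overlaps[dst] = names
    return per_acl, overlaps

# Constructed sample headers: destination MAC + zeroed source MAC + EtherType.
SAMPLE_FRAMES = [bytes.fromhex(d + "000000000000" + "0000") for d in
                 ("0180c200000e", "01000ccccccc", "01000ccccccc",
                  "0180c2000000", "ffffffffffff")]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```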
