General Guidelines For Control Plane Policing - Cisco Catalyst 4500 series Administration Manual

Chapter 51 Configuring Control Plane Policing and Layer 2 Control Packet QoS
Predefined Named ACL
system-cpp-cgmp
system-cpp-hsrpv2
system-cpp-ospf
system-cpp-igmp
system-cpp-pim
system-cpp-all-systems-on-subnet
system-cpp-all-routers-on-subnet
system-cpp-ripv2
system-cpp-ip-mcast-linklocal
system-cpp-dhcp-cs
system-cpp-dhcp-sc
system-cpp-dhcp-ss
For the data and management plane traffic, you can define your own ACLs to match the traffic class that
you want to police.
CoPP uses MQC to define traffic classification criteria and to specify the configurable policy actions for
the classified traffic. MQC uses class maps to define packets for a particular traffic class. After you have
classified the traffic, you can create policy maps to enforce policy actions for the identified traffic. The
control-plane global configuration command allows you to directly attach a CoPP service policy to the
control plane.
The policy map system-cpp-policy must contain the predefined class maps in the predefined order at the
beginning of the policy map. The best way to create system-cpp-policy policy map is by using the global
macro system-cpp.
The system-cpp-policy policy map contains the predefined class maps for the control plane traffic. The
names of all system-defined CoPP class maps and their matching ACLs contain the prefix system-cpp-.
By default, no action is specified for each traffic class. You can define your own class maps matching
CPU-bound data plane and management plane traffic. You can also add your defined class maps to
system-cpp-policy.

General Guidelines for Control Plane Policing

Guidelines for control plane policing include the following:
•
OL_28731-01
Port security might cancel the effect of CoPP for non-IP control packets.
Although source MAC learning on a Catalyst 4500 series switch is performed in software, learning
control packets' source MAC addresses (for example, IEEE BPDU, CDP, SSTP BPDU, GARP/) is
not allowed. Once you configure port security on a port where you expect a high rate of potentially
unanticipated control packets, the system generates a copy of the packet to the CPU (until the source
address is learned), instead of forward it.
The current architecture of the Catalyst 4500 supervisor engine does not allow you to apply policing
on the copy of packets sent to the CPU. You can only apply policing on packets that are forwarded
to the CPU. Copies of packets are sent to the CPU at the same rate as control packets, and port
security is not triggered because learning from control packets is not allowed. Policing is not applied
because the packet copy, not the original, is sent to the CPU.
Description
MAC DA = 01.00.0C.DD.DD.DD
IP Protocol = UDP, IPDA = 224.0.0.102
IP Protocol = OSPF, IP DA matches 224.0.0.0/24
IP Protocol = IGMP, IP DA matches 224.0.0.0/3
IP Protocol = PIM, IP DA matches 224.0.0.0/24
IP DA = 224.0.0.1
IP DA = 224.0.0.2
IP DA = 224.0.0.9
IP DA = 224.0.0.0/24
IP Protocol = UDP, L4SrcPort = 68, L4DstPort = 67
IP Protocol = UDP, L4SrcPort = 67, L4DstPort = 68
IP Protocol = UDP, L4SrcPort = 67, L4DstPort = 67
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
Configuring Control Plane Policing
51-3