Licensing Requirements for CoPP; Guidelines and Limitations for CoPP - Cisco Nexus 3600 NX-OS Security Configuration Manual

Configuring Control Plane Policing

Licensing Requirements for CoPP

The following table shows the licensing requirements for this feature:
Product | License Requirement
Cisco NX-OS | CoPP requires no license. Any feature not included in a license package is bundled with the nx-os image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Guidelines and Limitations for CoPP

CoPP has the following configuration guidelines and limitations:
• We recommend that you use the strict default CoPP policy initially and then later modify the CoPP policies based on the data center and application requirements.
• Customizing CoPP is an ongoing process. CoPP must be configured according to the protocols and features used in your specific environment as well as the supervisor features that are required by the server environment. As these protocols and features change, CoPP must be modified.
• We recommend that you continuously monitor CoPP. If drops occur, determine if CoPP dropped traffic unintentionally or in response to a malfunction or attack. In either event, analyze the situation and evaluate the need to modify the CoPP policies.
• All the traffic that you do not specify in the other class maps is put into the last class, the default class. Monitor the drops in this class and investigate if these drops are based on traffic that you do not want or the result of a feature that was not configured and you need to add.
• All broadcast traffic is sent through CoPP logic in order to determine which packets (for example, ARP and DHCP) need to be redirected through an access control list (ACL) to the router processor. Broadcast traffic that does not need to be redirected is matched against the CoPP logic, and both conforming and violated packets are counted in the hardware but not sent to the CPU. Broadcast traffic that needs to be sent to the CPU and broadcast traffic that does not need to be sent to the CPU must be separated into different classes.
• After you have configured CoPP, delete anything that is not being used, such as old class maps and unused routing protocols.
• You must ensure that the CoPP policy does not filter critical traffic such as routing protocols or interactive access to the device. Filtering this traffic could prevent remote access to the Cisco NX-OS device and require a console connection.
• The Cisco NX-OS software does not support egress CoPP or silent mode. CoPP is supported only on ingress (you cannot use the service-policy output copp command to the control plane interface).
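
The monitoring guidelines above (watch for drops, and treat drops in the default class or in classes carrying routing or interactive access traffic as needing investigation) can be automated by comparing two counter snapshots. The Python below is an added example, not Cisco code; the snapshot text is constructed, and the class names, the DropPackets label and the critical-class tags are assumptions to adapt to what show policy-map interface control-plane prints on your platform and release.

```python
import re

# Constructed snapshots modelled on the general layout of
# `show policy-map interface control-plane`. Class names and the counter
# label are assumptions; adapt the regexes to your platform and release.
T0 = """\
    class-map copp-s-bgp (match-any)
        DropPackets   0
    class-map copp-s-arp (match-any)
        DropPackets   120
    class-map copp-s-default (match-any)
        DropPackets   40
"""
T1 = """\
    class-map copp-s-bgp (match-any)
        DropPackets   7
    class-map copp-s-arp (match-any)
        DropPackets   120
    class-map copp-s-default (match-any)
        DropPackets   95
"""
CLASS_RE = re.compile(r"^\s*class-map\s+(\S+)")
DROP_RE = re.compile(r"^\s*DropPackets\s+(\d+)")

def parse_drops(text):
    """Return {class_name: dropped packets} for one snapshot."""
    drops, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = m.group(1)
            drops.setdefault(current, 0)
        elif (m := DROP_RE.match(line)) and current:
            drops[current] += int(m.group(1))  # sum if reported per module
    return drops

def new_drops(before, after, critical=("bgp", "ospf", "ssh")):
    """List (class, delta, kind) for classes whose drop counter grew."""
    findings = []
    for name, count in sorted(after.items()):
        prev = before.get(name, 0)
        delta = count - prev if count >= prev else count  # counters were reset
        if delta:
            kind = ("default" if name.endswith("default")
                    else "critical" if any(t in name for t in critical) else "other")
            findings.append((name, delta, kind))
    return findings
```

A "default" finding points at unwanted traffic or a feature missing from the policy; a "critical" finding means the policy is policing traffic the guidelines say must not be filtered.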
Cisco Nexus 3600 NX-OS Security Configuration Guide, Release 7.x
