Configuring CoPP - Cisco 7604 Configuration Manual

IOS Software Configuration Guide

Chapter 36
Configuring Denial of Service Protection

Configuring CoPP

CoPP uses MQC to define traffic classification criteria and to specify the configurable policy actions for
the classified traffic. You must first identify the traffic to be classified by defining a class map. The class
map defines packets for a particular traffic class. After you have classified the traffic, you can create
policy maps to enforce policy actions for the identified traffic. The control-plane global configuration
command allows the CoPP service policies to be directly attached to the control plane.
For information on how to define the traffic classification criteria, refer to the
"Defining Traffic Classification" section on page 36-32.
- With PFC3A, egress QoS and CoPP cannot be configured at the same time. In this situation, CoPP
  is performed in the software. A warning message is displayed to inform you that egress QoS and
  CoPP cannot be configured at the same time.
- If you have a large QoS configuration, the system may run out of TCAM space. If this is the case,
  CoPP may be performed in software.
- When there is a large QoS configuration for other interfaces, you can run out of TCAM space. When
  this situation occurs, CoPP may be performed entirely in software and result in performance
  degradation and CPU cycle consumption.
- You must ensure that the CoPP policy does not filter critical traffic such as routing protocols or
  interactive access to the routers. Filtering this traffic could prevent remote access to the router,
  requiring a console connection.
- PFC3 supports built-in special-case rate limiters, which are useful for situations where an ACL
  cannot be used (for example, TTL, MTU, and IP options). When you enable the special-case rate
  limiters, you should be aware that the special-case rate limiters will override the CoPP policy for
  packets matching the rate-limiter criteria.
- CoPP is not enabled in hardware unless MMLS QoS is enabled globally with the mls qos command.
  If the mls qos command is not entered, CoPP will only work in software and will not provide any
  benefit to the hardware.
- Neither egress CoPP nor silent mode is supported. CoPP is only supported on ingress (service-policy
  output CoPP cannot be applied to the control plane interface).
- ACE hit counters in hardware are only for ACL logic. You can rely on software ACE hit counters
  and the show access-list, show policy-map control-plane, and show mls ip qos commands to
  troubleshoot and evaluate CPU traffic.
- CoPP is performed on a per-forwarding-engine basis and software CoPP is performed on an
  aggregate basis.
- CoPP is not supported in hardware for multicast packets. The combination of ACLs, multicast CPU
  rate limiters and CoPP software protection provides protection against multicast DoS attacks.
- CoPP does not support ACEs with the log keyword.
- CoPP uses hardware QoS TCAM resources. Enter the show tcam utilization command to verify the
  TCAM utilization.
- CoPP does not support MAC ACLs.
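
The following check is an added example, not part of the Cisco manual: a small Python linter that reads a saved configuration and flags the guidelines above that can be verified from configuration text (mls qos, egress attachment, ACEs with log, MAC ACLs). The sample configuration is constructed, and every ACL, class-map and policy-map name in it is hypothetical.

```python
import re

# Constructed sample config (not from the manual); all names are hypothetical.
SAMPLE = """\
ip access-list extended COPP-BGP
 permit tcp any any eq bgp
ip access-list extended COPP-SSH
 permit tcp any any eq 22 log
class-map match-all COPP-ROUTING
 match access-group name COPP-BGP
class-map match-all COPP-MGMT
 match access-group name COPP-SSH
policy-map COPP
 class COPP-ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 500000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
"""

def lint_copp(config):
    """Return findings for the CoPP guidelines that are checkable from config text."""
    sections, name, findings = {}, None, []
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):      # an unindented command opens a section
            name = line.strip()
            sections.setdefault(name, [])
        elif name:
            sections[name].append(line.strip())
    if "mls qos" not in sections:
        findings.append("mls qos missing: CoPP works only in software")
    attached = [l.split() for l in sections.get("control-plane", [])
                if l.startswith("service-policy")]
    if any(p[1] == "output" for p in attached):
        findings.append("service-policy output on control-plane: egress CoPP unsupported")
    policies = {p[2] for p in attached if p[1] == "input"}
    classes = {l.split()[1] for p in policies
               for l in sections.get(f"policy-map {p}", []) if l.startswith("class ")}
    for head, body in sections.items():   # only class maps used by the attached policy
        if head.startswith("class-map") and head.split()[-1] in classes:
            for acl in re.findall(r"match access-group name (\S+)", "\n".join(body)):
                if f"mac access-list extended {acl}" in sections:
                    findings.append(f"{acl}: MAC ACLs are not supported by CoPP")
                for ace in sections.get(f"ip access-list extended {acl}", []):
                    if ace.split()[-1] == "log":
                        findings.append(f"{acl}: ACE '{ace}' uses log, unsupported by CoPP")
    return findings
```

Run against the sample, lint_copp(SAMPLE) reports the missing mls qos command and the log keyword in COPP-SSH. TCAM exhaustion and special-case rate-limiter overrides cannot be seen in configuration text and still need the show commands listed above.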

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX (OL-4266-08)
