Control Plane Policing (CoPP) - Cisco Catalyst 6500-E Series Manual

Switch as the backbone of a unified access campus architecture

In Figure 16, every subinterface on every switch carrying the VRF-Lite VPNs must be manually configured, so as
the number of VRFs grows, the interface configuration becomes harder to work with and more prone to errors. An
infrastructure with 6 nodes and 20 VRFs would require 6 main interface and 120 subinterface configurations.

In Figure 17 the benefits of the VNET trunk can be plainly seen in the massive reduction and simplicity of the
interface configuration. When the trunk between the switches is established as a VNET trunk, all VRFs configured
with the vnet tag command are automatically sent over the trunk. The only configuration steps a network
administrator has to undertake are for the VNET trunk interface itself and the VNET tag assignment within the VRF
definition. The network with 6 nodes and 20 VRFs would require only 6 main interface configurations, making it
much easier to deploy and manage.

In addition to the VNET trunk capability, EVN introduces two other functions that ease the support and deployment
of both MPLS VPNs and VRF-Lite. The first is the creation of a routing context that allows the network
administrator to use the routing-context <vrf name> command to create a context in which exec-level commands
(show, ping, traceroute, and so on) can be executed without adding the VRF name every time. The second is the
ability to share services between VRFs using route leaking without the need for BGP, import/export statements,
route descriptors, and route targets, all of which are needed without this new capability.

Control Plane Policing (CoPP)

The most vulnerable part of any switching infrastructure is the CPU, or control plane, which manages the
hardware and maintains the Layer 2 and Layer 3 topologies. The CPU is usually not capable of operating at the
speeds required of today's switched networks, so network vendors have created higher performance application-
specific integrated circuits (ASICs) to provide required features at speeds of tens of millions of packets per
second. However, certain types of traffic still require CPU processing, and this traffic can potentially be sent to the
CPU at ASIC speeds. Therefore, a mechanism must be put into place to protect the CPU from being overrun by
traffic that it must process but that could be sent at a rate much higher than it can process.

The Cisco Catalyst 6500-E with Supervisor Engine 2T supports hardware-based CoPP, which increases security
by protecting the CPU from unnecessary or denial-of-service (DoS) traffic and by giving priority to important
control plane and management traffic. CoPP uses a dedicated control plane configuration through the modular
quality-of-service (QoS) CLI (MQC) to provide filtering and rate-limiting capabilities, enforced by the PFC4 and
DFC4, for the control plane packets. Figure 18 shows the operation of CoPP with the Supervisor Engine 2T.
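
An MQC control plane policy of the kind described above, as an added example that is not taken from the Cisco
document. The class and ACL names, the 192.0.2.0/24 management subnet and every police rate are assumptions chosen
for illustration, not recommended values.

```cisco
! Added example. Names, addresses and rates are assumptions; baseline real
! punted traffic before choosing rates. 192.0.2.0/24 is a documentation range
! standing in for the management subnet.

! --- Classification: sort CPU-bound traffic by purpose ---
ip access-list extended COPP-ROUTING-ACL
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
ip access-list extended COPP-MGMT-ACL
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
ip access-list extended COPP-ICMP-ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable

class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING-ACL
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT-ACL
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP-ACL

! --- Policy: police <bps> <burst-bytes> per class ---
policy-map COPP-POLICY
 ! Routing adjacencies: both actions transmit, so excess is counted, never dropped
 class COPP-ROUTING
  police 2000000 62500 conform-action transmit exceed-action transmit
 ! Management is only classified here when sourced from the management subnet
 class COPP-MGMT
  police 1000000 31250 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 64000 2000 conform-action transmit exceed-action drop
 ! Everything else bound for the CPU, including SSH/SNMP from other sources
 class class-default
  police 500000 15625 conform-action transmit exceed-action drop

! --- Attach the policy to the control plane ---
control-plane
 service-policy input COPP-POLICY
```

After the policy is attached, show policy-map control-plane reports conformed and exceeded counters for each class,
which is where a flood against the CPU shows up as a rising exceed count on one class.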
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.