CHAPTER 23
Configuring Control Plane Policing
This chapter contains the following sections:
• About CoPP, on page 453
• Licensing Requirements for CoPP, on page 470
• Guidelines and Limitations for CoPP, on page 470
• Default Settings for CoPP, on page 472
• Configuring CoPP, on page 473
• Protocol ACL Filtering, on page 481
• Verifying the CoPP Configuration, on page 486
• Displaying the CoPP Configuration Status, on page 488
• Monitoring CoPP, on page 488
• Clearing the CoPP Statistics, on page 489
• Configuration Examples for CoPP, on page 489
• Additional References for CoPP, on page 491
About CoPP
Control Plane Policing (CoPP) protects the control plane and separates it from the data plane, which ensures
network stability, reachability, and packet delivery.
This feature allows a policy map to be applied to the control plane. This policy map looks like a normal QoS
policy and is applied to all traffic entering the switch from a non-management port. A common attack vector
for network devices is the denial-of-service (DoS) attack, where excessive traffic is directed at the device
interfaces.
The Cisco NX-OS device provides CoPP to prevent DoS attacks from impacting performance. Such attacks,
which can be perpetrated either inadvertently or maliciously, typically involve high rates of traffic destined
to the supervisor module or CPU itself.
The supervisor module divides the traffic that it manages into three functional components or planes:
Data plane
Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from
one interface to another. The packets that are not meant for the switch itself are called the transit packets.
These packets are handled by the data plane.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
453
To Next Page
Loading...
