Support User Manuals

Cisco Systems 4500 Switch User Manual

Open as PDF

of 1504

44-2

Software Configuration Guide—Release 15.0(2)SG

OL-23818-01

Chapter 44 Configuring Control Plane Policing and Layer 2 Control Packet QoS

Configuring Control Plane Policing

• General Guidelines for Control Plane Policing, page 44-3

• Default Configuration, page 44-4

• Configuring CoPP for Control Plane Traffic, page 44-4

• Configuring CoPP for Data Plane and Management Plane Traffic, page 44-6

• Control Plane Policing Configuration Guidelines and Restrictions, page 44-8

• Policing IPv6 Control Traffic, page 44-17

About Control Plane Policing

The control plane policing (CoPP) feature increases security on the Catalyst 4500 series switch by

protecting the CPU from unnecessary or DoS traffic and giving priority to important control plane and

management traffic. The classification TCAM and QoS policers provide CoPP hardware support.

Note CoPP is supported on the following: Classic Series supervisor engines and switches beginning with

Cisco IOS Release 12.2(31)SG; Supervisor 6-E and Catalyst 4900M beginning with Cisco IOS Release

12.2(50)SG; Supervisor 6L-E in Cisco IOS Release 12.2(52)X0; and Catalyst 4948-E beginning with

Cisco IOS Release 12.2(54)X0.

Traffic managed by the CPU is divided into three functional components or planes:

• Data plane

• Management plane

• Control plane

You can use CoPP to protect most of CPU-bound traffic and to ensure routing stability, reachability, and

packet delivery. Most importantly, you can use CoPP to protect the CPU from a DoS attack.

By default, you receive a list of predefined ACLs matching a selected set of Layer 2 and Layer 3 control

plane packets. Although you can further define your preferred policing parameters for each of these

packets, you cannot modify the matching criteria of these ACLs. (Catalyst 4900M, Catalyst 4948E,

Supervisor Engine 6-E, and Supervisor Engine 6L-E do not have this restriction.)

The following table lists the predefined ACLs.

Predefined Named ACL Description

system-cpp-dot1x MAC DA = 0180.C200.0003

system-cpp-lldp MAC DA = 0180.C200.000E

system-cpp-mcast-cfm MAC DA = 0100.0CCC.CCC0 - 0100.0CCC.CCC7

system-cpp-ucast-cfm MAC DA = 0100.0CCC.CCC0

system-cpp-bpdu-range MAC DA = 0180.C200.0000 - 0180.C200.000F

system-cpp-cdp MAC DA = 0100.0CCC.CCCC (UDLD/DTP/VTP/Pagp)

system-cpp-sstp MAC DA = 0100.0CCC.CCCD

system-cpp-cgmp MAC DA = 01.00.0C.DD.DD.DD

system-cpp-hsrpv2 IP Protocol = UDP, IPDA = 224.0.0.102

system-cpp-ospf IP Protocol = OSPF, IP DA matches 224.0.0.0/24

previous next