Cisco Systems 4500 Switch User Manual

44-3
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 44 Configuring Control Plane Policing and Layer 2 Control Packet QoS
Configuring Control Plane Policing
For the data and management plane traffic, you can define your own ACLs to match the traffic class that
you want to police.
CoPP uses MQC to define traffic classification criteria and to specify the configurable policy actions for
the classified traffic. MQC uses class maps to define packets for a particular traffic class. After you have
classified the traffic, you can create policy maps to enforce policy actions for the identified traffic. The
control-plane global configuration command allows you to directly attach a CoPP service policy to the
control plane.
The only policy map that you can attach to the control plane is system-cpp-policy. (Catalyst 4900M,
Catalyst 4948E, Supervisor Engine 6-E, and Supervisor Engine 6L-E do not have this restriction.) This
policy map must contain the predefined class maps in the predefined order at the beginning of the policy
map. The best way to create the system-cpp-policy policy map is to use the global macro system-cpp.
The system-cpp-policy policy map contains the predefined class maps for the control plane traffic. The
names of all system-defined CoPP class maps and their matching ACLs contain the prefix system-cpp-.
By default, no action is specified for each traffic class. You can define your own class maps matching
CPU-bound data plane and management plane traffic. You can also add your defined class maps to
system-cpp-policy.
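The workflow described above, as an added configuration example that is not taken from the guide: create system-cpp-policy with the macro, define a user class for CPU-bound management traffic (SSH sessions terminating on the switch), append it to system-cpp-policy with a police action, and attach the policy to the control plane. The ACL/class name copp-mgmt-ssh and the 32000 bps / 1000 byte policer values are illustrative choices, not values from the page.

```ios
! Added example (not from the guide): CoPP for CPU-bound SSH management
! traffic on a Catalyst 4500. copp-mgmt-ssh and the policer numbers are
! assumptions chosen for illustration; pick rates from your own baseline.
!
! 1. Create system-cpp-policy with the predefined system-cpp- class maps
!    in the required order at the beginning of the policy map.
macro global apply system-cpp
!
! 2. ACL describing the management-plane class: SSH to the switch.
!    User-defined names deliberately avoid the reserved system-cpp- prefix.
ip access-list extended copp-mgmt-ssh
 permit tcp any any eq 22
!
! 3. Class map that classifies on that ACL.
class-map match-all copp-mgmt-ssh
 match access-group name copp-mgmt-ssh
!
! 4. Append the user class to system-cpp-policy, after the predefined
!    classes, and police it so a flood of SSH SYNs cannot starve the CPU.
policy-map system-cpp-policy
 class copp-mgmt-ssh
  police 32000 bps 1000 byte conform-action transmit exceed-action drop
!
! 5. Attach the policy to the control plane; on the platforms noted above
!    this is the only policy map the control-plane command accepts.
control-plane
 service-policy input system-cpp-policy
!
! Verification (exec mode): per-class conformed/exceeded counters show
! whether the policer is engaging.
! show policy-map control-plane
```

Exceeded counters that climb steadily on a class where you expect little traffic are a useful first signal of a control-plane flood or a misconfigured neighbor.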
General Guidelines for Control Plane Policing
Guidelines for control plane policing include the following:
Port security might cancel the effect of CoPP for non-IP control packets.
Although source MAC learning on a Catalyst 4500 series switch is performed in software, learning
control packets’ source MAC addresses (for example, IEEE BPDU, CDP, SSTP BPDU, GARP/) is
not allowed. Once you configure port security on a port where you anticipate a high rate of
potentially unanticipated control packets, the system generates a copy of the packet to the CPU
(until the source address is learned), instead of forwarding it.
The current architecture of the Catalyst 4500 supervisor engine does not allow you to apply policing
on the copy of packets sent to the CPU. You can only apply policing on packets that are forwarded
to the CPU. Copies of packets are sent to the CPU at the same rate as control packets, and port
security is not triggered because learning from control packets is not allowed. Policing is not applied
because the packet copy, not the original, is sent to the CPU.
Predefined Named ACL               Description
system-cpp-igmp                    IP Protocol = IGMP, IP DA matches 224.0.0.0/3
system-cpp-pim                     IP Protocol = PIM, IP DA matches 224.0.0.0/24
system-cpp-all-systems-on-subnet   IP DA = 224.0.0.1
system-cpp-all-routers-on-subnet   IP DA = 224.0.0.2
system-cpp-ripv2                   IP DA = 224.0.0.9
system-cpp-ip-mcast-linklocal      IP DA = 224.0.0.0/24
system-cpp-dhcp-cs                 IP Protocol = UDP, L4SrcPort = 68, L4DstPort = 67
system-cpp-dhcp-sc                 IP Protocol = UDP, L4SrcPort = 67, L4DstPort = 68
system-cpp-dhcp-ss                 IP Protocol = UDP, L4SrcPort = 67, L4DstPort = 67