[Cisco] | Control Plane Policing (CoPP) [Explained]

Dataplane vs control plane:

Data plane: Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called the transit packets. These packets are handled by the data plane.

Control plane: Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol (BGP) and the Open Shortest Path First (OSPF) Protocol, send control packets between devices. These packets are destined to router addresses and are called control plane packets.

Control Plane Policing (CoPP)

Control Plane Policing (CoPP) protects the control plane and separates it from the data plane, which ensures network stability, reachability, and packet delivery.

This feature allows a policy map to be applied to the control plane. This policy-map looks like a normal QoS policy and is applied to all traffic entering the switch from a non-management port. A common attack vector for network devices is the denial-of-service (DoS) attack, where excessive traffic is directed at the device interfaces.

The Cisco NX-OS device provides CoPP to prevent DoS attacks from impacting performance. Such attacks, which can be perpetrated either inadvertently or maliciously, typically involve high rates of traffic destined to the supervisor module or CPU itself.

Check Copp status:

R1# sh copp status

Last Config Operation: None

Last Config Operation Timestamp: None

Last Config Operation Status: None

Policy-map attached to the control-plane: copp-system-p-policy-strict

Packet drop causes:

1/ show hardware rate-limit command to determine if packets are being dropped because of a rate limit.

switch(config)# show hardware rate-limit module 1

Units for Config: packets per second

Allowed, Dropped & Total: aggregated since last clear counters

Rate Limiter Class Parameters

————————————————————

access-list-log Config : 100

Allowed : 0

Dropped : 0

Total : 0

2/ show policy-map interface control-plane command to determine if packets are being dropped because of CoPP.

switch# show policy-map interface control-plane

class-map copp-system-p-class-exception (match-any)

match exception ip option

match exception ip icmp unreachable

match exception ttl-failure

match exception ipv6 option

match exception ipv6 icmp unreachable

match exception mtu-failure

set cos 1

police cir 200 pps , bc 32 packets

module 27 :

transmitted 0 packets;

dropped 0 packets;

module 28 :

transmitted 0 packets;

dropped 0 packets;

References:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_010001.html

bilel949401

bilel949401

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Learn Duty
0
Would love your thoughts, please comment.x
()
x