Configuring Control Plane Policing

Restrictions for Control Plane Policing

The following restrictions apply while Configuring Control Plane Policing:
  • Only six among the following protocols can be configured simultaneously: rip , ospf-v6 , eigrp-v6 , rip-v6 , dhcp-snoop-client-to-server , dhcp-snoop-server-to-client , ndp-router-solicitation , ndp-router-advertisement , ndp-redirect , dhcpv6-client-to-server , dhcpv6-server-to-client , igrp .

  • For ospf , eigrp and ripv2 protocols, control packets which are destined to multicast Mac of the router are policed along with the "reserve-multicast-group " option.

Control Plane Policing

Configure the Control Plane Policing (CoPP) feature on a predefined set of protocols to control the flow of traffic coming to the CPU. The CoPP allows you to set a rate limit on specific protocol packets. These packets are policed, and the packets that conform to the defined rate limit are permitted into the CPU. COPP protects the packets from being routed to the CPU at an undesired rate that might impact the performance of a switch and the network. In addition, the CoPP protects the CPU from denial of service (DoS) attacks and ensures routing stability, reachability, and packet delivery. You can use Multi-Layer Switching QoS CLI to set the rate limit and policing parameters on a specific protocol.


Note


CoPP is supported only on LAN BASE, IP Lite, and IP Service licenses.


Configuring Control Plane Policing

Configure the Control Plane Policing (CoPP) feature on a predefined set of protocols to control the flow of traffic coming into the CPU.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. mls qos copp protocol { autorp-announce | autorp-discovery | bgp | cdp | cgmp | dai | dhcp-snoop-client-to-server | dhcp-snoop-server-to-client | dhcpv6-client-to-server | dhcpv6-server-to-client | eigrp | eigrp-v6 | energy-wise | igmp-gs-query | igmp-leave | igmp-query | igmp-report | igrp | ipv6-pimv2 | lldp | mld-gs-query | mld-leave | mld-query | mld-report | ndp-redirect | ndp-router-advertisement | ndp-router-solicitation | ospf | ospf-v6 | pimv1 | pxe | rep-hfl | reserve-multicast-group | rip | rip-v6 | rsvp-snoop | stp } police {pps | bps} police rate
  4. end
  5. show mls qos copp protocols
  6. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Switch> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.

Step 3

mls qos copp protocol { autorp-announce | autorp-discovery | bgp | cdp | cgmp | dai | dhcp-snoop-client-to-server | dhcp-snoop-server-to-client | dhcpv6-client-to-server | dhcpv6-server-to-client | eigrp | eigrp-v6 | energy-wise | igmp-gs-query | igmp-leave | igmp-query | igmp-report | igrp | ipv6-pimv2 | lldp | mld-gs-query | mld-leave | mld-query | mld-report | ndp-redirect | ndp-router-advertisement | ndp-router-solicitation | ospf | ospf-v6 | pimv1 | pxe | rep-hfl | reserve-multicast-group | rip | rip-v6 | rsvp-snoop | stp } police {pps | bps} police rate

Example:


Switch (config)# mls qos copp protocol cdp police bps 10000

Switch(config)# mls qos copp protocol cdp police pps 500

Configures a packet policer for the specified protocol.

For more details about the various parameters, please refer Consolidated Platform Command Reference, Cisco IOS Release 15.2(4)E .

Step 4

end

Example:


Switch(config)# end

Returns to privileged EXEC mode.

Step 5

show mls qos copp protocols

Example:


Switch# show mls qos copp protocols

Displays the CoPP parameters and counters for all the configured protocol.

Step 6

copy running-config startup-config

Example:


Switch# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

What to do next

To clear the CoPP statistics, use the clear copp counters command.

Examples: Configuring CoPP

The following example shows how to enable Control Plane Policing (CoPP) for a specific protocol:

Switch (config)# mls qos copp protocol cdp police bps ?
  <8000-2000000000> Bits per second (postfix k, m, g optional; decimal point allowed)
Switch (config)# mls qos copp protocol cdp police bps 10000
Switch(config)# mls qos copp protocol cdp police pps ?
  <100-100000> Packet per second
Switch(config)# mls qos copp protocol cdp police pps 500

The following example shows the CoPP parameters and counters for all the configured protocol:

Switch# show running-config | inc copp
Switch#show running-config | inc copp
mls qos copp protocol rep-hfl police pps 5600
mls qos copp protocol lldp police bps 908900
mls qos copp protocol cdp police pps 3434

/* Copp detailed output */
Switch#show mls qos copp protocols
-------------------------------------------------------------------------------
Protocol                     Mode       PolicerRate         PolicerBurst
InProfilePackets    OutProfilePackets   InProfileBytes      OutProfileBytes
-------------------------------------------------------------------------------
rep-hfl                      pps        5600                5600
0                   0                   0                   0

lldp                         bps        908900              908900
0                   0                   0                   0

cdp                          pps        3434                3434
45172               0                   2891008             0