Configuring Control Plane Policing

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for CoPP

Restrictions for control plane policing (CoPP) include the following:

  • Only ingress CoPP is supported. The system-cpp-policy policy-map is available on the control place interface, only in the ingress direction. 


  • Only the system-cpp-policy policy-map can be installed on the control plane interface.

  • The system-cpp-policy policy-map and the seventeen system-defined classes cannot be modified or deleted.

  • Only the police action is allowed under the system-cpp-policy policy-map. Further, the police rate can be configured only in packets per second (pps).

  • One or more CPU queues are part of each class-map. Where multiple CPU queues belong to one class-map, changing the policer rate of a class-map affects all CPU queues that belong to that class-map. Similarly, disabling a class-map disables all queues that belong to that class-map. See Table 1 for information about which CPU queues belong to each class-map.

Information About Control Plane Policing

This chapter describes how control plane policing (CoPP) works on your device and how to configure it.

CoPP Overview

The CoPP feature improves security on your device by protecting the CPU from unnecessary traffic, or DoS traffic, and by prioritizing control plane and management traffic.

Your device is typically segmented into three planes of operation, each with its own objective:

  • The data plane, to forward data packets.

  • The control plane, to route data correctly.

  • The management plane, to manage network elements.

You can use CoPP to protect most of the CPU-bound traffic and ensure routing stability, reachability, and packet delivery. Most importantly, you can use CoPP to protect the CPU from a DoS attack.

CoPP uses the modular QoS command-line interface (MQC) and CPU queues to achieve these objectives. Different types of control plane traffic are grouped together based on certain criteria, and assigned to a CPU queue. You can manage these CPU queues by configuring dedicated policers in hardware. For example, you can modify the policer rate for certain CPU queues (traffic-type), or you can disable the policer for a certain type of traffic.

Although the policers are configured in hardware, CoPP does not affect CPU performance or the performance of the data plane. But since it limits the number of packets going to CPU, the CPU load is controlled. This means that services waiting for packets from hardware may see a more controlled rate of incoming packets (the rate being user-configurable).

System-Defined Aspects of CoPP

When you power-up the device for the first time, the system automatically performs the following tasks:
  • It looks for policy-map system-cpp-policy . If it does not detect this policy-map, it creates and installs it on the control-plane.

  • It creates seventeen class-maps under system-cpp-policy .

    The next time you power-up the device, the system detects the policy and class maps that have already been created.

  • Once the policy is installed, sixteen (out of the thirty-two) CPU queues are enabled by default with their respective default rate. The CPU queues enabled by default and their default rates are indicated in Table 1.

The following table lists the class-maps that the system creates when you load the device. It lists the policer that corresponds to each class-map and one or more CPU queues that are grouped under each class-map. There is a one-to-one mapping of class-maps to policers; and one or more CPU queues map to a class-map.
Table 1. System-Defined Values for CoPP

Class Maps Names

Policer Index (Policer No.)

CPU queues (Queue No.)

CPU Queues Enabled by Default?

Default Policer Rate—in packets per second (pps)

system-cpp-police-data

WK_CPP_POLICE_DA TA(0)

WK_CPU_Q_ICMP_GEN(3)

WK_CPU_Q_BROADCAST(12)

Yes

200

system-cpp-police-l2- control

WK_CPP_POLICE_L2_ CONTROL(1)

WK_CPU_Q_L2_CONTROL(1)

No

500

system-cpp-police-routing-control

WK_CPP_POLICE_ROUTING_CONTROL(2)

WK_CPU_Q_ROUTING_CONTROL(4)

Yes

500

system-cpp-police-control-low-priority

WK_CPP_POLICE_CO NTROL_LOW_PRI(3)

WK_CPU_Q_ICMP_REDIRECT(6)

WK_CPU_Q_GENERAL_PUNT(25)

No

500

system-cpp-police- wireless-priority1

WK_CPP_POLICE_WI RELESS_PRIO_1(4)

WK_CPU_Q_WIRELESS_PRIO_1(8)

No

1000

system-cpp-police- wireless-priority2

WK_CPP_POLICE_WI RELESS_PRIO_2(5)

WK_CPU_Q_WIRELESS_PRIO_2(9)

No

1000

system-cpp-police- wireless-priority3-4-5

WK_CPP_POLICE_WI RELESS_PRIO_3(6)

WK_CPU_Q_WIRELESS_PRIO_3(10)

WK_CPU_Q_WIRELESS_PRIO_4(11)

WK_CPU_Q_WIRELESS_PRIO_5(7)

No

1000

system-cpp-police-punt-webauth

WK_CPP_POLICE_PU NT_WEBAUTH(7)

WK_CPU_Q_PUNT_WEBAUTH(22)

No

1000

system-cpp-police- topology-control

WK_CPP_POLICE_TOPOLOGY_CONTROL(8)

WK_CPU_Q_TOPOLOGY_CONTROL(15)

No

13000

system-cpp-police- multicast

WK_CPP_POLICE_MULTICAST(9)

WK_CPU_Q_TRANSIT_TRAFFIC(18)

WK_CPU_Q_MCAST_DATA(30)

Yes

500

system-cpp-police-sys- data

WK_CPP_POLICE_SYS _DATA (10)

WK_CPU_Q_LEARNING_CACHE_OVFL(13)

WK_CPU_Q_CRYPTO_CONTROL(23)

WK_CPU_Q_EXCEPTION(24)

WK_CPU_Q_EGR_EXCEPTION(28)

WK_CPU_Q_NFL_SAMPLED_DATA(26)

WK_CPU_Q_GOLD_PKT(31)

WK_CPU_Q_RPF_FAILED(19)

Yes

100

system-cpp-police-dot1x-auth

WK_CPP_POLICE_DOT1X(11)

WK_CPU_Q_DOT1X_AUTH(0)

No

1000

system-cpp-police- protocol-snooping

WK_CPP_POLICE_PR

WK_CPU_Q_PROTO_SNOOPING(16)

No

500

system-cpp-police-sw- forward

WK_CPP_POLICE_SW_FWD (13)

WK_CPU_Q_SW_FORW ARDING_Q(14)

WK_CPU_Q_SGT_CACHE_FULL(27)

WK_CPU_Q_LOGGING(21)

Yes

1000

system-cpp-police-forus

WK_CPP_POLICE_FORUS(14)

WK_CPU_Q_FORUS_ADDR_RESOLUTION(5)

WK_CPU_Q_FORUS_TRAFFIC(2)

No

1000

system-cpp-police- multicast-end-station

WK_CPP_POLICE_MULTICAST_SNOOPING(15)

WK_CPU_Q_MCAST_END_STA TION_SERVICE(20)

Yes

2000

system-cpp-default

WK_CPP_POLICE_DEFAULT_POLICER

WK_CPU_Q_DHCP_SNOOPING

WK_CPU_Q_SHOW_FORWARD

No

1000

User-Configurable Aspects of CoPP

You can perform these tasks to manage control plane traffic:
  • Enable or disable CPU queues.

    Enable a CPU queue, by configuring a policer action (in packets per second) under the corresponding class-map, within the system-cpp-policy policy-map.

    Disable a CPU queue, by removing the policer action under the corresponding class-map, within the system-cpp-policy policy-map.

  • Change the policer rate, by configuring a policer rate action (in packets per second) under the corresponding class-map, within the system-cpp-policy policy-map.

  • Set the CPU queues to their default values, by entering the cpp system-default command in global configuration mode.

How to Configure CoPP

Enabling a CPU Queue or Changing the Policer Rate

The procedure to enable a CPU queue and change the policer rate of a CPU queue is the same. Follow these steps:

Procedure

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 3

policy-map policy-map-name

Example:


Device(config)# policy-map system-cpp-policy
Device(config-pmap)#

Enters the policy map configuration mode.

Step 4

class class-name

Example:


Device(config-pmap)# class system-cpp-police-protocol-snooping
Device(config-pmap-c)#

Enters the class action configuration mode. Enter the name of the class that corresponds to the CPU queue you want to enable. See Table 1

Step 5

police rate rate pps

Example:


Device(config-pmap-c)# police rate 100 pps

Specifies an upper limit on the number of incoming packets processed per second, for the specified traffic class.

Note 
The rate you specify is applied to all CPU queues that belong to the class-map you have specified.
Step 6

end

Example:


Device(config-pmap-c)# end

Returns to the privileged EXEC mode.

Step 7

show running-config | begin system-cpp-policy

Example:


Device# show running-config | begin system-cpp-policy

Displays the rates configured for the various traffic types.

Disabling a CPU Queue

Follow these steps to disable a CPU queue:

Procedure

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 3

policy-map policy-map-name

Example:


Device(config)# policy-map system-cpp-policy
Device(config-pmap)#

Enters the policy map configuration mode.

Step 4

class class-name

Example:


Device(config-pmap)# class system-cpp-police-protocol-snooping
Device(config-pmap-c)#

Enters the class action configuration mode. Enter the name of the class that corresponds to the CPU queue you want to disable. See Table 1

Step 5

no police rate rate pps

Example:


Device(config-pmap-c)# no police rate 100 pps

Disables incoming packet processing for the specified traffic class.

Note 
This disables all CPU queues that belong to the class-map you have specified.
Step 6

end

Example:


Device(config-pmap-c)# end

Returns to the privileged EXEC mode.

Step 7

show running-config | begin system-cpp-policy

Example:


Device# show running-config | begin system-cpp-policy

Displays the rates configures for the various traffic types.

Setting the Default Policer Rates for All CPU Queues

Follow these steps to set the policer rates for all CPU queues to their default rates:

Procedure

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 3

cpp system-default

Example:


Device(config)# cpp system-default
Defaulting CPP : Policer rate for all classes will be set to their defaults

Sets the policer rates for all the classes to the default rate.

Step 4

end

Example:


Device(config)# end

Returns to the privileged EXEC mode.

Step 5

show platform hardware fed switch switch-number qos que stat internal cpu policer

Example:


Device# show platform hardware fed switch 1 qos que stat internal cpu policer

Displays the rates configured for the various traffic types.

Examples for Configuring CoPP

Example: Enabling a CPU Queue or Changing the Policer Rate of a CPU Queue

This example shows how to enable a CPU queue or to change the policer rate of a CPU queue. Here the class system-cpp-police-protocol-snooping CPU queue is enabled with the policer rate of 100 pps .


Device> enable
Device# configure terminal
Device(config)# policy-map system-cpp-policy
Device(config-pmap)# class system-cpp-police-protocol-snooping
Device(config-pmap-c)# police rate 100 pps
Device(config-pmap-c)# end


Device# show running-config | begin system-cpp-policy

policy-map system-cpp-policy
 class system-cpp-police-data
  police rate 200 pps
 class system-cpp-police-sys-data
  police rate 100 pps
 class system-cpp-police-sw-forward
  police rate 1000 pps
 class system-cpp-police-multicast
  police rate 500 pps
 class system-cpp-police-multicast-end-station
  police rate 2000 pps
 class system-cpp-police-punt-webauth
 class system-cpp-police-l2-control
 class system-cpp-police-routing-control
  police rate 500 pps
 class system-cpp-police-control-low-priority
 class system-cpp-police-wireless-priority1
 class system-cpp-police-wireless-priority2
 class system-cpp-police-wireless-priority3-4-5
 class system-cpp-police-topology-control
 class system-cpp-police-dot1x-auth
 class system-cpp-police-protocol-snooping
  police rate 100 pps
 class system-cpp-police-forus
 class system-cpp-default

<output truncated>

Example: Disabling a CPU Queue

This example shows how to disable a CPU queue. Here the class system-cpp-police-protocol-snooping CPU queue is disabled.


Device> enable
Device# configure terminal
Device(config)# policy-map system-cpp-policy
Device(config-pmap)# class system-cpp-police-protocol-snooping
Device(config-pmap-c)# no police rate 100 pps
Device(config-pmap-c)# end


Device# show running-config | begin system-cpp-policy

policy-map system-cpp-policy
 class system-cpp-police-data
  police rate 200 pps
 class system-cpp-police-sys-data
  police rate 100 pps
 class system-cpp-police-sw-forward
  police rate 1000 pps
 class system-cpp-police-multicast
  police rate 500 pps
 class system-cpp-police-multicast-end-station
  police rate 2000 pps
 class system-cpp-police-punt-webauth
 class system-cpp-police-l2-control
 class system-cpp-police-routing-control
  police rate 500 pps
 class system-cpp-police-control-low-priority
 class system-cpp-police-wireless-priority1
 class system-cpp-police-wireless-priority2
 class system-cpp-police-wireless-priority3-4-5
 class system-cpp-police-topology-control
 class system-cpp-police-dot1x-auth
 class system-cpp-police-protocol-snooping
 class system-cpp-police-forus
 class system-cpp-default

<output truncated>

Example: Setting the Default Policer Rates for All CPU Queues

This example shows how to set the policer rates for all CPU queues to their default and then verify the setting:


Device> enable
Device# configure terminal
Device(config)# cpp system-default
Defaulting CPP : Policer rate for all classes will be set to their defaults
Device(config)# end


Device# show platform hardware fed switch 1 qos queue stats internal cpu policer

                                              (default)  (set)      
QId PlcIdx  Queue Name                Enabled   Rate     Rate      Drop
------------------------------------------------------------------------
0    11     DOT1X Auth                  No      1000      1000        0
1    1      L2 Control                  No      500       500         0
2    14     Forus traffic               No      1000      1000        0
3    0      ICMP GEN                    Yes     200       200         0
4    2      Routing Control             Yes     1800      1800        0
5    14     Forus Address resolution    No      1000      1000        0
6    3      ICMP Redirect               No      500       500         0
7    6      WLESS PRI-5                 No      1000      1000        0
8    4      WLESS PRI-1                 No      1000      1000        0
9    5      WLESS PRI-2                 No      1000      1000        0
10   6      WLESS PRI-3                 No      1000      1000        0
11   6      WLESS PRI-4                 No      1000      1000        0
12   0      BROADCAST                   Yes     200       200         0
13   10     Learning cache ovfl         Yes     100       100         0
14   13     Sw forwarding               Yes     1000      1000        0
15   8      Topology Control            No      13000     13000       0
16   12     Proto Snooping              No      500       500         0
17   16     DHCP Snooping               No      1000      1000        0
18   9      Transit Traffic             Yes     500       500         0
19   10     RPF Failed                  Yes     100       100         0
20   15     MCAST END STATION           Yes     2000      2000        0
21   13     LOGGING                     Yes     1000      1000        0
22   7      Punt Webauth                No      1000      1000        0
23   10     Crypto Control              Yes     100       100         0
24   10     Exception                   Yes     100       100         0
25   3      General Punt                No      500       500         0
26   10     NFL SAMPLED DATA            Yes     100       100         0
27   2      SGT Cache Full              Yes     1800      1800        0
28   10     EGR Exception               Yes     100       100         0
29   16     Show frwd                   No      1000      1000        0
30   9      MCAST Data                  Yes     500       500         0
31   10     Gold Pkt                    Yes     100       100         0
 

Monitoring CoPP

Follow these steps to display policer settings, such as, traffic types and policer rates (user-configured and default rates) for CPU queues.

Procedure

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

show platform hardware fed switch switch-number qos que stat internal cpu policer

Displays the rates configured for the various traffic types.

Example


Device> enable
Device# show platform hardware fed switch 3 qos queue stats internal cpu policer
                                              (default)  (set)      
QId PlcIdx  Queue Name                Enabled   Rate     Rate      Drop
------------------------------------------------------------------------
0    11     DOT1X Auth                  No      1000      1000        0
1    1      L2 Control                  No      500       500         0
2    14     Forus traffic               No      1000      1000        0
3    0      ICMP GEN                    Yes     200       200         0
4    2      Routing Control             Yes     1800      1800        0
5    14     Forus Address resolution    No      1000      1000        0
6    3      ICMP Redirect               No      500       500         0
7    6      WLESS PRI-5                 No      1000      1000        0
8    4      WLESS PRI-1                 No      1000      1000        0
9    5      WLESS PRI-2                 No      1000      1000        0
10   6      WLESS PRI-3                 No      1000      1000        0
11   6      WLESS PRI-4                 No      1000      1000        0
12   0      BROADCAST                   Yes     200       200         0
13   10     Learning cache ovfl         Yes     100       100         0
14   13     Sw forwarding               Yes     1000      1000        0
15   8      Topology Control            No      13000     13000       0
16   12     Proto Snooping              No      500       500         0
17   16     DHCP Snooping               No      1000      1000        0
18   9      Transit Traffic             Yes     500       500         0
19   10     RPF Failed                  Yes     100       100         0
20   15     MCAST END STATION           Yes     2000      2000        0
21   13     LOGGING                     Yes     1000      1000        0
22   7      Punt Webauth                No      1000      1000        0
23   10     Crypto Control              Yes     100       100         0
24   10     Exception                   Yes     100       100         0
25   3      General Punt                No      500       500         0
26   10     NFL SAMPLED DATA            Yes     100       100         0
27   2      SGT Cache Full              Yes     1800      1800        0
28   10     EGR Exception               Yes     100       100         0
29   16     Show frwd                   No      1000      1000        0
30   9      MCAST Data                  Yes     500       500         0
31   10     Gold Pkt                    Yes     100       100         0

Additional References for CoPP

Related Documents

Related Topic Document Title

MQC QoS Commands, and CoPP show commands

Consolidated Platform Command Reference, Cisco IOS XE Denali 16.1.x (Catalyst 3650 Switches)

Error Message Decoder

Description Link

To help you research and resolve system error messages in this release, use the Error Message Decoder tool.

https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi

Standards and RFCs

Standard/RFC Title
None

MIBs

MIB MIBs Link

All supported MIBs for this release.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature History and Information For CoPP

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Feature Name

Releases

Feature Information

Control Plane Policing (CoPP) or CPP

This feature was introduced.

CLI configuration for CoPP

Cisco IOS XE Denali 16.1.2

This feature was made user-configurable. CLI configuration options to enable and disable CPU queues, to change the policer rate, and to set policer rates to default.