ch04lev1sec10.html

Control Plane Policing (CoPP) Feature

The traffic managed by a device can be divided into three functional components or planes:

Data plane
Management plane
Control plane

The vast majority of traffic flows through the device via the data plane; however, the route processor handles certain traffic, such as routing protocol updates, remote-access services, and network management traffic such as SNMP. This type of traffic is referred to as the control and management plane. The route processor is critical to network operation. Therefore any service disruption or security compromise to the route processor, and hence the control and management planes, can result in network outages that impact regular operations. For example, a DoS attack targeting the route processor typically involves high bursty traffic resulting in excessive CPU utilization on the route processor. Such attacks can be devastating to network stability and availability. The bulk of traffic managed by the route processor is handled by way of the control and management planes.

The CoPP feature is used to protect the aforementioned control and management planes; to ensure stability, reachability, and availability and to block unnecessary or DoS traffic. CoPP uses a dedicated control plane configuration through the modular QoS CLI (MQC) to provide filtering and rate limiting capabilities for the control plane packets.

As mentioned earlier, the CoPP feature is available on all major Cisco router series including ISR. Table 4-2 provides a complete list of compatible hardware and software support.

Table 4-2. CoPP Support on Cisco Routers
Router Models Cisco IOS Software Release
Cisco 12000 Series Release 12.0(29)S and later
Cisco 7600 Series Release 12.2(18)SXD1 and later
Cisco 6500 Series Release 12.2(18)SXD1 and later
Cisco 7200 Series Cisco 7500 Series Release 12.2(18)S and later
Cisco 1751 Router
Cisco 2600/2600-XM Series

Cisco 3700 Series
Cisco 7200 Series Release 12.3(4)T and later
Cisco 1800 Series Cisco 2800 Series Release 12.3(8)T and later
Cisco 3800 Series Release 12.3(11)T and later

Table 4-2. CoPP Support on Cisco Routers
Router Models	Cisco IOS Software Release
Cisco 12000 Series	Release 12.0(29)S and later
Cisco 7600 Series	Release 12.2(18)SXD1 and later
Cisco 6500 Series	Release 12.2(18)SXD1 and later
Cisco 7200 Series Cisco 7500 Series	Release 12.2(18)S and later
Cisco 1751 Router Cisco 2600/2600-XM Series Cisco 3700 Series Cisco 7200 Series	Release 12.3(4)T and later
Cisco 1800 Series Cisco 2800 Series	Release 12.3(8)T and later
Cisco 3800 Series	Release 12.3(11)T and later

Perform the following steps to configure and apply the CoPP feature:

Step 1.	Define a packet classification criterion. There are a number of ways to categorize the type of traffic—for example, by using an access list or protocol or IP precedence values. Code View: Hostname(config)# class-map {traffic_class_name} Hostname(config-cmap)# match {access-list \| protocol \| ip prec \| ip dscp \| vlan}
Step 2.	Define a service policy. Note that flow policing is the only valid option available (as of this writing) in the policy map for CoPP. Code View: Hostname(config-pmap)# policy-map {service_policy_name} Hostname(config-pmap)# class {traffic_class_name} Hostname(config-pmap-c)# police <rate> conform-action <action> exceed-action <action>

Step 3.	Enter control plane configuration mode using the control-plane global command. In this CP submode, the service policies are attached to the control plane. Hostname(config)# control-plane
Step 4.	Apply QoS policy configured to the control plane. Hostname(config-cp)# service-policy {input \| output} {service_policy_name}

Note

The CoPP feature is also available as part of the integrated Network Foundation Protection (NFP) security features on the Cisco ISR (Integrated Services Router) platforms.