What is the default CoPP on the 3850 used for?

tianwen.zhao
Level 1

Hello everyone,

Here is the config:

!
control-plane
 service-policy input system-cpp-policy
!
policy-map system-cpp-policy
 class system-cpp-police-data
  police rate 200 pps
 class system-cpp-police-routing-control
  police rate 1800 pps
 class system-cpp-police-control-low-priority
 class system-cpp-police-wireless-priority1
 class system-cpp-police-wireless-priority2
 class system-cpp-police-wireless-priority3-4-5
!
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
!
class-map match-any system-cpp-police-routing-control
  description Routing control
!
 
There is only the description in the class-map, and I can't see any ACL?

So, what is this CoPP used for?
 
Thanks

Accepted Solutions

Reza Sharifi
Hall of Fame

Hi,

There is no ACL in CoPP. It is there to protect the route processor. From the CoPP document:

  • Control Plane Policing (CoPP) – CoPP is the Cisco IOS-wide route processor protection mechanism. As illustrated in Figure 2, and similar to rACLs, CoPP is deployed once to the punt path of the router. However, unlike rACLs that only apply to receive destination IP packets, CoPP applies to all packets that punt to the route processor for handling. CoPP therefore covers not only receive destination IP packets, it also exceptions IP packets and non-IP packets. In addition, CoPP is implemented using the Modular QoS CLI (MQC) framework for policy construction. In this way, in addition to simply permit and deny functions, specific packets may be permitted but rate-limited. This behavior substantially improves the ability to define an effective CoPP policy. (Note: that “Control Plane Policing” is something of a misnomer because CoPP generally protects the punt path to the route processor and not solely the control plane.)
Link: https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html

HTH
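
An added example, not part of the original posts and not Cisco code: a small Python parser for a policy in the form posted in the question, which pairs each class with its police rate and class-map description and lists the classes for which no rate is shown. The function names `parse_copp` and `unpoliced` are hypothetical, and the sample input is the question's configuration, abridged.

```python
import re

# Constructed sample: the configuration posted in the question, abridged.
SAMPLE_CONFIG = """\
control-plane
 service-policy input system-cpp-policy
!
policy-map system-cpp-policy
 class system-cpp-police-data
  police rate 200 pps
 class system-cpp-police-routing-control
  police rate 1800 pps
 class system-cpp-police-control-low-priority
!
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
!
class-map match-any system-cpp-police-routing-control
  description Routing control
"""

def parse_copp(config, policy="system-cpp-policy"):
    """Return {class: {"pps": int or None, "description": str or None}}."""
    classes, descriptions = {}, {}
    section = current = None  # section is "policy", "classmap" or None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # unindented line opens a new block
            section = current = None
            m = re.match(r"class-map\s+(?:match-\w+\s+)?(\S+)$", line)
            if line == f"policy-map {policy}":
                section = "policy"
            elif m:
                section, current = "classmap", m.group(1)
        elif section == "policy":
            if m := re.match(r"class\s+(\S+)$", line):
                current = m.group(1)
                classes[current] = {"pps": None, "description": None}
            elif current and (m := re.match(r"police rate (\d+) pps", line)):
                classes[current]["pps"] = int(m.group(1))
        elif section == "classmap" and line.startswith("description "):
            descriptions[current] = line[len("description "):]
    for name, info in classes.items():
        info["description"] = descriptions.get(name)
    return classes

def unpoliced(classes):
    """Names of classes for which the config shows no police rate."""
    return [name for name, info in classes.items() if info["pps"] is None]
```

Run over saved configurations, `unpoliced(parse_copp(text))` gives a quick list of control-plane classes to review when auditing several switches.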
