11 Control Plane Policing (CoPP)
Control plane policing (CoPP) protects the Z9500 routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows. CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets. CoPP is only applied to control-plane packets destined to CPUs on the switch, and not to transit protocol-control packets and data traffic that is passing through the switch. CoPP prevents undesired or malicious traffic from reaching the control-plane CPUs and rate limits legitimate control-plane traffic to acceptable limits.
Z9500 CoPP Implementation
The Z9500 control plane consists of multi-core CPUs with internal queues for handling packets destined
to the Route Processor, Control Processor, and line-card CPUs.
On the Z9500, CoPP is implemented as a distributed architecture. In this architecture, CoPP operates simultaneously in both distributed and aggregated modes. Distributed CoPP is achieved by applying protocol rate-limiting on each port pipe on a line card. Aggregated CoPP is achieved by applying protocol rate-limiting followed by queue rate-limiting on the centralized control plane on the switch. Only aggregated CoPP rate limits are user-configurable. Distributed CoPP rate limits applied at the port-pipe level are internally derived from the aggregated CoPP configuration.
NOTE: The CoPP configurations described in this chapter only apply to aggregated CoPP operation on the Z9500.
To configure a CoPP service policy, you create extended ACL rules and specify rate limits in QoS policies.
QoS rate limits are applied to a protocol-based ACL filter or to a CPU queue.
User-configured ACLs that filter protocol traffic flows to the control plane are automatically applied or
disabled as the corresponding protocol is enabled or disabled in the system. In this way, control packets
from disabled protocols never reach the control plane.
Protocol-based Control Plane Policing
To configure a protocol-based CoPP policy, you create an extended ACL rule for the protocol and specify the rate limit in a QoS policy. It is not necessary to specify the CPU queue because the protocol-queue mapping is handled internally by the system. To display the protocol-queue mapping for protocols that you can configure for protocol-based CoPP, enter the show {mac | ip | ipv6} protocol-queue-mapping command.
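The following Python model is an added illustration and is not part of the Z9500 guide or the switch software. It reproduces the aggregated CoPP pipeline described above: a protocol ACL that is only installed while the protocol is enabled, a per-protocol rate limit, and then a rate limit on the CPU queue the protocol maps to. The protocol-to-queue table, the rates and the burst sizes are constructed values chosen for the example; the real mapping is whatever `show ip protocol-queue-mapping` reports on the switch.

```python
from collections import Counter

# Constructed protocol-to-CPU-queue mapping for the model; the real table is
# what `show ip protocol-queue-mapping` prints on the switch.
PROTOCOL_QUEUE = {"ospf": 6, "bgp": 6, "arp": 5, "icmp": 2}

class TokenBucket:
    """Packet-rate policer: `rate` packets/s with up to `burst` packets of credit."""
    def __init__(self, rate: float, burst: float) -> None:
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class AggregatedCopp:
    """Protocol ACL + protocol rate limit, then CPU-queue rate limit."""
    def __init__(self, protocol_limits, queue_limits, enabled_protocols):
        self.protocol = {p: TokenBucket(r, b) for p, (r, b) in protocol_limits.items()}
        self.queue = {q: TokenBucket(r, b) for q, (r, b) in queue_limits.items()}
        self.enabled = set(enabled_protocols)  # ACL for a disabled protocol is not installed
        self.stats = Counter()

    def admit(self, proto: str, now: float) -> str:
        if proto not in self.enabled:
            verdict = "drop:protocol-disabled"   # never reaches the control plane
        elif proto in self.protocol and not self.protocol[proto].allow(now):
            verdict = "drop:protocol-rate"       # per-protocol ACL rate limit
        elif not self.queue[PROTOCOL_QUEUE[proto]].allow(now):
            verdict = "drop:queue-rate"          # shared CPU-queue rate limit
        else:
            verdict = "accept"
        self.stats[verdict] += 1
        return verdict

def simulate_burst() -> dict:
    """Constructed flood at t=0: OSPF and BGP share queue 6; ARP and ICMP are separate."""
    copp = AggregatedCopp(
        protocol_limits={"ospf": (100, 10), "bgp": (100, 10), "arp": (50, 5)},
        queue_limits={6: (200, 15), 5: (100, 10), 2: (100, 10)},
        enabled_protocols={"ospf", "bgp", "arp"},  # ICMP disabled, so its filter is off
    )
    for proto, count in [("ospf", 100), ("bgp", 100), ("arp", 50), ("icmp", 10)]:
        for _ in range(count):
            copp.admit(proto, now=0.0)
    return dict(copp.stats)
```

The queue-stage drops on BGP show why aggregated CoPP applies the queue limit after the protocol limit: two protocols that each stay within their own budget can still exhaust the queue they share.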