CoPP – Control Plane Policing

Table of Contents

CoPP Config and Management

Examples

Limitations

CoPP Config and Management

The control plane policing (CoPP) feature increases security on the switch by protecting the CPU from unnecessary or DoS traffic and giving priority to the important control plane and management traffic.

"COPP_GROUP": {
           "default": {
                   "queue": "0",
                   "meter_type":"packets",
                   "mode":"sr_tcm",
                   "cir":"600",
                   "cbs":"600",
                   "red_action":"drop"
           },
           "queue4_group1": {
                   "trap_action":"trap",
                   "trap_priority":"4",
                   "queue": "4",
                   "meter_type":"packets",
                   "mode":"sr_tcm",
                   "cir":"6000",
                   "cbs":"6000",
                   "red_action":"drop"
           },
           "queue4_group2": {
                   "trap_action":"copy",
                   "trap_priority":"4",
                   "queue": "4",
                   "meter_type":"packets",
                   "mode":"sr_tcm",
                   "cir":"600",
                   "cbs":"600",
                   "red_action":"drop"
           },
...

2. “COPP_TRAP” manages traps for different types of traffic.

"COPP_TRAP": {
        "bgp": {
                "trap_ids": "bgp,bgpv6",
                "trap_group": "queue4_group1"
        },
        "lacp": {
                "trap_ids": "lacp",
                "trap_group": "queue4_group1",
                "always_enabled": "true"
        },
        "arp": {
                "trap_ids": "arp_req,arp_resp,neigh_discovery",
                "trap_group": "queue4_group2",
                "always_enabled": "true"
        },
        "lldp": {
                "trap_ids": "lldp",
                "trap_group": "queue4_group3"
        },
        "dhcp_relay": {
                "trap_ids": "dhcp,dhcpv6",
                "trap_group": "queue4_group3"
        },
        "udld": {
                "trap_ids": "udld",
                "trap_group": "queue4_group3",
                "always_enabled": "true"
        },
        "ip2me": {
                "trap_ids": "ip2me",
                "trap_group": "queue1_group1",
                "always_enabled": "true"
        },
        "macsec": {
                "trap_ids": "eapol",
                "trap_group": "queue4_group1"
        },
        "nat": {
                "trap_ids": "src_nat_miss,dest_nat_miss",
                "trap_group": "queue1_group2"
        },
        "sflow": {
                "trap_group": "queue2_group1",
                "trap_ids": "sample_packet"
        }
}

Examples

To check and change the sampling rate for ARP packets, we need to check the corresponding COPP_TRAP section:

"arp": {
        "trap_ids": "arp_req,arp_resp,neigh_discovery",
        "trap_group": "queue4_group2",
        "always_enabled": "true"
},

These traps belong to the queue4_group2 group, and in the COPP_GROUP section we can see:

"queue4_group2": {
        "trap_action":"copy",
        "trap_priority":"4",
        "queue": "4",
        "meter_type":"packets",
        "mode":"sr_tcm",
        "cir":"600",
        "cbs":"600",
        "red_action":"drop"
},

With meter_type set to packets and cir set to 600, we have a limit of 600 packets per second; packets above this rate are dropped, as red_action specifies.

Limitations

The user is expected to resolve any conflicts, for example for a trap ID or group, that arise from user-configured values.
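
The trap-to-group lookup from the Examples section, combined with a check for the conflicts mentioned under Limitations, as an added example (not code from this page or from the switch software). The function name `effective_limits`, the `arp_dup` entry and the single-object JSON layout are assumptions made for illustration; the other values are copied from the tables above.

```python
import json

# Constructed sample: groups and traps copied from the page, plus a
# hypothetical "arp_dup" trap that reuses a trap id already owned by "arp".
SAMPLE = json.loads("""
{
  "COPP_GROUP": {
    "queue4_group1": {"trap_action": "trap", "queue": "4", "meter_type": "packets",
                      "cir": "6000", "cbs": "6000", "red_action": "drop"},
    "queue4_group2": {"trap_action": "copy", "queue": "4", "meter_type": "packets",
                      "cir": "600", "cbs": "600", "red_action": "drop"}
  },
  "COPP_TRAP": {
    "bgp": {"trap_ids": "bgp,bgpv6", "trap_group": "queue4_group1"},
    "arp": {"trap_ids": "arp_req,arp_resp,neigh_discovery", "trap_group": "queue4_group2"},
    "arp_dup": {"trap_ids": "arp_req", "trap_group": "queue4_group1"},
    "lldp": {"trap_ids": "lldp", "trap_group": "queue4_group3"}
  }
}
""")

def effective_limits(cfg):
    """Resolve every trap id to its group's policer and collect conflicts."""
    groups, limits, problems = cfg.get("COPP_GROUP", {}), {}, []
    for name, trap in sorted(cfg.get("COPP_TRAP", {}).items()):
        group = groups.get(trap.get("trap_group"))
        if group is None:  # trap points at a group that is not defined
            problems.append(f"{name}: trap_group {trap.get('trap_group')!r} is not defined")
            continue
        for trap_id in filter(None, (t.strip() for t in trap.get("trap_ids", "").split(","))):
            if trap_id in limits:  # same trap id claimed twice; first entry kept for the report only
                problems.append(f"{name}: trap id {trap_id!r} already claimed by {limits[trap_id]['trap']}")
                continue
            limits[trap_id] = {"trap": name, "group": trap["trap_group"],
                               "cir": int(group["cir"]), "meter_type": group["meter_type"],
                               "red_action": group.get("red_action")}
    return limits, problems

if __name__ == "__main__":
    limits, problems = effective_limits(SAMPLE)
    for trap_id, lim in limits.items():
        print(f"{trap_id:16} {lim['group']:14} {lim['cir']} {lim['meter_type']}/s, red={lim['red_action']}")
    for p in problems:
        print("CONFLICT:", p)
```

The script only reports conflicts; which entry the switch actually applies when a trap id is duplicated is not stated on this page.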
