Control Plane Policing

Control Plane Policing (CoPP), available on the 5400R (v3-only mode), 3810M, and 2930 switch platforms, prevents floods of certain packet types from overloading the switch or module CPU by either rate-limiting or dropping those packets. The switch software provides a number of default classes of packets that can be rate-limited, including broadcasts, MAC notifications, routing protocols (BGP, OSPF, RIP), and spanning tree protocols (MSTP and PVST).

To enable CoPP using all pre-defined traffic classes and their default rate limits:

switch(config)# copp traffic-class all limit default

The following predefined traffic class definitions, default limits (in packets per second), and configurable limit ranges are included in ArubaOS-Switch:

Traffic Class                 Default Limit             Limit Range
-------------------------------------------------------------------
station-arp                   512                       8 to 1024
station-icmp                  128                       8 to 1024
station-ip                    512                       8 to 1024
ip-gateway-control            128                       8 to 512 
ospf                          512                       8 to 1024
bgp                           512                       8 to 1024
rip                           512                       8 to 1024
multicast-route-control       256                       8 to 1024
loop-ctrl-mstp                256                       8 to 512 
loop-ctrl-pvst                256                       8 to 512 
loop-ctrl-loop-protect        256                       8 to 512 
loop-ctrl-smart-links         256                       8 to 512 
layer2-control-others         512                       8 to 1024
udld-control                  256                       8 to 256 
sampling                      256                       8 to 512 
icmp-redirect                 64                        8 to 128 
unicast-sw-forward            512                       8 to 1024
multicast-sw-forward          512                       8 to 1024
mac-notification              512                       8 to 1024
exception-notification        256                       8 to 512 
broadcast                     512                       8 to 512 
unclassified                  64                        8 to 512

Users can also create up to 8 custom CoPP traffic classes that may either rate-limit or drop packets based on destination IPv4/IPv6 address and/or TCP or UDP port.

This example limits SNMP traffic entering the switch, regardless of destination IP address, to a maximum of 80 packets per second:

switch(config)# copp user-def 1 ipv4 any udp 161 limit 80

With this CoPP class configured, SNMP packets entering the switch in excess of the allowed 80 per second are dropped.

This second example causes all Telnet packets entering the switch to be dropped:

switch(config)# copp user-def 2 ipv4 any tcp 23 drop
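
An added example (not from the ArubaOS-Switch documentation): a Python check that audits the copp lines of a saved configuration against the limit ranges in the table above and the cap of 8 user-defined classes. It assumes a single class is configured as "copp traffic-class <name> limit <pps>", by analogy with the "all" form shown above, and that user-defined class IDs run from 1 to 8; the sample configuration is constructed.

```python
import re

# Upper bound (pps) per predefined class, from the table above; every
# range in that table starts at 8 pps.
BOUNDS = {
    1024: "station-arp station-icmp station-ip ospf bgp rip multicast-route-control "
          "layer2-control-others unicast-sw-forward multicast-sw-forward mac-notification",
    512: "ip-gateway-control loop-ctrl-mstp loop-ctrl-pvst loop-ctrl-loop-protect "
         "loop-ctrl-smart-links sampling exception-notification broadcast unclassified",
    256: "udld-control", 128: "icmp-redirect",
}
MAX_PPS = {name: hi for hi, names in BOUNDS.items() for name in names.split()}
MIN_PPS, MAX_USER_DEF = 8, 8  # up to 8 custom classes; IDs 1-8 are an assumption

# Assumption: a single class takes the same form as "all" does on the page.
TC_RE = re.compile(r"copp traffic-class (\S+) limit (\S+)$")
UD_RE = re.compile(r"copp user-def (\d+) ")

def audit(config):
    """Return (line_number, message) findings for the copp lines in config."""
    findings = []
    for num, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if m := TC_RE.match(line):
            name, limit = m.groups()
            hi = MAX_PPS.get(name)  # None for "all" and for unknown names
            if name != "all" and hi is None:
                findings.append((num, f"unknown traffic class {name}"))
            elif limit != "default" and (hi is None or not limit.isdigit()):
                findings.append((num, f"cannot check limit {limit} for {name}"))
            elif limit != "default" and not MIN_PPS <= int(limit) <= hi:
                findings.append((num, f"{name}: {limit} pps outside {MIN_PPS} to {hi}"))
        elif m := UD_RE.match(line):
            uid = int(m.group(1))
            if not 1 <= uid <= MAX_USER_DEF:
                findings.append((num, f"user-def ID {uid} outside 1 to {MAX_USER_DEF}"))
    return findings

# Constructed sample: the page's three commands plus four made-up lines.
SAMPLE = """\
copp traffic-class all limit default
copp traffic-class icmp-redirect limit 256
copp traffic-class ospf limit 1024
copp traffic-class udld-control limit 4
copp user-def 1 ipv4 any udp 161 limit 80
copp user-def 2 ipv4 any tcp 23 drop
copp user-def 9 ipv4 any tcp 22 limit 50
"""
```

Calling audit(SAMPLE) reports lines 2, 4 and 7: an icmp-redirect limit above 128, a udld-control limit below 8, and a user-defined class ID beyond the eighth.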

For more details, refer to the section “Control Plane Policing” in the chapter titled “Classifier-based software configuration” in the ArubaOS-Switch Advanced Traffic Management Guide.