Control Plane Policing

NOTE:

Control Plane Policing (CoPP) is available only on switches running KB software (3810 switch series) and in v3-only mode on the 5400R.

CoPP prioritizes traffic handled by the CPU and also serves to protect the device from Denial-of-Service (DoS) attacks.

Aruba OS now supports policing the different CPU traffic classes based on a user-configurable set of rate limits. The feature is disabled by default and can be enabled using a set of CoPP CLI commands, which can do either of the following:

  • Apply a default rate-limit profile to all traffic classes via a single command

  • Apply a rate limit on a per-traffic-class basis

The following types of traffic may be copied to the CPU:

  • Control plane. Packets sent or received at the switch or router CPU that form the network. Examples are OSPF, BGP, RIP, IGMP, and layer 2 control (for example, STP, PVST, loop-protect).

  • Data plane. User-generated traffic to be forwarded to another end host. Packets are copied to the CPU in the following cases:
    • Unknown IP destination packets (unicast and multicast).

    • MAC notifications (learns and moves), exception notifications (security violations), and broadcast packets.

  • Management plane. Traffic that is used to manage (access, monitor, and program) the network device (for example, Telnet, FTP, and SNMP). This traffic is handled by the appropriate applications running on the switch CPU.