Control Plane Policing (CoPP)

CoPP gives administrators a way to protect the switch's management processor from high packet loads, whether malicious or not, that could interfere with its ability to keep data plane traffic flowing. A denial-of-service attack, for example, can flood the management processor with traffic, slowing it down and degrading switch throughput.

A CoPP policy is composed of one or more classes. Each class names a target protocol and defines how traffic of that protocol is handled. Every policy also has a default class that regulates packets matching no other class. The following actions can be applied to all packets matching a class:

  • Drop the packets (not available for the default class).
  • Set the processing priority, in the range 0 to 7.
  • Set the maximum rate, in packets per second (pps), at which each line module can send matching packets to the management processor.
  • Set the maximum burst size, in packets, that each line module can send to the management processor.

Up to 32 CoPP policies can be defined, but only one can be active on the switch at a time.

A CoPP policy must always be active on the switch. By default, the switch has a CoPP policy named default, which is applied automatically at first boot.

After a reboot, the switch reapplies the CoPP policy that was active before the reboot, provided the running configuration had been saved to the startup configuration with the copy running-config startup-config command.

For GRE tunneled traffic, CoPP policies match on the encapsulated payload (the inner packet), not on the outer GRE header.

CoPP policies do not regulate traffic received on the Out-of-Band Management (OOBM) Ethernet port; packets arriving there reach the management processor regardless of the active policy.
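To make the mechanics described in this section concrete, the following is an added Python model of a switch enforcing a CoPP policy. It is illustrative code written for this page, not the switch vendor's implementation: it models classes with drop/priority/rate/burst actions, a default class that may not drop, the 32-policy limit with exactly one policy active, payload matching for GRE, and OOBM traffic that bypasses the policy. The protocol names, rates, burst sizes and the single per-class token bucket are assumptions chosen for illustration (a real switch enforces rate and burst per line module, in hardware).

```python
"""Software model of a CoPP policy (added example; names and numbers are illustrative)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable

MAX_POLICIES = 32          # up to 32 policies may be defined
DEFAULT_CLASS = "default"  # regulates packets that match no other class
TOKEN = 1_000_000          # one packet's worth of credit, in micro-tokens (keeps arithmetic exact)


@dataclass
class CoppClass:
    """One class: a target protocol and how its punted packets are managed."""
    protocol: str
    drop: bool = False
    priority: int = 0      # processing priority, 0..7
    rate_pps: int = 1000   # max packets/s sent to the management processor
    burst: int = 1000      # max burst, in packets
    _credit: int = field(init=False, repr=False, default=0)   # micro-tokens in the bucket
    _last_us: int = field(init=False, repr=False, default=0)  # time of last refill (microseconds)

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= 7:
            raise ValueError("priority must be in the range 0 to 7")
        if self.drop and self.protocol == DEFAULT_CLASS:
            raise ValueError("the default class cannot use the drop action")
        self._credit = self.burst * TOKEN  # bucket starts full

    def admit(self, now_us: int) -> bool:
        """Token bucket: refill at rate_pps, cap at burst, spend one token per packet.
        Assumption: one limiter per class (a real switch keeps one per line module)."""
        if self.drop:
            return False
        refill = (now_us - self._last_us) * self.rate_pps  # us * pps == micro-tokens
        self._credit = min(self.burst * TOKEN, self._credit + refill)
        self._last_us = now_us
        if self._credit >= TOKEN:
            self._credit -= TOKEN
            return True
        return False


class CoppPolicy:
    """A named policy: zero or more protocol classes plus the mandatory default class."""
    def __init__(self, name: str, default: CoppClass, classes: Iterable[CoppClass] = ()) -> None:
        if default.protocol != DEFAULT_CLASS:
            raise ValueError("every policy must carry a default class")
        self.name = name
        self.classes: Dict[str, CoppClass] = {c.protocol: c for c in classes}
        self.classes[DEFAULT_CLASS] = default

    def classify(self, pkt: dict) -> CoppClass:
        # GRE-tunneled traffic is matched on the encapsulated payload, not the GRE header
        proto = pkt["inner"] if pkt["proto"] == "gre" else pkt["proto"]
        return self.classes.get(proto, self.classes[DEFAULT_CLASS])


class ControlPlane:
    """Holds up to MAX_POLICIES policies; exactly one is active at all times."""
    def __init__(self) -> None:
        self.policies: Dict[str, CoppPolicy] = {}
        # the built-in 'default' policy is applied at first boot (its numbers are assumed)
        self.define(CoppPolicy("default", CoppClass(DEFAULT_CLASS, rate_pps=500, burst=500)))
        self.active = "default"

    def define(self, policy: CoppPolicy) -> None:
        if policy.name not in self.policies and len(self.policies) >= MAX_POLICIES:
            raise RuntimeError(f"at most {MAX_POLICIES} CoPP policies may be defined")
        self.policies[policy.name] = policy

    def apply(self, name: str) -> None:
        """Activating a policy replaces the current one; the switch is never without one."""
        if name not in self.policies:
            raise KeyError(name)
        self.active = name

    def process(self, packets: Iterable[dict]) -> Counter:
        """Run punted packets through the active policy; returns (class, verdict) -> count."""
        policy = self.policies[self.active]
        verdicts: Counter = Counter()
        for pkt in sorted(packets, key=lambda p: p["t_us"]):
            if pkt.get("port") == "oobm":  # OOBM port traffic is not regulated by CoPP
                verdicts[("oobm", "admitted")] += 1
                continue
            cls = policy.classify(pkt)
            ok = cls.admit(pkt["t_us"])
            verdicts[(cls.protocol, "admitted" if ok else "dropped")] += 1
        return verdicts


def demo() -> Counter:
    """Constructed traffic: an ARP flood (50 packets in 10 ms), a trickle of OSPF including one
    OSPF packet inside GRE, two telnet packets, 30 packets of an unclassified protocol, and one
    SSH packet arriving on the OOBM port."""
    cp = ControlPlane()
    cp.define(CoppPolicy("hardened", CoppClass(DEFAULT_CLASS, priority=0, rate_pps=100, burst=20),
                         [CoppClass("arp", priority=2, rate_pps=1000, burst=10),
                          CoppClass("ospf", priority=7, rate_pps=500, burst=50),
                          CoppClass("telnet", drop=True)]))
    cp.apply("hardened")
    pkts = [{"t_us": 200 * i, "proto": "arp"} for i in range(50)]
    pkts += [{"t_us": t, "proto": "ospf"} for t in (0, 5_000, 10_000)]
    pkts += [{"t_us": 2_000, "proto": "gre", "inner": "ospf"}]
    pkts += [{"t_us": 3_000, "proto": "telnet"}, {"t_us": 4_000, "proto": "telnet"}]
    pkts += [{"t_us": 0, "proto": "snmp"} for _ in range(30)]
    pkts += [{"t_us": 1_000, "proto": "ssh", "port": "oobm"}]
    return cp.process(pkts)


if __name__ == "__main__":
    for (cls, verdict), n in sorted(demo().items()):
        print(f"{cls:8} {verdict:9} {n}")
```

Running the demo shows the effect of the actions: the ARP flood (about 5,000 pps against a 1,000 pps limit with a burst of 10) gets 19 packets through and loses 31; OSPF, including the OSPF packet carried in GRE, is admitted in full because it is classified on the payload; telnet is dropped outright; the unclassified SNMP burst is trimmed by the default class; and the OOBM packet is counted without ever touching a limiter.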