Classes of traffic

The different classes of traffic that can be individually configured are:

  • acl-logging: Access Control List logging packets.

  • arp-broadcast: Address Resolution Protocol packets with a broadcast destination MAC address.

  • arp-unicast: Address Resolution Protocol packets with a switch system destination MAC address.

  • arp-protect: Address Resolution Protocol packets intercepted and inspected for ARP protection.

  • bfd-control: Bidirectional Forwarding Detection (BFD) control packets with a destination IP address owned by the switch.

  • bgp-ipv4: Border Gateway Protocol packets with a destination IPv4 address owned by the switch and TCP as the Layer 4 protocol.

  • dhcp: Dynamic Host Configuration Protocol packets with a local destination address and UDP as the Layer 4 protocol. Also includes snooped DHCP packets if DHCP snooping is enabled.

  • hypertext: Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) packets.

  • icmp-broadcast-ipv4: Internet Control Message Protocol packets with the broadcast destination IPv4 address 255.255.255.255 or a destination IPv4 subnet broadcast address.

  • icmp-multicast-ipv6: Internet Control Message Protocol packets with a well-known multicast destination IPv6 address.

  • icmp-unicast-ipv4: Internet Control Message Protocol packets with a destination IPv4 address owned by the switch.

  • icmp-unicast-ipv6: Internet Control Message Protocol packets with a destination IPv6 address owned by the switch.

  • igmp: Internet Group Management Protocol packets.

  • ip-exceptions: Internet Protocol exception packets with TTL == 1 that are forwarded through the switch (or hop limit == 1 in the case of IPv6), as well as ICMP redirects.

  • ipsec: Internet Protocol Security IPv4 or IPv6, unicast or configured multicast. All IPsec traffic received by the CPU will be regulated by the 'ipsec' class regardless of the encapsulated protocol.

  • ipv4-options: Unicast IPv4 packets including option headers.

  • lacp: Link Aggregation Control Protocol packets with the destination MAC address 01:80:c2:00:00:02.

  • lldp: Link Layer Discovery Protocol packets with the destination MAC address 01:80:c2:00:00:0e.

  • loop-protect: Loop Protection packets with the destination MAC address 09:00:09:09:13:a6.

  • mirror-to-cpu: Packets from a mirroring session configured to deliver to the console.

  • mld: Multicast Listener Discovery packets of type V1 or V2 with an IPv6 address of FF00::/8, FF02::16 or FF02::2.

  • mvrp: Multiple VLAN Registration Protocol packets with the destination MAC address 01:80:c2:00:00:20 or 01:80:c2:00:00:21.

  • ntp: Network Time Protocol packets with a destination address owned by the switch and UDP as the Layer 4 protocol.

  • ospf-multicast: Open Shortest Path First packets with the multicast destination IPv4 address 224.0.0.5 or 224.0.0.6, or IPv6 address FF02::5 or FF02::6. Also includes OSPF multicast packets received from a 6in6 tunnel.

  • ospf-unicast: Open Shortest Path First packets with a local destination IPv4 address or IPv6 address. Also includes OSPF unicast packets received from a 6in6 tunnel.

  • pim: Protocol Independent Multicast packets with the destination IPv4 address 224.0.0.13 or IPv6 address FF02::D, or Multicast Source Discovery Protocol (MSDP) packets, or with a destination IP address owned by the switch. Also includes PIM packets received from a 6in6 tunnel.

  • sflow: Packet headers sampled by the switch that will be sent to the sFlow collector.

  • ssh: Secure Shell (SSH) or Secure File Transfer Protocol (SFTP) packets. Dropping ssh packets will result in the connection to the CLI being lost.

  • stp: Spanning Tree Protocol (STP) packets with the destination MAC address 01:80:c2:00:00:00 or Per-VLAN Spanning Tree (PVST) packets with the destination MAC address 01:00:0c:cc:cc:cd.

  • udld: Unidirectional Link Detection packets with the destination MAC address 01:00:0c:cc:cc:cc or 00:e0:52:00:00:00.

  • unknown-multicast: Packets with an unknown multicast destination IP address. Also includes unknown multicast packets received from a 6in6 tunnel.

  • unresolved-ip-unicast: Packets to be software forwarded by the management processor.

  • vrrp: Virtual Router Redundancy Protocol packets with the destination IPv4 address 224.0.0.18 or IPv6 address FF02:0:0:0:0:0:0:12 or VSX-Keepalive packets.

Every CoPP policy also has a class named 'default', which can be configured to regulate any other traffic destined for the CPU or to prevent that traffic from being delivered.

NOTE:

All IPsec traffic received by the CPU will be regulated by the 'ipsec' class regardless of the encapsulated protocol.

When ARP protection is enabled on the system, all ARP traffic will be regulated by the arp-protect class, regardless of the ARP destination and configuration of arp-broadcast or arp-unicast CoPP classes.