Classes of traffic

The different classes of traffic that can be individually configured are:

  • acl-logging: Access Control List logging packets.

  • arp-broadcast: Address Resolution Protocol packets with a broadcast destination MAC address.

  • arp-protect: Address Resolution Protocol packets intercepted and inspected for ARP protection.

  • arp-unicast: Address Resolution Protocol packets with a switch system destination MAC address.

  • bfd-control: Bidirectional Forwarding Detection (BFD) control packets with a destination IP address owned by the switch.

    NOTE: The bfd-control class is not supported for 6200 switch.
  • bgp: Border Gateway Protocol packets with a destination IPv4 or IPv6 address owned by the switch.

    NOTE: The bgp class is not supported for 6200 switch.
  • captive-portal: Packets intercepted in support of the Captive Portal feature.

  • dhcp: Dynamic Host Configuration Protocol packets. Also includes snooped DHCP packets if DHCP snooping is enabled.

  • erps: Ethernet Ring Protection Switching control packets with the destination MAC address 01:19:a7:00:00:XX, where XX can be any value.

  • icmp-broadcast-ipv4: Internet Control Message Protocol packets with a broadcast or multicast destination IPv4 address.

  • icmp-multicast-ipv6: Internet Control Message Protocol packets with a well-known multicast destination IPv6 address.

  • icmp-security-ipv6: IPv6 Internet Control Message Protocol packets intercepted and inspected.

  • icmp-unicast-ipv4: Internet Control Message Protocol packets with a destination IPv4 address owned by the switch

  • icmp-unicast-ipv6: Internet Control Message Protocol packets with a destination IPv6 address owned by the switch.

  • ieee-8021x: IEEE 802.1X protocol packets with EtherType 0x0888E.

  • igmp: Internet Group Management Protocol packets.

  • ip-exceptions: Routable packets that would exceed the MTU for the egress interface, packets that trigger ICMP redirects, and packets with TTL/hop_limit=1 that are discarded when routing through the switch.

  • ip-lockdown: Packets denied and logged due to violation of allowed "IP address/VLAN/port/MAC address" association.

  • ip-tracker: Track packets received for client IP address tracking.

    NOTE: The ip-tracker class is not supported for 6300 and 6400 switches.
  • ipsec: Internet Protocol Security IPv4 or IPv6, unicast or configured multicast. All IPsec traffic received by the CPU will be regulated by the ipsec class regardless of the encapsulated protocol.

  • ipv4-options: Unicast IPv4 packets including option headers.

  • lacp: Link Aggregation Control Protocol packets with the destination MAC address 01:80:c2:00:00:02.

  • lldp: Link Layer Discovery Protocol packets with the destination MAC address 01:80:c2:00:00:0e.

  • loop-protect: Loop Protection packets with the destination MAC address 09:00:09:09:13:a6.

  • mac-lockout: Packets denied and logged due to locked-out MAC address.

  • manageability: Unicast IP packets addressed to the switch for specific protocols that do not have a dedicated CoPP class like HTTP, SSH, RADIUS.

  • mirror-to-cpu: Packets from mirroring session configured to deliver to the console.

  • mld: Multicast Listener Discovery packets of type V1 or V2 with an IPv6 address of FF00::/8, FF02::16 or FF02::2.

  • mvrp: Multiple VLAN Registration Protocol packets with the destination MAC address 01:80:c2:00:00:20 or 01:80:c2:00:00:21

  • ntp: Network Time Protocol packets with a destination IP address owned by the switch.

  • ospf-multicast: Open Shortest Path First packets with the multicast destination IPv4 address 224.0.0.5 or 224.0.0.6, or IPv6 address FF02::5 or FF02::6.

  • ospf-unicast: Open Shortest Path First packets with a local destination IPv4 address or IPv6 address.

  • pim: Protocol Independent Multicast packets with the destination IPv4 address 224.0.0.13 or IPv6 address FF02::D, or with a destination IP address owned by the switch.

    NOTE: The pim class is not supported for 6200 switch.
  • secure-learn: Packets intercepted and inspected to see if source MAC address is allowed on the port.

  • sflow: Packet headers sampled by the switch that will be sent to the sFlow collector.

  • stp: Spanning Tree Protocol (STP) packets with the destination MAC address 01:80:c2:00:00:00 or Per-VLAN Spanning Tree (PVST) packets with the destination MAC address 01:00:0c:cc:cc:cd.

  • udld: Unidirectional Link Detection packets with the destination MAC address 01:00:0c:cc:cc:cc or 00:e0:52:00:00:00, or Cisco Discovery Protocol packets with the destination MAC address 01:00:0c:cc:cc:cc.

  • unknown-multicast: Packets with an unknown multicast destination IP address.

  • unresolved-ip-unicast: Packets to be software forwarded by the management processor.

  • vrrp: Virtual Router Redundancy Protocol packets with the destination IPv4 address 224.0.0.18 or IPv6 address FF02::12, or VSX-Keepalive packets.

    NOTE: The vrrp class is not supported for 6200 switch.
To regulate any other traffic destined for the CPU, every CoPP policy has a class named default that can also be configured to regulate other traffic to the CPU or prevent other traffic from being delivered.
NOTE:

All IPsec traffic received by the CPU will be regulated by the ipsec class regardless of the encapsulated protocol.

When ARP protection is enabled on the system, all ARP traffic will be regulated by the arp-protect class, regardless of the ARP destination and configuration of arp-broadcast or arp-unicast CoPP classes.

Packets for each of the CoPP classes above may have arrived through a tunnel, if tunneling was enabled.