Overview

CoPP provides a way for administrators to protect the management processor on the switch from high packet loads (generated by malicious or nonmalicious sources) that might interfere with its ability to keep data plane traffic flowing. For example, a denial-of-service attack can generate excessive traffic that slows down the management processor and reduces switch throughput.

A CoPP policy is composed of one or more classes. Each class defines one or more target protocols and how their traffic is managed. Every policy also has a default class to regulate packets that do not match any other class. The following actions can be applied for all packets matching a class:

  • Drop the packets. (This action is not available for the default class.)

Up to 32 CoPP policies can be defined, but only one can be active on the switch at a time.

A CoPP policy must always be active on the switch. By default, the switch has a CoPP policy named default which is automatically applied at first boot.

When the switch is rebooted, the CoPP policy that was active before the reboot is reapplied if it was saved to the startup configuration with the copy running-config startup-config command.

For GRE tunneled traffic, CoPP policies match on the payload.

CoPP policies do not regulate traffic received from the Out-of-Band-Management (OOBM) Ethernet port.