Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 44 Configuring Control Plane Policing and Layer 2 Control Packet QoS
Configuring Control Plane Policing
Class system-cpp-cgmp
Class system-cpp-ospf
Class system-cpp-hsrpv2
Class system-cpp-igmp
Class system-cpp-pim
Class system-cpp-all-systems-on-subnet
Class system-cpp-all-routers-on-subnet
Class system-cpp-ripv2
Class system-cpp-ip-mcast-linklocal
Class system-cpp-dhcp-cs
Class system-cpp-dhcp-sc
Class system-cpp-dhcp-ss
* Class telnet-class
police 80000 1000 byte conform-action drop exceed-action drop
Control Plane Policing Configuration Guidelines and Restrictions
When using (or configuring) control plane policing, consider these guidelines and restrictions:
All supervisor engines
When configuring CoPP, consider these guidelines:
• Only ingress CoPP is supported. Only the input keyword is supported in control plane-related CLIs.
• Control plane traffic can be policed only through CoPP. Traffic cannot be policed at the input
interface or VLAN even though a policy map containing the control plane traffic is accepted when
the policy map is attached to an interface or VLAN.
• Use ACLs and class maps to identify data plane and management plane traffic that is handled by
the CPU. User-defined class maps should be added to the system-cpp-policy policy map for CoPP.
• The default system-cpp-policy policy map does not define actions for the system-defined class maps
(no policing).
• The only action supported in system-cpp-policy is police.
• You can use both MAC and IP ACLs to define data plane and management plane traffic classes.
However, if a packet also matches a predefined ACL for the control plane traffic, a police (or no
police) action will operate on the control plane class because the control plane classes appear above
the user-defined classes in the service policy.
• The exceeding action policed-dscp-transmit is not supported for CoPP.
• Do not use the log keyword in CoPP policy ACLs. Instead, to determine whether rogue packets
are arriving, view the output of the show policy-map interface command or use the SPAN feature.
The following guidelines do not apply to Catalyst 4900M, Catalyst 4948E, Supervisor Engine 6-E, and Supervisor Engine 6L-E:
• To police control plane traffic, use the system-defined class maps.
• System-defined class maps cannot be used in policy maps for regular QoS.
• The policy map named system-cpp-policy is dedicated for CoPP.
• CoPP is not enabled unless global QoS is enabled and a police action is specified.
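The audit below checks running-config text against four of the guidelines above: ingress only, police as the only action in system-cpp-policy, no policed-dscp-transmit, and no log keyword in CoPP ACLs. It is an added example, not code from the Cisco guide; the function names, the assumption that child lines are indented under their top-level line, and the sample configuration are constructed for illustration.

```python
import re

def parse_sections(config):
    """Group indented child lines under each top-level IOS config line."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw[:1] not in ("", " ", "!"):
            current = sections.setdefault(raw.strip(), [])
        elif raw.strip() not in ("", "!") and current is not None:
            current.append(raw.strip())
    return sections

def acl_entries(sec, acl):  # entries of a named (ip/mac) or numbered ACL
    named = [e for h, b in sec.items() for e in b
             if re.fullmatch(rf"(ip|mac) access-list \S+ {re.escape(acl)}", h)]
    return named + [h for h in sec if h.startswith(f"access-list {acl} ")]

def audit_copp(config, policy="system-cpp-policy"):
    """Return findings for the CoPP guidelines listed above."""
    sec, findings, classes = parse_sections(config), [], []
    for line in sec.get("control-plane", []):
        if line.startswith("service-policy ") and line.split()[1] != "input":
            findings.append(f"only ingress CoPP is supported: {line}")
    for line in sec.get(f"policy-map {policy}", []):
        if line.startswith("class "):
            classes.append(line.split()[1])
        elif not line.startswith("police "):
            findings.append(f"only police is supported in {policy}: {line}")
        elif "policed-dscp-transmit" in line:
            findings.append(f"policed-dscp-transmit is not supported: {line}")
    for header, body in sec.items():  # class maps referenced by the CoPP policy
        if header.startswith("class-map ") and header.split()[-1] in classes:
            for acl in re.findall(r"match access-group (?:name )?(\S+)", "\n".join(body)):
                findings += [f"log keyword in CoPP ACL {acl}: {e}"
                             for e in acl_entries(sec, acl) if "log" in e.split()]
    return findings

# Constructed sample configuration (not taken from the guide); violates three guidelines.
SAMPLE = """\
ip access-list extended telnet-acl
 permit tcp any any eq telnet log
class-map match-all telnet-class
 match access-group name telnet-acl
policy-map system-cpp-policy
 class telnet-class
  police 80000 1000 byte conform-action transmit exceed-action policed-dscp-transmit
control-plane
 service-policy output system-cpp-policy
"""
```

Calling audit_copp(SAMPLE) returns one finding each for the output service policy, the policed-dscp-transmit action, and the log keyword in telnet-acl.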