Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 36 Configuring Denial of Service Protection
Understanding How Control Plane Policing Works
The control plane policing (CoPP) feature increases security on the Cisco 7600 series router by
protecting the MSFC from unnecessary or DoS traffic and giving priority to important control plane and
management traffic. The PFC3 and DFC3 provide hardware support for CoPP, and CoPP works together with
the PFC3 rate limiters.
Note: The Supervisor Engine 2 does not support CoPP.
The PFC3 supports built-in “special case” rate limiters that can be used when an ACL cannot classify
particular scenarios, such as IP options cases, TTL and MTU failure cases, packets with errors, and
multicast packets. When the special-case rate limiters are enabled, they override the CoPP policy for
packets matching the rate-limiter criteria.
The traffic managed by the MSFC is divided into three functional components or planes:
• Data plane
• Management plane
• Control plane
The majority of traffic managed by the MSFC is handled by way of the control and management planes.
You can use CoPP to protect the control and management planes and to ensure routing stability,
reachability, and packet delivery. CoPP uses a dedicated control plane configuration through the modular
QoS CLI (MQC) to provide filtering and rate-limiting capabilities for packets destined to the control plane.
CoPP Default Configuration
CoPP is disabled by default.
CoPP Configuration Guidelines and Restrictions
When configuring CoPP, follow these guidelines and restrictions:
• In releases earlier than Release 12.2(18)SXE, the PFC3 does not support the MQC class-default in
hardware; the class-default is replaced with a normal class map. If you define a catch-all class map (an
ACL that permits any IP traffic) as that normal class, the MQC class-default is supported in hardware.
• Classes that match multicast are not applied in hardware but are applied in software.
• CoPP is not supported in hardware for broadcast packets. The combination of ACLs, traffic storm
control, and CoPP software protection provides protection against broadcast DoS attacks.
• CoPP does not support ARP policies. ARP policing mechanisms provide protection against ARP
storms.
• CoPP does not support non-IP classes except for the default non-IP class. ACLs can be used instead
of non-IP classes to drop non-IP traffic, and the default non-IP CoPP class can be used to limit the
non-IP traffic that reaches the RP CPU.
• Do not use the log keyword in CoPP policy ACLs.
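The following configuration is an added example illustrating the MQC-based control plane policy described above and the guidelines just listed; it is not taken from this configuration guide. The ACL names, class and policy names, address ranges (documentation prefixes 192.0.2.0/24 and 198.51.100.0/24) and policing rates are assumptions chosen for illustration and must be adapted to the site. The ACLs deliberately omit the log keyword, and a catch-all class is defined so that class-default is handled in hardware on releases earlier than 12.2(18)SXE.

```cisco
! Added example, not from the configuration guide. Names, prefixes and
! rates are assumptions for illustration only.
!
! 1. Classify with extended ACLs. No "log" keyword in CoPP ACLs.
ip access-list extended COPP-ROUTING
 permit tcp 192.0.2.0 0.0.0.255 any eq bgp
 permit tcp 192.0.2.0 0.0.0.255 eq bgp any
 permit ospf any any
!
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
!
! Catch-all class for all remaining IP traffic; with this class present the
! MQC class-default is supported in hardware on pre-12.2(18)SXE releases.
ip access-list extended COPP-CATCHALL
 permit ip any any
!
! 2. Map each ACL to a class.
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-CATCHALL
 match access-group name COPP-CATCHALL
!
! 3. Police each class. Routing traffic is measured but never dropped
!    (exceed-action transmit) so that a policy mistake cannot take down
!    adjacencies; management and catch-all traffic is dropped above its rate.
policy-map COPP
 class COPP-ROUTING
  police 4000000 125000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 500000 15625 conform-action transmit exceed-action drop
 class COPP-CATCHALL
  police 200000 6250 conform-action transmit exceed-action drop
 class class-default
  police 100000 3125 conform-action transmit exceed-action drop
!
! 4. Attach the policy to the control plane in the input direction.
control-plane
 service-policy input COPP
```

After applying the policy, use show policy-map control-plane input to check that each class is matching the traffic you expect and that the drop counters are not climbing for the routing or management classes. Keep in mind the restrictions above when reading the counters: a class that matches multicast is enforced in software rather than on the PFC3, and broadcast and ARP traffic are not policed by this policy at all, so they still need traffic storm control and the ARP policing mechanisms.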