2.1.1 Configure Control Plane Policing

Information

Control Plane Policing (CoPP) is used to create a set of policies governing specific traffic. Normally this limits the volume and type of traffic that can be directed to the IP addresses on the device, since such traffic must usually be handled in process mode by the switch CPU. For instance, limiting the volume of ICMP traffic that can be sent to a device IP both limits the CPU impact of that traffic and limits the bandwidth that this traffic can consume. With 10 Gb and faster interfaces available, both of these considerations are important.

Rationale:

You must configure control plane class maps for control plane policies.

You can classify traffic by matching packets based on existing ACLs. The permit and deny ACL keywords are ignored in the matching.

You can configure policies for IP version 4 (IPv4) and IP version 6 (IPv6) packets.

Impact:

Configuring Control Plane Policing limits the impact of traffic (diagnostic or malicious) on the CPU and interfaces of the device. It also limits the impact of this traffic on available bandwidth: it cannot restrict how much traffic is sent, but it does limit how much is processed, and therefore the volume of reply traffic.
In many DoS attacks the attacker ideally wants the volume of the reply traffic to exceed the traffic sent; getting the victim to 'amplify' the attack is almost always a desired goal of the attacker. Such a DoS attack can then be directed at a third 'victim' host by the use of spoofing, or the DoS attack may be aimed only at the vulnerable device or host itself (in this case the NX-OS switch).

Solution

Normally the 'strict' Control Plane Policing policy is recommended. If additional protections are required for a specific situation, this policy can be copied; the copy can then be modified and applied.
As the command's response notes, applying a CoPP policy may disrupt other control traffic.

switch(config)# copp profile strict
This operation can cause disruption of control traffic. Proceed (y/n)? [no] y
switch(config)#

Default Value:

By default, the 'strict' Control Plane Policing Policy is in place.

CISNXOS9# sho run | i copp

copp profile strict

The pre-configured COPP Policies that are available are:

Strict - This policy is one rate, two color. This setting gives the NX-OS switch the best DoS protection of the five options available.

Moderate - This policy is one rate, two color. The important class burst size is greater than in the strict policy but less than in the lenient policy.

Lenient - This policy is one rate, two color. The important class burst size is greater than in the moderate policy but less than in the dense policy.

Dense - This policy is one rate, two color. The policer CIR values are less than in the strict policy.

Skip - No control plane policy is applied. (Not recommended)
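As an added example, not part of the benchmark text, the following Python check classifies the CoPP state from running-config output in the terms this page uses: the strict profile passes, the other predefined profiles and skip fail, and a customized copy of strict is flagged for manual review. The sample configuration excerpts are constructed, and the assumption that a profile copied with a prefix keeps 'copp-policy-strict' in its policy name is mine.

```python
import re

# The five predefined NX-OS CoPP profiles this page lists, strongest first.
PREDEFINED = ("strict", "moderate", "lenient", "dense", "skip")

def assess_copp(running_config: str) -> dict:
    """Classify CoPP state from 'show running-config' text: pass / review / fail."""
    profile = None        # name from a top-level 'copp profile <name>' line
    custom_policy = None  # 'service-policy input' attached under 'control-plane'
    in_control_plane = False
    for line in running_config.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if not line.startswith(" "):            # top-level command
            in_control_plane = (line == "control-plane")
            m = re.match(r"^copp profile (\S+)$", line)
            if m:
                profile = m.group(1).lower()
        elif in_control_plane:                  # indented line inside control-plane
            m = re.match(r"^\s+service-policy input (\S+)$", line)
            if m:
                custom_policy = m.group(1)
    if profile == "strict":
        return {"status": "pass", "profile": profile, "reason": "strict profile applied"}
    if profile == "skip":
        return {"status": "fail", "profile": profile, "reason": "no control plane policy"}
    if profile in PREDEFINED:
        return {"status": "fail", "profile": profile, "reason": "weaker than strict"}
    if custom_policy is not None:
        # Assumption: a copy made with 'copp copy profile strict prefix <p>' keeps
        # 'copp-policy-strict' in its name; anything else needs a manual review.
        derived = custom_policy.endswith("copp-policy-strict")
        return {"status": "review", "profile": custom_policy,
                "reason": "copy of strict, verify changes" if derived else "unknown custom policy"}
    return {"status": "fail", "profile": None, "reason": "no CoPP configured"}

# Constructed sample running-config excerpts (not captured from a real device).
SAMPLE_STRICT = "hostname CISNXOS9\ncopp profile strict\ninterface mgmt0\n  vrf member management\n"
SAMPLE_CUSTOM = ("hostname CISNXOS9\npolicy-map type control-plane lab-copp-policy-strict\n"
                 "  class lab-copp-class-critical\ncontrol-plane\n"
                 "  service-policy input lab-copp-policy-strict\n")
SAMPLE_SKIP = "hostname CISNXOS9\ncopp profile skip\n"

if __name__ == "__main__":
    for name, cfg in (("strict", SAMPLE_STRICT), ("custom", SAMPLE_CUSTOM), ("skip", SAMPLE_SKIP)):
        print(name, assess_copp(cfg))
```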

See Also

https://workbench.cisecurity.org/files/3102

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Cisco

Control ID: b2a83b5f889a04b86de96cddde3b985d967d54613fde63a9d9a15856f3678604