hit counter script

Classification For Copp; Rate Controlling Mechanisms - Cisco Nexus 9000 Series Configuration Manual

Nx-os security configuration guide, release 9.x
Hide thumbs Also See for Nexus 9000 Series:
Table of Contents

Advertisement

Configuring Control Plane Policing
Receive packets
Exception packets
Redirected packets
Glean packets
All of these different packets could be maliciously used to attack the control plane and overwhelm the Cisco
NX-OS device. CoPP classifies these packets to different classes and provides a mechanism to individually
control the rate at which the supervisor module receives these packets.

Classification for CoPP

For effective protection, the Cisco NX-OS device classifies the packets that reach the supervisor modules to
allow you to apply different rate controlling policies based on the type of the packet. For example, you might
want to be less strict with a protocol packet such as Hello messages but more strict with a packet that is sent
to the supervisor module because the IP option is set. You configure packet classifications and rate controlling
policies using class maps and policy maps.

Rate Controlling Mechanisms

Once the packets are classified, the Cisco NX-OS device has different mechanisms to control the rate at which
packets arrive at the supervisor module. Two mechanisms control the rate of traffic to the supervisor module.
One is called policing and the other is called rate limiting.
Using hardware policers, you can define separate actions for traffic that conforms to or violates certain
conditions. The actions can transmit the packet, mark down the packet, or drop the packet.
You can configure the following parameters for policing:
Committed information rate (CIR)
Packets that have the destination address of a router. The destination address can be a Layer 2 address
(such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These
packets include router updates and keepalive messages. Multicast packets can also be in this category
where packets are sent to multicast addresses that are used by a router.
Packets that need special handling by the supervisor module. For example, if a destination address is not
present in the Forwarding Information Base (FIB) and results in a miss, the supervisor module sends an
ICMP unreachable packet back to the sender. Another example is a packet with IP options set.
The following exceptions are possible from line cards only:
• match exception ip option
• match exception ipv6 option
• match exception ttl-failure
The following exceptions are possible from fabric modules only:
• match exception ipv6 icmp unreachable
• match exception ip icmp unreachable
The following exceptions are possible from line cards and fabric modules:
• match exception mtu-failure
Packets that are redirected to the supervisor module.
If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module
receives the packet and sends an ARP request to the host.
Desired bandwidth, specified as a bit rate or a percentage of the link rate.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Classification for CoPP
455

Hide quick links:

Advertisement

Table of Contents
loading

Table of Contents

Save PDF