7.9. Configuring COPP ACL

Overview

Function Introduction

COPP is mainly used to diacard or limit the rate of the packets which is transmitted to cpu. It guarantees that cpu can deal with traffic normally. In the base of original exception, copp can make a careful control of the packets transmitted to cpu.

Principle Description

The following terms and concepts are used to describe ACL:

Access control entry (ACE): Each ACE includes an action element (permit or deny) and a series of filter element based on criteria such as source address, destination address, protocol, and protocol-specific parameters.
COPP ACL:COPP ACL deals with packets according to their exceptions, the system can support the following exceptions: any,ipda, fwd-to-cpu, slow-protocol, bpdu, erps, eapol, smart-link, dhcp, rip,ospf, pim, bgp, vrrp, ldp, ptp, rsvp, icmp-redirect, mcast-rpf-fail,macsa-mismatch,vlan-security-discard, post-security-discard, ip-option,udld,dot1x-mac-bypass, 12protocol-tunnel, arp, igmp, ssh, telnet, mlag. COPP only deals with the packets transmitted to cpu, it will not handle the forwarding packets.
Time Range: Time range can define a period of time only between which the ACE can be valid if the ACE is associated to the time range.

Configuration

In this example, use COPP ACL on interface eth-0-1, to discard the packets with arp exception transmitted to cpu. In the first place, you can use ixia to create a packet, Destination Address:0058.3F11.065D, Source Address:0000.0010.0000, the type of arp is arp-request, Sender Hardware Address:0000.0000.0000, Target Protocol Address:10.0.0.1,the rest configuration information is as follows.

step 1 Enter the configure mode

Switch# configure terminal

step 2 Create copp access list

copp access list:

Switch(config)# control-plane access-list test1
Switch(config-cp-acl)# deny exception arp arp-request
Switch(config-cp-acl)# exit

step 3 Create class-map, and bind the copp access list

Switch(config)# class-map type control-plane cmap1
Switch(config-cmap-cp)# match access-group test1
Switch(config-cmap-cp)# exit

step 4 Create policy-map and bind the class map

Switch(config)# policy-map type control-plane pmap1
Switch(config-pmap-cp)# class type control-plane cmap1
Switch(config-pmap-cp-c)# exit
Switch(config-pmap-cp)# exit

step 5 Apply the policy to the interface

Switch(config)# control-plane
Switch(config-control-plane)# service-policy type control-plane input pmap1

step 6 Exit the configure mode

Switch(config)# end

step 7 Validation

The result of show running-config is as follows:

Switch# show running-config
control-plane access-list test1
10 deny exception arp arp-request
 !
class-map type control-plane cmap1
match access-group test1
 !
policy-map type control-plane pmap1
class type control-plane cmap1

control-plane
service-policy type control-plane input pmap1

The result of show cpu traffic-statistics receive is as follows:

Switch# show cpu traffic-statistics receive
statistics rate time is 5 second(s)
reason count(packets) rate(pps)
arp 1029059 0
total 1029059 0

Application cases

N/A

latest.20241106