Restrictions for CoPP
Restrictions for control plane policing (CoPP) include the following:
- Only ingress CoPP is supported. The system-cpp-policy policy-map is available on the control plane interface, and only in the ingress direction.
- Only the system-cpp-policy policy-map can be installed on the control plane interface.
- The system-cpp-policy policy-map and the 17 system-defined classes cannot be modified or deleted.
- Only the police action is allowed under the system-cpp-policy policy-map. The police rate for system-defined classes must be configured only in packets per second (pps); for user-defined class maps it must be configured only in bits per second (bps).
- We recommend not disabling the policer for a system-defined class map, that is, do not configure the no police rate rate pps command. Doing so affects overall system health under high traffic towards the CPU. Further, even if you disable the policer rate for a system-defined class map, the system automatically reverts to the default policer rate after system bootup in order to protect the system bring-up process.
- When setting the policer rate, note that a clock frequency limitation causes differences between the default rate and the set rate values displayed for some classes (even if you set the default rate for all classes). See the User-Configurable Aspects of CoPP and Example: Setting the Default Policer Rates for All CPU Queues topics in this chapter for more information.
- One or more CPU queues are part of each class-map. Where multiple CPU queues belong to one class-map, changing the policer rate of a class-map affects all CPU queues that belong to that class-map. Similarly, disabling the policer in a class-map disables all queues that belong to that class-map. See Table 1 for information about which CPU queues belong to each class-map.
- The show run command does not display information about classes configured under system-cpp-policy when they are left at their default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane command instead. You can continue to use the show run command to display information about custom policies.
- A protocol with a huge number of CPU-bound packets may impact other protocols in the same class, because some of these protocols share the same policer. For example, Address Resolution Protocol (ARP) shares a 4000 pps hardware policer with an array of host protocols such as Telnet, Internet Control Message Protocol (ICMP), SSH, FTP, and SNMP in the system-cpp-police-forus class. If there is an ARP poisoning or an ICMP attack, the hardware policer starts throttling any incoming traffic that exceeds 4000 packets per second to protect the CPU and the overall integrity of the system. As a result, ARP and ICMP host protocols are dropped, along with any other host protocols that share the same class.
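As an added illustration (not part of the original page) of the pps-only rule for system-defined classes, the show-command caveat, and the shared system-cpp-police-forus policer described above, the following IOS XE session adjusts that one class and verifies the result. The rate value 6000 is assumed for illustration; 4000 pps is the default the text states for this class.

```cisco
! Added example, not from the original page: raise the policer of the
! system-defined class that carries host-bound ARP/ICMP/SSH/SNMP traffic.
! 6000 is an assumed value; system-defined classes accept pps only, never bps.
configure terminal
 policy-map system-cpp-policy
  class system-cpp-police-forus
   police rate 6000 pps
  end
!
! Verify. "show run" omits classes left at default values, so use the
! policy-map views, which also expose conform/exceed counters per class.
show policy-map system-cpp-policy
show policy-map control-plane
!
! Roll back by setting the rate, not by removing the policer with
! "no police rate ... pps": a disabled policer leaves the CPU unprotected.
configure terminal
 policy-map system-cpp-policy
  class system-cpp-police-forus
   police rate 4000 pps
  end
```

Sustained exceed counters on system-cpp-police-forus in show policy-map control-plane indicate that host-bound traffic is being throttled, which is the condition under which legitimate ARP and ICMP share the drops.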