
Monday 1 March 2021

Control Plane Policing (CoPP)

Overview of Control Plane Policing (CoPP)

CoPP is a QoS feature used for security: it rate-limits the traffic handled by the route processor (RP). CoPP is implemented as a modular QoS CLI (MQC) policy that rate-limits, drops or granularly permits traffic to or from the RP. The RP handles traffic that is categorized into three planes:

  • Data plane
  • Management plane
  • Control plane

The control plane is a collection of processes that run at the process level on the route processor (RP). These processes collectively provide high-level control over most IOS functions. All packets destined for the control plane pass through the central switch engine before they are forwarded to the process level. The control-plane and central switch engine are part of the RP.

The majority of traffic managed by the RP is handled by way of the control and management planes. Such traffic includes:

  • Routing protocol updates (IGP, BGP)
  • Management traffic such as SNMP, SSH, Telnet, NTP, HTTP(S), etc.
  • Traffic destined for a local IP address of the switch/router, i.e. traffic for which the local router or switch is the destination.

Control-plane Policing (CoPP) provides rate-limiting and filtering capabilities to control the number of packets that have to be processed by the RP of a router or switch. This reduces the load on a router's RP at any given point in time and helps protect the RP from denial-of-service (DoS) attacks, other flooding attacks and reconnaissance attacks.

When implementing CoPP, it is important to rate-limit traffic on all interfaces destined for the local router. A logical interface exists on all routers called the control plane interface. Rate-limiting packets on this interface applies the rate-limit to all the physical interfaces. Quality of Service (QoS) and policing on the control plane interface rate-limits packets entering any interface to protect the RP.

Configuring CoPP

To implement CoPP, the following sequence of steps should be followed:

  1. Categorize network traffic into classes using Access Control Lists (ACLs).
  2. Create a Class Map (CM) to identify traffic to be policed (rate-limited).
  3. Create a Policy Map (PM) to define the action to take on identified traffic by implementing a defined policy.
  4. Create a Service Policy which specifies where to apply the policy map.

CoPP is hardware-accelerated if the command mls qos is applied.

Categorize Network Traffic using ACLs

Traffic to be rate-limited needs to first be identified and categorized into different classes based on importance, function or protocol type.

ACLs are used to identify and classify traffic to be rate-limited. These classes include:

  • BGP
  • IGP
  • Critical applications
  • File management
  • Interactive management
  • Monitoring
  • Default

A separate ACL should be configured for each of these traffic categories. Each ACL should permit all known protocols in its class. The ACL for the default class should be configured to permit any other type of traffic, e.g. permit ip any any.

Extended ACLs are usually used for classifying traffic as they can be configured to match the traffic port/protocol numbers.

During categorization of traffic, it is important to note that traffic for certain classes, such as SNMP, (T)FTP and GRE, originates from known sources. In such cases, the ACEs in these ACLs should explicitly define the source IP address. If the ports for these traffic sources are known, then the ACEs should be configured to permit traffic from these specific port numbers as well.

The different traffic categories include:

  • BGP: for maintaining BGP operations such as neighbor formation and maintenance, and prefix exchange. BGP uses TCP port 179; when configuring ACEs, either the BGP port number or the keyword bgp can be used to match it.

    R1(config)#ip access-list extended ACL_COPP_BGP
    R1(config-ext-nacl)#remark BGP traffic
    R1(config-ext-nacl)#10 permit tcp any gt 1024 any eq bgp
    R1(config-ext-nacl)#20 permit tcp any eq bgp any gt 1024 established

  • IGP: traffic for formation and maintenance of IGP protocols such as EIGRP, OSPF, RIP. OSPF uses IP protocol number 89 and IPv4 multicast addresses 224.0.0.5 and 224.0.0.6, or IPv6 multicast addresses FF02::5 and FF02::6. EIGRP uses IP protocol number 88 and IPv4 multicast address 224.0.0.10, or IPv6 multicast address FF02::A. The IP protocols can also be matched using the keywords eigrp or ospf.

    R1(config)#ip access-list extended ACL_COPP_IGP
    R1(config-ext-nacl)#10 permit ospf any host 224.0.0.5
    R1(config-ext-nacl)#20 permit ospf any host 224.0.0.6
    R1(config-ext-nacl)#30 permit ospf host 224.0.0.5 any
    R1(config-ext-nacl)#50 permit eigrp any host 224.0.0.10
    R1(config-ext-nacl)#60 permit eigrp host 224.0.0.10 any

  • Monitoring and Reporting: traffic for monitoring the switch or router such as ICMP, IP SLA.

    R1(config)#ip access-list extended ACL_COPP_MONITOR
    R1(config-ext-nacl)#10 permit icmp any any echo
    R1(config-ext-nacl)#20 permit icmp any any echo-reply
    R1(config-ext-nacl)#30 permit icmp any any unreachable
    R1(config-ext-nacl)#40 permit icmp any any port-unreachable

  • Interactive Management: traffic that is interactive in nature and is required for routine network operations such as SSH, Telnet, SNMP, NTP, TACACS. This type of traffic is usually low-volume.

    R1(config)#ip access-list extended ACL_COPP_MGMT
    R1(config-ext-nacl)#remark Interactive management
    R1(config-ext-nacl)#10 permit tcp host 10.20.2.1 host 10.1.10.1 eq 22
    R1(config-ext-nacl)#20 permit udp host 10.1.10.1 host 10.30.5.1 eq 161
    R1(config-ext-nacl)#30 permit udp host 10.1.10.1 host 10.30.5.1 eq 162
    R1(config-ext-nacl)#50 permit udp host 10.1.10.1 host 10.80.1.1 eq ntp

  • File Management: this type of traffic is used to transfer files. Protocols in this category include: TFTP, FTP. This type of traffic is usually high-volume.

    R1(config)#ip access-list extended ACL_COPP_FILE_MGMT
    R1(config-ext-nacl)#10 permit tcp any host 10.1.10.1 eq ftp
    R1(config-ext-nacl)#20 permit tcp host 10.1.10.1 eq ftp any
    R1(config-ext-nacl)#30 permit tcp any host 10.1.10.1 eq ftp-data established
    R1(config-ext-nacl)#40 permit tcp host 10.1.10.1 eq ftp-data any established

  • Critical applications: protocols in this category include GRE, HSRP, GLBP, DHCP, IPsec, VRRP, IGMP, multicast traffic.

    R1(config)#ip access-list extended ACL_COPP_CRITICAL_APPLICATIONS
    R1(config-ext-nacl)#remark Critical applications
    R1(config-ext-nacl)#10 permit udp host 0.0.0.0 host 255.255.255.255 eq bootpc
    R1(config-ext-nacl)#20 permit udp host 10.10.1.20 eq bootps any eq bootps
    R1(config-ext-nacl)#30 permit ip any host 22.0.0.2

    bootpc and bootps are the keywords for DHCP.

  • Undesirable: malicious traffic that should not be allowed to be processed by the RP. Such traffic may be generated by malware. The port numbers, transport protocol, etc. used by malware can only be known if the malware has been profiled.
  • Default: traffic that does not fit into any of the above categories. This traffic should be rate-limited until specific types within this category can be classified, either into new groups or under the existing groups listed above.

Create Class Maps to Define Traffic Class

Class maps are used to define classes of the traffic to be rate-limited. A class map may reference an ACL, protocol, IP Prec or IP DSCP values in a packet.

A separate class-map should be created for each of the configured ACLs for each traffic category. Class-maps have a default class-map that deals with traffic that is not explicitly defined. A separate class-map should be explicitly configured for the default traffic ACL.

  1. Define the class map name: using the command class-map <match-any | match-all> <class-map-name>. The matching instruction is match-any or match-all.
    • match-any: traffic must match at least one of the match commands to be classified as part of the traffic class.
    • match-all: traffic must match all the match commands to be part of the traffic class. Care must be taken with the match-all keyword, as the traffic will have to match all characteristics in all the match commands.
  2. Specify how the traffic will be matched: using the command match [access-group [<acl-number> | name <acl>] | protocol | ip prec | ip dscp]
    • Access-group: reference the previously configured access control list in the match statement. ACL names are case sensitive.
    • Protocol: you can match by protocol instead of ACL; for example, to match ARP packets: match protocol arp
    • IP Prec | IP dscp: to match against an IP packet's Precedence or DSCP fields.

R1(config)#class-map match-all CM_COPP_BGP
R1(config-cmap)#match access-group name ACL_COPP_BGP
R1(config)#class-map match-all CM_COPP_CRITICAL_APPLICATIONS
R1(config-cmap)#match access-group name ACL_COPP_CRITICAL_APPLICATIONS
R1(config-cmap)#exit
R1(config)#class-map match-all CM_COPP_FILE_MGMT
R1(config-cmap)#match access-group name ACL_COPP_FILE_MGMT
R1(config-cmap)#exit
R1(config)#class-map match-all CM_COPP_IGP
R1(config-cmap)#match access-group name ACL_COPP_IGP
R1(config-cmap)#class-map match-all CM_COPP_INT_MGMT
R1(config-cmap)#match access-group name ACL_COPP_MGMT
R1(config-cmap)#class-map match-all CM_COPP_MONITOR
R1(config-cmap)#match access-group name ACL_COPP_MONITOR
R1(config-cmap)#class-map match-all CM_COPP_DEFAULT
R1(config-cmap)#match access-group name ACL_COPP_DEFAULT

Verification

R1#show class-map
Class Map match-all CM_COPP_INT_MGMT (id 5)
   Match access-group name  ACL_COPP_MGMT
                              
Class Map match-any class-default (id 0)
   Match any                  
                              
Class Map match-all CM_COPP_FILE_MGMT (id 3)
   Match access-group name  ACL_COPP_FILE_MGMT
                              
Class Map match-all CM_COPP_DEFAULT (id 7)
   Match access-group name  ACL_COPP_DEFAULT
                              
Class Map match-all CM_COPP_MONITOR (id 6)
   Match access-group name  ACL_COPP_MONITOR
                              
Class Map match-all CM_COPP_BGP (id 1)
   Match access-group name  ACL_COPP_BGP
                              
Class Map match-all CM_COPP_IGP (id 4)
   Match access-group name  ACL_COPP_IGP
                              
Class Map match-all CM_COPP_CRITICAL_APPLICATIONS (id 2)
   Match access-group name  ACL_COPP_CRITICAL_APPLICATIONS

Create Policy Maps to Define a Service Policy

Policy maps are used to define the rate-limit parameters of the classified traffic. Policy maps are used to associate the traffic class (defined with a class map) with one or more policies resulting in a service policy. To configure a policy map:

  1. Define the policy map name: using the command policy-map <service-policy-name>
  2. Reference a configured class map: using the command class <traffic-class-name>
  3. Define the rate-limit threshold and action: the threshold at which traffic will be rate-limited, and the actions to take for conforming traffic and for traffic that breaks the rate limit, using the command police <cir | rate> conform-action <transmit | drop> exceed-action <transmit | drop> violate-action <transmit | drop>

Each class-map should be associated with a policy map that permits all traffic. The policy for each class should be set as conform-action transmit exceed-action transmit.

Some control-plane policing rates along with recommended actions:

Class                      Rate (pps)   Rate (bps)   Conform action   Exceed action
BGP                        500          4000000      Transmit         Drop
IGP                        50           300000       Transmit         Drop
Monitoring and reporting   125          900000       Transmit         Drop
Interactive management     100          500000       Transmit         Drop
File management            500          6000000      Transmit         Drop
Critical applications      125          900000       Transmit         Drop
Undesirable                100          0            Drop             Drop
Default                    100          1000000      Transmit         Drop

R1(config)#policy-map PM_COPP
R1(config-pmap)#class CM_COPP_BGP
R1(config-pmap-c)#police cir 4000000 bc 800000 be 800000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#exit
R1(config-pmap)#class CM_COPP_IGP
R1(config-pmap-c)#police cir 300000 bc 60000 be 60000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#exit
R1(config-pmap)#class CM_COPP_CRITICAL_APPLICATIONS
R1(config-pmap-c)#police cir 900000 bc 180000 be 180000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#exit
R1(config-pmap)#class CM_COPP_MONITOR
R1(config-pmap-c)#police cir 900000 bc 180000 be 180000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#exit
R1(config-pmap)#class CM_COPP_FILE_MGMT
R1(config-pmap-c)#police cir 6000000 bc 1200000 be 1200000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#exit
R1(config-pmap)#class CM_COPP_INT_MGMT
R1(config-pmap-c)#police cir 500000 bc 100000 be 100000 conform-action transmit exceed-action drop

Verification

R1#show policy-map
  Policy Map PM_COPP
    Class CM_COPP_IGP
     police cir 300000 bc 60000 be 60000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_INT_MGMT
     police cir 500000 bc 100000 be 100000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_BGP
     police cir 4000000 bc 800000 be 800000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_FILE_MGMT
     police cir 6000000 bc 1200000 be 1200000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_CRITICAL_APPLICATIONS
     police cir 900000 bc 180000 be 180000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_MONITOR
     police cir 90000 bc 18000 be 10800
       conform-action transmit
       exceed-action drop
       violate-action drop
R1#

The policy map configuration protects a device's RP from being overwhelmed by control-plane traffic. For illustrative purposes, the CIR for ICMP traffic (class CM_COPP_MONITOR) is set artificially low in the following output.

R1#show policy-map
  Policy Map PM_COPP
  !Output omitted for brevity
    Class CM_COPP_MONITOR
     police cir 90000 bc 18000 be 10800
       conform-action transmit
       exceed-action drop
       violate-action drop

R1#

Apply the Policy Map

A policy map can be applied to a single interface or to all interfaces. Depending on your security model, you may wish to apply one policy map to all interfaces and other policy maps, with different rates, to specific interfaces. For instance, the interface pointing to the Internet may have more restrictive policing than the one connected to the internal network.

Apply policy map to all interfaces

A router has a single control-plane interface. To apply the policy-map to all interfaces, enter the control-plane configuration mode and apply the policy-map:

R1(config)#control-plane
R1(config-cp)#service-policy input PM_COPP

The input keyword enforces the policy on ingress traffic.

Apply the policy-map to a single interface

To apply the policy-map to a single interface, enter the specific interface and attach the policy map using the service-policy interface command:

R1(config)#interface g0/0
R1(config-if)#service-policy input PM_COPP

Test and Verify Configuration

From a second device (another router or a host such as a PC), you can test control-plane policing by pinging the router.

R1#show policy-map control-plane
Control Plane
              
  Service-policy input: PM_COPP
              
    Class-map: CM_COPP_IGP (match-all)
      18 packets, 2312 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_IGP
      police:
          cir 300000 bps, bc 60000 bytes, be 60000 bytes
        conformed 18 packets, 2312 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: CM_COPP_INT_MGMT (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_MGMT
      police:
          cir 500000 bps, bc 100000 bytes, be 100000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: CM_COPP_BGP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_BGP
      police:
          cir 4000000 bps, bc 800000 bytes, be 800000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: CM_COPP_FILE_MGMT (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_FILE_MGMT
      police:
          cir 6000000 bps, bc 1200000 bytes, be 1200000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: CM_COPP_CRITICAL_APPLICATIONS (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_CRITICAL_APPLICATIONS
      police:
          cir 900000 bps, bc 180000 bytes, be 180000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: CM_COPP_MONITOR (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_MONITOR
      police:
          cir 90000 bps, bc 18000 bytes, be 10800 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
              
    Class-map: class-default (match-any)
      56 packets, 6556 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
              
R1#show policy-map
  Policy Map PM_COPP
    Class CM_COPP_IGP
     police cir 300000 bc 60000 be 60000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_INT_MGMT
     police cir 500000 bc 100000 be 100000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_BGP
     police cir 4000000 bc 800000 be 800000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_FILE_MGMT
     police cir 6000000 bc 1200000 be 1200000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_CRITICAL_APPLICATIONS
     police cir 900000 bc 180000 be 180000
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class CM_COPP_MONITOR
     police cir 90000 bc 18000 be 10800
       conform-action transmit
       exceed-action drop
       violate-action drop
              

Pinging from another Host

R2#ping 30.255.1.1 repeat 500 size 1500
Type escape sequence to abort.
Sending 500, 1500-byte ICMP Echos to 30.255.1.1, timeout is 2 seconds:
!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.
!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!
.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!
!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!
!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!
!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!
!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!
!!!!!!.!!!
Success rate is 93 percent (465/500), round-trip min/avg/max = 1/17/48 ms

CoPP rate-limiting can be observed to have taken effect.

R1#show policy-map control-plane
Control Plane  
                
  Service-policy input: PM_COPP
                
    Class-map: CM_COPP_IGP (match-all)
      40 packets, 4380 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_IGP
      police:    
          cir 300000 bps, bc 60000 bytes, be 60000 bytes
        conformed 40 packets, 4380 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: CM_COPP_INT_MGMT (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_MGMT
      police:    
          cir 500000 bps, bc 100000 bytes, be 100000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: CM_COPP_BGP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_BGP
      police:    
          cir 4000000 bps, bc 800000 bytes, be 800000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: CM_COPP_FILE_MGMT (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_FILE_MGMT
      police:    
          cir 6000000 bps, bc 1200000 bytes, be 1200000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: CM_COPP_CRITICAL_APPLICATIONS (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_CRITICAL_APPLICATIONS
      police:    
          cir 900000 bps, bc 180000 bytes, be 180000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: CM_COPP_MONITOR (match-all)
      500 packets, 757000 bytes
      5 minute offered rate 11000 bps, drop rate 0000 bps
      Match: access-group name ACL_COPP_MONITOR
      police:    
          cir 90000 bps, bc 18000 bytes, be 10800 bytes
        conformed 465 packets, 704010 bytes; actions:
          transmit
        exceeded 35 packets, 52990 bytes; actions:
          drop  
        violated 0 packets, 0 bytes; actions:
          drop  
        conformed 10000 bps, exceeded 0000 bps, violated 0000 bps
                
    Class-map: class-default (match-any)
      135 packets, 13264 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
R1#
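
To track these counters over time rather than reading them by eye, the per-class figures can be parsed out of the command output. The following Python is an added example, not part of the original post; parse_copp and drop_report are hypothetical helper names, and SAMPLE is constructed by trimming the R1 output above.

```python
import re

# Constructed sample: trimmed from the R1 output shown above
# (IGP, MONITOR and class-default only; rate lines removed).
SAMPLE = """\
Control Plane
  Service-policy input: PM_COPP
    Class-map: CM_COPP_IGP (match-all)
      40 packets, 4380 bytes
      Match: access-group name ACL_COPP_IGP
      police:
          cir 300000 bps, bc 60000 bytes, be 60000 bytes
        conformed 40 packets, 4380 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
    Class-map: CM_COPP_MONITOR (match-all)
      500 packets, 757000 bytes
      Match: access-group name ACL_COPP_MONITOR
      police:
          cir 90000 bps, bc 18000 bytes, be 10800 bytes
        conformed 465 packets, 704010 bytes; actions:
          transmit
        exceeded 35 packets, 52990 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 10000 bps, exceeded 0000 bps, violated 0000 bps
    Class-map: class-default (match-any)
      135 packets, 13264 bytes
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(match-(?:all|any)\)")
TOTAL_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes\s*$")
COUNT_RE = re.compile(r"^\s*(conformed|exceeded|violated) (\d+) packets, (\d+) bytes; actions:")


def parse_copp(text):
    """Return {class: {"packets": n, "counters": {name: {packets, bytes, action}}}}."""
    classes, current, pending = {}, None, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = classes[m.group(1)] = {"packets": 0, "counters": {}}
            pending = None
        elif current is None:
            continue                      # header lines before the first class
        elif m := TOTAL_RE.match(line):
            current["packets"] = int(m.group(1))
        elif m := COUNT_RE.match(line):
            pending = {"packets": int(m.group(2)), "bytes": int(m.group(3)), "action": None}
            current["counters"][m.group(1)] = pending
        elif pending is not None and line.strip() in ("transmit", "drop"):
            pending["action"] = line.strip()   # action line follows its counter line
            pending = None
    return classes


def drop_report(classes, threshold_pct=1.0):
    """Flag classes dropping >= threshold_pct of packets, and unpoliced classes seeing traffic."""
    findings = []
    for name, c in classes.items():
        if not c["counters"]:             # no police statement, e.g. class-default here
            if c["packets"]:
                findings.append((name, "unpoliced", c["packets"]))
            continue
        counters = c["counters"].values()
        seen = sum(v["packets"] for v in counters)
        dropped = sum(v["packets"] for v in counters if v["action"] == "drop")
        pct = round(100.0 * dropped / seen, 1) if seen else 0.0
        if pct >= threshold_pct:
            findings.append((name, "dropping", pct))
    return findings


if __name__ == "__main__":
    for finding in drop_report(parse_copp(SAMPLE)):
        print(finding)
```

On this sample the report shows the 7 percent loss in CM_COPP_MONITOR that the ping test produced, and also that class-default is carrying traffic with no policer attached.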

Troubleshooting Control-Plane Policing

Troubleshooting control plane policing requires troubleshooting the various components of CoPP, i.e. access control lists, class maps, policy maps and service policies. When troubleshooting CoPP, consider the following.

ACLs

When troubleshooting ACLs for CoPP, focus on the following:

  • Verify correct source and destination addresses, protocols, port number, action (permit | deny): show access-list
  • Grouping: if grouping traffic types, ensure that they are grouped based on function; e.g. routing protocols (BGP, OSPF, EIGRP), management protocols (SSH, TELNET, HTTP(S), TFTP, SNMP, DNS, NTP).
  • Action: with CoPP, a permit action in an ACL means match the traffic and apply the policy. Deny means exclude the traffic from the class and move on to the next class.
  • Protocol: if the wrong protocol is specified in the ACL, the wrong type of traffic will be matched.
  • Source and destination: the correct source and destination addresses should be configured in the ACLs. During troubleshooting, change the IP address to any to see the effect.
  • Operators and ports: ensure the correct ACL operator and port numbers are defined.
  • Avoid the log and log-input ACL keywords for CoPP, as they cause unexpected results in CoPP functionality.

Class Maps

  • Watch out for the match-all and match-any commands.
  • Verify that the class-map is configured correctly: show class-map. Verify the correct instruction (match-any, match-all) and the correct ACL, protocol, IP prec, DSCP.

Policy Maps

When troubleshooting policy maps, consider:

  • Verify that the service policy is applied in the correct direction: show policy-map control-plane.
  • Verify that the policy-map is correctly configured: show policy-map
  • Check for the correct class-map, rate or CIR, conform-action, exceed-action and correct order.
  • Order of operations: the classes defined are processed from top to bottom.
  • Class-map: check that the correct class-map is referenced and that it is configured correctly.
  • Policy: ensure the correct CIR in bps and rate in pps have been configured. In some IOS versions, if traffic that matches a class is to be dropped, replace the police command with the drop keyword.
  • Default-class: if traffic does not match any defined class, it will be subjected to the conditions laid out in the default class.
  • Case: class names are case sensitive.

Service Policy

When troubleshooting the application of a service policy:

  • Correct interface: the service policy can be applied only to one interface, the control-plane. If applying to a physical interface, ensure that the service policy is configured on the correct interface. Confirm with show policy-map interface <interface-name>
  • Direction: use input for incoming packets. Confirm the direction with show policy-map control-plane. Not all IOS versions support output. For routing protocols, output CoPP would apply to replies to queries/requests or ACKs; for ICMP, to error or informational replies; for Telnet, SSH, HTTP and SNMP, to replies or traps. Ensure the ACL and class-map are configured appropriately for replies.
  • Case: policy map names are case-sensitive; verify with show policy-map control-plane
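
Several of the checks in the troubleshooting lists above (case-sensitive names, class-maps pointing at an ACL that exists, no log keywords, policy attached to the control plane) can be run offline against a saved configuration. The following Python is an added example, not part of the original post; parse and lint are hypothetical helper names, and CONFIG is a constructed excerpt that reuses this page's naming scheme with deliberate mistakes in it.

```python
# Constructed running-config style excerpt (not captured from a device).
CONFIG = """\
ip access-list extended ACL_COPP_BGP
 permit tcp any gt 1024 any eq bgp
ip access-list extended ACL_COPP_MONITOR
 permit icmp any any echo log
ip access-list extended ACL_COPP_INT_MGMT
 permit tcp host 10.20.2.1 host 10.1.10.1 eq 22
class-map match-all CM_COPP_BGP
 match access-group name ACL_COPP_BGP
class-map match-all CM_COPP_MONITOR
 match access-group name ACL_COPP_Monitor
class-map match-all CM_COPP_INT_MGMT
 match access-group name ACL_COPP_MGMT
class-map match-all CM_COPP_DEFAULT
 match access-group name ACL_COPP_DEFAULT
policy-map PM_COPP
 class CM_COPP_BGP
  police cir 4000000 bc 800000 be 800000
 class CM_COPP_MONITOR
  police cir 900000 bc 180000 be 180000
 class CM_COPP_INT_MGMT
  police cir 500000 bc 100000 be 100000
control-plane
 service-policy input PM_COPP
"""


def parse(config):
    """Collect ACL entries, class-map ACL references, policy-map classes, attached policies."""
    acls, cmaps, pmaps, attached = {}, {}, {}, set()
    kind = name = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():              # unindented line opens a new section
            kind = name = None
            if words[:2] == ["ip", "access-list"]:
                kind, name = "acl", words[-1]
                acls[name] = []
            elif words[0] in ("class-map", "policy-map"):
                kind, name = words[0], words[-1]
                (cmaps if kind == "class-map" else pmaps)[name] = []
            elif words[0] == "control-plane":
                kind = "cp"
        elif kind == "acl":
            acls[name].append(" ".join(words))
        elif kind == "class-map" and words[:3] == ["match", "access-group", "name"]:
            cmaps[name].append(words[3])
        elif kind == "policy-map" and words[0] == "class":
            pmaps[name].append(words[1])
        elif kind == "cp" and words[:2] == ["service-policy", "input"]:
            attached.add(words[2])
    return acls, cmaps, pmaps, attached


def lint(config):
    """Return a list of human-readable findings; an empty list means no issue found."""
    acls, cmaps, pmaps, attached = parse(config)
    findings = []
    by_lower = {a.lower(): a for a in acls}
    for cm, refs in cmaps.items():            # names are case sensitive
        for acl in refs:
            if acl not in acls:
                near = by_lower.get(acl.lower())
                hint = f" (case mismatch with {near})" if near else ""
                findings.append(f"{cm}: ACL {acl} not defined{hint}")
    used = {c for classes in pmaps.values() for c in classes}
    for pm, classes in pmaps.items():
        for c in classes:
            if c not in cmaps and c != "class-default":
                findings.append(f"{pm}: class {c} not defined")
        if pm not in attached:
            findings.append(f"{pm}: not attached to control-plane")
    for cm in cmaps:
        if cm not in used:
            findings.append(f"{cm}: not referenced by any policy-map")
    for acl, entries in acls.items():
        for entry in entries:
            if entry.split()[-1] in ("log", "log-input"):
                findings.append(f"{acl}: entry uses log keyword: {entry}")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(CONFIG)))
```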