CoPP and the Management Interface
The Cisco NX-OS device supports only hardware-based CoPP, which does not support the management
interface (mgmt0). The out-of-band mgmt0 interface connects directly to the CPU and does not pass through
the in-band traffic hardware where CoPP is implemented.
On the mgmt0 interface, ACLs can be configured to permit or deny a particular type of traffic.
Licensing Requirements for CoPP
The following table shows the licensing requirements for this feature:
Product        License Requirement
Cisco NX-OS    CoPP requires no license. Any feature not included in a license package is bundled with the nx-os image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Guidelines and Limitations for CoPP
CoPP has the following configuration guidelines and limitations:
• We recommend that you use the strict default CoPP policy initially and then later modify the CoPP
policies based on the data center and application requirements.
• Customizing CoPP is an ongoing process. CoPP must be configured according to the protocols and
features used in your specific environment as well as the supervisor features that are required by the
server environment. As these protocols and features change, CoPP must be modified.
• We recommend that you continuously monitor CoPP. If drops occur, determine if CoPP dropped traffic
unintentionally or in response to a malfunction or attack. In either event, analyze the situation and evaluate
the need to modify the CoPP policies.
• All the traffic that you do not specify in the other class maps is put into the last class, the default class.
Monitor the drops in this class and investigate if these drops are based on traffic that you do not want or
the result of a feature that was not configured and you need to add.
• All broadcast traffic is sent through CoPP logic in order to determine which packets (for example, ARP
and DHCP) need to be redirected through an access control list (ACL) to the router processor. Broadcast
traffic that does not need to be redirected is matched against the CoPP logic, and both conforming and
violated packets are counted in the hardware but not sent to the CPU. Broadcast traffic that needs to be
sent to the CPU and broadcast traffic that does not need to be sent to the CPU must be separated into
different classes.
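The monitoring guidelines above (watch CoPP drops continuously, and treat drops in the default class as a signal that traffic is either unwanted or belongs to a feature that still needs its own class) can be scripted. The following is an added example, not code from the Cisco guide: it parses the counters that `show policy-map interface control-plane` reports per class and per module and lists every class with non-zero violated bytes, flagging the default class separately. The sample output is constructed; its layout (class-map line, then `module N :` with `conformed ... bytes` and `violated ... bytes`) is an assumption modelled on the Nexus 9000 format, and the class names are assumed to resemble the strict default policy's names. On a real device the text would come from the CLI (for example over SSH or NX-API) instead of the embedded string.

```python
"""Flag CoPP drops from `show policy-map interface control-plane` output.

Added example, not from the Cisco guide. SAMPLE_OUTPUT below is constructed
to resemble the command's format (assumption); real output has more fields.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the Nexus 9000 output layout (assumption).
SAMPLE_OUTPUT = """\
Control Plane

  Service-policy  input: copp-system-p-policy-strict

    class-map copp-system-p-class-critical (match-any)
      match access-group name copp-system-p-acl-bgp
      police cir 36000 kbps , bc 250 ms
        module 1 :
          conformed 145320 bytes,
            5-min offered rate 12 bytes/sec
          violated 0 bytes,
            5-min violate rate 0 bytes/sec

    class-map copp-system-p-class-normal (match-any)
      match access-group name copp-system-p-acl-mac-dot1x
      police cir 1400 kbps , bc 32000 bytes
        module 1 :
          conformed 98210 bytes,
            5-min offered rate 3 bytes/sec
          violated 5120 bytes,
            5-min violate rate 1 bytes/sec

    class-map copp-system-p-class-default (match-any)
      police cir 400 kbps , bc 32000 bytes
        module 1 :
          conformed 77000 bytes,
            5-min offered rate 0 bytes/sec
          violated 230400 bytes,
            5-min violate rate 210 bytes/sec
"""

CLASS_RE = re.compile(r"^\s*class-map\s+(\S+)")
MODULE_RE = re.compile(r"^\s*module\s+(\d+)\s*:")
CONFORMED_RE = re.compile(r"^\s*conformed\s+(\d+)\s+bytes")
VIOLATED_RE = re.compile(r"^\s*violated\s+(\d+)\s+bytes")


@dataclass
class ClassCounters:
    name: str
    conformed: dict = field(default_factory=dict)  # module number -> bytes
    violated: dict = field(default_factory=dict)   # module number -> bytes


def parse_copp_stats(text):
    """Return {class_name: ClassCounters} parsed from show policy-map output."""
    classes = {}
    current = None
    module = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = ClassCounters(m.group(1))
            classes[current.name] = current
            module = None  # counters before a 'module N :' line are ignored
            continue
        if current is None:
            continue
        m = MODULE_RE.match(line)
        if m:
            module = int(m.group(1))
            continue
        m = CONFORMED_RE.match(line)
        if m and module is not None:
            current.conformed[module] = int(m.group(1))
            continue
        m = VIOLATED_RE.match(line)
        if m and module is not None:
            current.violated[module] = int(m.group(1))
    return classes


def find_drops(classes, default_suffix="class-default"):
    """List (class, module, violated_bytes, is_default) for non-zero violations.

    The default class is placed last and tagged: drops there mean traffic that
    no other class matched, which is exactly what the guide says to investigate.
    """
    drops = []
    for name, counters in classes.items():
        for module, violated in sorted(counters.violated.items()):
            if violated > 0:
                drops.append((name, module, violated, name.endswith(default_suffix)))
    drops.sort(key=lambda d: d[3])  # stable sort: default class last
    return drops


if __name__ == "__main__":
    stats = parse_copp_stats(SAMPLE_OUTPUT)
    for name, module, violated, is_default in find_drops(stats):
        tag = "  <- default class: unclassified traffic, investigate" if is_default else ""
        print(f"{name} module {module}: {violated} violated bytes{tag}")
```

Run it periodically and compare successive snapshots rather than absolute values: the counters are cumulative, so the interesting signal is a class whose violated bytes keep growing between runs.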
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring Control Plane Policing