Information
Control Plane Policing (CoPP) prevents floods of certain types of packets from overloading the switch or module CPU by either rate-limiting or dropping those packets. The switch software provides a number of default classes of packets that can be rate-limited, including (but not limited to) ARP broadcasts, multicast, routing protocols (BGP, OSPF), and spanning tree.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Administrators may create up to 32 custom CoPP policies, though only one can be active at any given time. The following commands demonstrate the creation of a simple custom CoPP policy, and how it is applied to the switch:
switch(config)# copp-policy copp_example
switch(config-copp)# class arp-broadcast priority 2 rate 1000 burst 1000
switch(config-copp)# class unknown-multicast priority 2 rate 1000 burst 1000
switch(config-copp)# class unresolved-ip-unicast priority 2 rate 1000 burst 1000
switch(config-copp)# default-class priority 1 rate 3000 burst 3000
switch(config-copp)# exit
switch(config)# apply copp-policy copp_example
To remove a custom CoPP policy from service and automatically apply the default profile:
switch(config)# no apply copp-policy copp_example
At least one CoPP policy must be active on the device at all times. An active custom CoPP policy cannot be deleted; it must first be removed from service using the above command.
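The following offline check is an added example, not part of the original benchmark or the vendor's tooling. It parses saved configuration text for the commands shown above and reports which CoPP policy is in service and whether it rate-limits the classes you require. The indented one-command-per-line layout, the function names and the `required` parameter are assumptions; the sample input is constructed from the page's own commands.

```python
import re

# Constructed sample: the page's commands laid out as a saved configuration
# (assumed layout: one command per line, class lines indented under the policy).
SAMPLE_CONFIG = """\
copp-policy copp_example
    class arp-broadcast priority 2 rate 1000 burst 1000
    class unknown-multicast priority 2 rate 1000 burst 1000
    class unresolved-ip-unicast priority 2 rate 1000 burst 1000
    default-class priority 1 rate 3000 burst 3000
apply copp-policy copp_example
"""

CLASS_RE = re.compile(
    r"^(?:class (\S+)|(default-class)) priority (\d+) rate (\d+) burst (\d+)$")
MAX_CUSTOM_POLICIES = 32  # limit stated on the page


def parse_copp(config):
    """Return (policies, applied); policies maps name -> {class: (priority, rate, burst)}."""
    policies, applied, current = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("apply copp-policy "):
            applied, current = line.split()[2], None
        elif line.startswith("copp-policy "):
            current = policies.setdefault(line.split()[1], {})
        elif current is not None and (m := CLASS_RE.match(line)):
            current[m.group(1) or m.group(2)] = tuple(int(g) for g in m.group(3, 4, 5))
        elif not raw.startswith((" ", "\t")):
            current = None  # an unindented line ends the copp-policy context
    return policies, applied


def audit_copp(config, required=("arp-broadcast",)):
    """Return (active_policy, findings); an empty findings list means the check passed."""
    policies, applied = parse_copp(config)
    findings = []
    if len(policies) > MAX_CUSTOM_POLICIES:
        findings.append(f"{len(policies)} custom policies defined, limit is {MAX_CUSTOM_POLICIES}")
    if applied is None:
        return "default", findings  # no custom policy in service: default profile is active
    if applied not in policies:
        return applied, findings + [f"applied policy '{applied}' is not defined"]
    for name in (*required, "default-class"):
        if name not in policies[applied]:
            findings.append(f"policy '{applied}' has no rate limit for {name}")
    return applied, findings
```

When no `apply copp-policy` line is present the check reports the default profile as active, matching the behaviour described above; the default profile's own classes are not in the configuration text, so they are not inspected.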