Control Plane Policing

Information

Control Plane Policing (CoPP) prevents floods of certain packet types from overloading the switch or module CPU by rate-limiting or dropping those packets. The switch software provides a number of default classes of packets that can be rate-limited, including (but not limited to) ARP broadcasts, multicast, routing protocols (BGP, OSPF), and spanning tree.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Administrators may create up to 32 custom CoPP policies, though only one can be active at any given time. The following commands demonstrate the creation of a simple custom CoPP policy, and how it is applied to the switch:

switch(config)# copp-policy copp_example
switch(config-copp)# class arp-broadcast priority 2 rate 1000 burst 1000
switch(config-copp)# class unknown-multicast priority 2 rate 1000 burst 1000
switch(config-copp)# class unresolved-ip-unicast priority 2 rate 1000 burst 1000
switch(config-copp)# default-class priority 1 rate 3000 burst 3000
switch(config-copp)# exit
switch(config)# apply copp-policy copp_example

To remove a custom CoPP policy from service and automatically apply the default profile:

switch(config)# no apply copp-policy copp_example

At least one CoPP policy must be active on the device at all times. An active custom CoPP policy cannot be deleted; it must first be removed from service using the above command.
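
The following Python check is an added example, not part of the original audit item or any vendor tooling: it parses saved configuration text for the commands shown above and reports whether a custom CoPP policy is applied and whether required classes stay under a rate ceiling. It assumes the saved text uses the same syntax as the typed commands; the function names, required-class list and rate ceiling are hypothetical site choices.

```python
import re

# Constructed sample config (assumed: same syntax as typed on the page, no prompt).
SAMPLE_CONFIG = """\
copp-policy copp_example
    class arp-broadcast priority 2 rate 1000 burst 1000
    class unknown-multicast priority 2 rate 1000 burst 1000
    class unresolved-ip-unicast priority 2 rate 1000 burst 1000
    default-class priority 1 rate 3000 burst 3000
apply copp-policy copp_example
"""

CLASS_RE = re.compile(
    r"^(?:class\s+(?P<name>\S+)|(?P<default>default-class))\s+"
    r"priority\s+(?P<priority>\d+)\s+rate\s+(?P<rate>\d+)\s+burst\s+(?P<burst>\d+)$")

def parse_copp(config_text):
    """Return (policies, applied): policies maps name -> {class: limits}."""
    policies, applied, current = {}, None, None
    for raw in config_text.splitlines():
        # Accept pasted CLI sessions too by stripping a leading prompt.
        line = re.sub(r"^switch\(config[^)]*\)#\s*", "", raw.strip())
        if m := re.match(r"^copp-policy\s+(\S+)$", line):
            current = policies.setdefault(m.group(1), {})
        elif m := re.match(r"^apply\s+copp-policy\s+(\S+)$", line):
            applied, current = m.group(1), None
        elif re.match(r"^no\s+apply\s+copp-policy\s+\S+$", line):
            applied, current = None, None  # default profile takes over
        elif current is not None and (m := CLASS_RE.match(line)):
            name = m.group("name") or "default-class"
            current[name] = {k: int(m.group(k)) for k in ("priority", "rate", "burst")}
        elif line == "exit":
            current = None
    return policies, applied

def audit_copp(config_text, required_classes, max_rate):
    """List findings; an empty list means the applied policy meets the baseline."""
    policies, applied = parse_copp(config_text)
    if applied is None:
        return ["no custom CoPP policy applied (default profile in effect)"]
    if applied not in policies:
        return [f"applied policy {applied!r} is not defined in this config"]
    findings = []
    for cls in required_classes:
        limits = policies[applied].get(cls)
        if limits is None:
            findings.append(f"{applied}: class {cls} not configured")
        elif limits["rate"] > max_rate:
            findings.append(f"{applied}: class {cls} rate {limits['rate']} exceeds {max_rate}")
    return findings
```
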

See Also

https://support.hpe.com/hpesc/public/docDisplay?docId=a00053695en_us

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5

Plugin: ArubaOS

Control ID: 263bc6f738a49ed6009aa702b33699074e23d2b1071930b70c71811e4a09abd8