Information
Control Plane Policing (CoPP)-available on the 5400R (v3-only mode), 3810M, and 2930 switch platforms-prevents flooding of certain types of packets from overloading the switch or module CPU by either rate-limiting or dropping packets. The switch software provides a number of default classes of packets that can be rate-limited, including broadcasts, MAC notifications, routing protocols (BGP, OSPF, RIP), and spanning tree protocols (MSTP and PVST).
To enable CoPP using all pre-defined traffic classes and their default rate limits:
switch(config)# copp traffic-class all limit default
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Users can also create up to 8 custom CoPP traffic classes that may either rate-limit or drop packets based on destination IPv4/IPv6 address and/or TCP or UDP port.
This example limits SNMP traffic entering the switch, regardless of destination IP address, to a maximum of 80 packets per second:
switch(config)# copp user-def 1 ipv4 any udp 161 limit 80
With this CoPP class configured, SNMP packets entering the switch in excess of the allowed 80 per second are dropped.
This second example causes all Telnet packets entering the switch to be dropped:
switch(config)# copp user-def 2 ipv4 any tcp 23 drop