Configuration Example
Networking Requirements
In order to protect switch CPU from attacks and being overloaded by control plane packets, maintaining data forwarding and network topology stability, configure different CoPP policy for flows of different control plane protocols: SSH, NTP, TFTP and SLOW.
Procedure
Step1 Configure CoPP queue mapping, scheduling weight, scheduling algorithm and queue shaping.
admin@Xorplus# set class-of-service scheduler copp-scheduler180 mode WRR
admin@Xorplus# set class-of-service scheduler copp-scheduler180 max-bandwidth-pps 180
admin@Xorplus# set class-of-service scheduler copp-scheduler180 min-bandwidth-pps 0
admin@Xorplus# set class-of-service scheduler copp-scheduler180 weight 5
admin@Xorplus# set class-of-service scheduler-profile copp-profile forwarding-class copp-class1 scheduler copp-scheduler180
admin@Xorplus# set class-of-service scheduler-profile copp-profile forwarding-class copp-class2 scheduler copp-scheduler180
admin@Xorplus# set class-of-service scheduler copp-scheduler200 mode WRR
admin@Xorplus# set class-of-service scheduler copp-scheduler200 max-bandwidth-pps 200
admin@Xorplus# set class-of-service scheduler copp-scheduler200 min-bandwidth-pps 0
admin@Xorplus# set class-of-service scheduler copp-scheduler200 weight 10
admin@Xorplus# set class-of-service scheduler-profile copp-profile forwarding-class copp-class3 scheduler copp-scheduler200
admin@Xorplus# set class-of-service scheduler copp-scheduler300 mode WRR
admin@Xorplus# set class-of-service scheduler copp-scheduler300 max-bandwidth-pps 300
admin@Xorplus# set class-of-service scheduler copp-scheduler300 min-bandwidth-pps 0
admin@Xorplus# set class-of-service scheduler copp-scheduler300 weight 20
admin@Xorplus# set class-of-service scheduler-profile copp-profile forwarding-class copp-class4 scheduler copp-scheduler300#Configure a policer 50pps.
admin@Xorplus# set firewall policer 50pps if-exceeding rate-limit 50
admin@Xorplus# set firewall policer 50pps if-exceeding burst-limit 50#Configure mapping between forwarding class and local priority.
admin@Xorplus# set class-of-service forwarding-class copp-class1 local-priority 1
admin@Xorplus# set class-of-service forwarding-class copp-class2 local-priority 2
admin@Xorplus# set class-of-service forwarding-class copp-class3 local-priority 3
admin@Xorplus# set class-of-service forwarding-class copp-class4 local-priority 4Step2 Configure destination-port and protocol to classify SSH flow, and mapping to forwarding class copp-class3.
admin@Xorplus# set firewall filter copp sequence 83 from destination-port 22
admin@Xorplus# set firewall filter copp sequence 83 from protocol tcp
admin@Xorplus# set firewall filter copp sequence 83 then forwarding-class copp-class3
admin@Xorplus# set firewall filter copp sequence 83 then policer 50pps
admin@Xorplus# set firewall filter copp sequence 84 from source-port 22
admin@Xorplus# set firewall filter copp sequence 84 from protocol tcp
admin@Xorplus# set firewall filter copp sequence 84 then forwarding-class copp-class3
admin@Xorplus# set firewall filter copp sequence 84 then policer 50pps Step3 Configure destination-port, protocol and ether-type to classify NTP (Network Time Protocol) flow, and mapping to forwarding class copp-class1.
admin@Xorplus# set firewall filter copp sequence 91 from destination-port 123
admin@Xorplus# set firewall filter copp sequence 91 from protocol udp
admin@Xorplus# set firewall filter copp sequence 91 then forwarding-class copp-class1
admin@Xorplus# set firewall filter copp sequence 92 from destination-port 123
admin@Xorplus# set firewall filter copp sequence 92 from ether-type 34525
admin@Xorplus# set firewall filter copp sequence 92 from protocol udp
admin@Xorplus# set firewall filter copp sequence 92 then forwarding-class copp-class1Step4 Configure destination-port, protocol and ether-type to classify TFTP flow, and mapping to forwarding class copp-class2.
admin@Xorplus# set firewall filter copp sequence 108 from destination-port 69
admin@Xorplus# set firewall filter copp sequence 108 from protocol udp
admin@Xorplus# set firewall filter copp sequence 108 then forwarding-class copp-class2
admin@Xorplus# set firewall filter copp sequence 109 from source-port 69
admin@Xorplus# set firewall filter copp sequence 109 from protocol udp
admin@Xorplus# set firewall filter copp sequence 109 then forwarding-class copp-class2Step5 Configure destination-mac-address and ether-type to classify SLOW flow, and mapping to forwarding class copp-class4.
admin@Xorplus# set firewall filter copp sequence 111 from destination-mac-address 01:80:C2:00:00:02
admin@Xorplus# set firewall filter copp sequence 111 from ether-type 34825
admin@Xorplus# set firewall filter copp sequence 111 then forwarding-class copp-class4Step6 Commit the configuration.
admin@XorPlus# commitVerify the Configuration
You can use the run show copp bandwidth command to view the bandwidth information, scheduling information and local priority of the forwarding class.
admin@Xorplus# run show copp bandwidth
Forwarding Class Min-Bandwidth Max-Bandwidth Weight Local-Priority Schedule-Mode
default-class 0 100 24 0 WRR
copp-class1 0 180 5 1 WRR
copp-class2 0 180 5 2 WRR
copp-class3 0 200 10 3 WRR
copp-class4 0 300 20 4 WRR
pim-class 0 80 16 8 WRR
igmp-class 0 80 16 9 WRR
vrrp-class 0 80 16 10 WRR
dhcp-class 0 80 16 11 WRR
rip-class 0 80 16 12 WRR
ospf-class 0 80 16 13 WRR
bgp-class 0 80 16 14 WRR
mlag-mac-sync-class 0 80 16 15 WRR
mlag-class 0 80 16 16 WRR
bfd-class 0 80 16 17 WRR
arp-class 20 80 32 18 WRR
arp-class 20 80 32 19 WRR
lldp-class 20 80 32 20 WRR
lacp-class 20 80 32 21 WRR
bpdu-class 20 80 32 22 WRR
management-class 20 80 12 23 WRR
mvrp-class 100 500 32 24 WRR
erps-class 100 500 32 25 WRR
ripng-class 0 500 16 26 WRR You can use the run show filter copp command to view the configuration information of all CoPP policies, both pre-defined and user-defined, and match counter.
admin@Xorplus# run show filter copp
Filter: copp
Description:
Sequence: 10
Description:
match counter: 0 packets
match-condition:
protocol: bpdu
action: forward
forwarding_class: bpdu-class
......
Sequence: 81
Description:
match counter: 0 packets
match-condition:
destination-port: 23..23
protocol: tcp
action: forward
forwarding_class: copp-class3
Sequence: 82
Description:
match counter: 0 packets
match-condition:
destination-port: 107..107
protocol: tcp
action: forward
forwarding_class: copp-class3
policer: 50pps
Sequence: 83
Description:
match counter: 0 packets
match-condition:
destination-port: 22..22
protocol: tcp
action: forward
forwarding_class: copp-class3
policer: 50pps
Sequence: 84
Description:
match counter: 0 packets
match-condition:
protocol: tcp
source-port: 22..22
action: forward
forwarding_class: copp-class3
policer: 50pps
Sequence: 90
Description:
match counter: 0 packets
match-condition:
protocol: dhcp
action: forward
forwarding_class: dhcp-class
Sequence: 91
Description:
match counter: 0 packets
match-condition:
destination-port: 123..123
protocol: udp
action: forward
forwarding_class: copp-class1
Sequence: 92
Description:
match counter: 0 packets
match-condition:
destination-port: 123..123
ether-type: 0x86dd
protocol: udp
action: forward
forwarding_class: copp-class1
Sequence: 100
Description:
match counter: 0 packets
match-condition:
protocol: vrrp
action: forward
forwarding_class: vrrp-class
Sequence: 108
Description:
match counter: 0 packets
match-condition:
destination-port: 69..69
protocol: udp
action: forward
forwarding_class: copp-class2
Sequence: 109
Description:
match counter: 0 packets
match-condition:
protocol: udp
source-port: 69..69
action: forward
forwarding_class: copp-class2
Sequence: 110
Description:
match counter: 0 packets
match-condition:
protocol: igmp
action: forward
forwarding_class: igmp-class
Sequence: 111
Description:
match counter: 0 packets
match-condition:
destination-mac-address: 01:80:c2:00:00:02
ether-type: 0x8809
action: forward
forwarding_class: copp-class4
......
Input interface: inbound-control-planeYou can use the run show class-of-service interface inbound-control-plane command to view the detail configuration information of CoPP profile.
admin@Xorplus# run show class-of-service interface inbound-control-plane
Interface : inbound-control-plane
Scheduler-profile : copp-profile
Forwarding-class Local-priority Scheduler Min-Bandwidth Max-Bandwidth Weight Schedule-Mode
------------------ -------------- --------------------- ------------- ------------- ------ -------------
default-class 0 default-scheduler 0 80 8 WRR
pim-class 8 pim-scheduler 0 80 16 WRR
igmp-class 9 igmp-scheduler 0 80 16 WRR
vrrp-class 10 vrrp-scheduler 0 80 16 WRR
dhcp-class 11 dhcp-scheduler 0 80 16 WRR
rip-class 12 rip-scheduler 0 80 16 WRR
ospf-class 13 ospf-scheduler 0 80 16 WRR
bgp-class 14 bgp-scheduler 0 80 16 WRR
mlag-mac-sync-class 15 mlag-mac-sync-scheduler 0 80 16 WRR
mlag-class 16 mlag-scheduler 0 80 16 WRR
bfd-class 17 bfd-scheduler 0 80 16 WRR
ndp-class 18 arp-scheduler 20 80 32 WRR
arp-class 19 arp-scheduler 20 80 32 WRR
lldp-class 20 lldp-scheduler 20 80 32 WRR
lacp-class 21 lacp-scheduler 20 80 32 WRR
bpdu-class 22 bpdu-scheduler 20 80 32 WRR
management-class 23 management-scheduler 20 80 12 WRR
mvrp-class 24 mvrp-scheduler 20 80 32 WRR
erps-class 25 erps-scheduler 20 80 32 WRR
ripng-class 26 ripng-scheduler 0 80 16 WRR You can use the run show copp statistics command to view the statistics information of the forwarding class, including input and dropped packets and rate.
admin@Xorplus# run show copp statistics
All Copp Traffic statistics:
Input rate 272 bits/sec, 0 packets/sec
Input Packets............................1
Input Octets.............................153
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0
arp-class Traffic statistics:
forwarding-class state: inactive
Input rate 0 bits/sec, 0 packets/sec
Input Packets............................0
Input Octets.............................0
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0
copp-class1 Traffic statistics:
forwarding-class state: active
Input rate 0 bits/sec, 0 packets/sec
Input Packets............................0
Input Octets.............................0
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0
copp-class2 Traffic statistics:
forwarding-class state: active
Input rate 0 bits/sec, 0 packets/sec
Input Packets............................0
Input Octets.............................0
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0
copp-class3 Traffic statistics:
forwarding-class state: active
Input rate 0 bits/sec, 0 packets/sec
Input Packets............................106293
Input Octets.............................19345326
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0
copp-class4 Traffic statistics:
forwarding-class state: active
Input rate 0 bits/sec, 0 packets/sec
Input Packets............................0
Input Octets.............................0
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0
......You can use the run show copp statistics active command to view the statistics information of the forwarding class, state of which is active.
admin@Xorplus# run show copp statistics active
All Copp Traffic statistics:
Input rate 272 bits/sec, 0 packets/sec
Input Packets............................1
Input Octets.............................153
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0
copp-class1 Traffic statistics:
forwarding-class state: active
Input rate 0 bits/sec, 0 packets/sec
Input Packets............................0
Input Octets.............................0
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0
copp-class2 Traffic statistics:
forwarding-class state: active
Input rate 0 bits/sec, 0 packets/sec
Input Packets............................0
Input Octets.............................0
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0
copp-class3 Traffic statistics:
forwarding-class state: active
Input rate 0 bits/sec, 0 packets/sec
Input Packets............................106293
Input Octets.............................19345326
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0
copp-class4 Traffic statistics:
forwarding-class state: active
Input rate 0 bits/sec, 0 packets/sec
Input Packets............................0
Input Octets.............................0
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0You can use the run show copp statistics forwarding-class command to view the statistics information of the specified forwarding class.
admin@Xorplus# run show copp statistics forwarding-class copp-class1
copp-class1 Traffic statistics:
forwarding-class state: active
Input rate 0 bits/sec, 0 packets/sec
Input Packets............................0
Input Octets.............................0
Drop rate 0 bits/sec, 0 packets/sec
Drop Packets.............................0
Drop Octets..............................0You can use the run show interface stm command to view the total STM resources that are available and how many STM entries are in use. The item number of firewall egress tables is used for describing STM resources of CoPP. By default, the value of number of firewall egress tables in Stm resource in use: is 21 as have been used by the default CoPP configurations.
admin@Xorplus# run show interface stm
Total stm resource:
Share-mode: 5
number of host routes: 32768
number of mac unicast addresses: 32768
number of firewall ingress tables: 896
number of firewall egress tables: 510
number of IPv4 unicast routes: 5000
number of IPv6 unicast routes: 500
Stm resource in use:
number of firewall ingress tables: 2
number of firewall egress tables: 29You can use the run clear copp statistics command to clear the past statistics information of CoPP policy.
admin@Xorplus# run clear copp statistics
admin@Xorplus# commitCopyright © 2025 Pica8 Inc. All Rights Reserved.