Configuration Example
Networking Requirements
To protect the switch CPU from attacks and from being overloaded by control-plane packets, so that data forwarding and the network topology stay stable, configure a separate CoPP policy for the flows of different control-plane protocols: SSH, NTP, TFTP and SLOW (Slow Protocols such as LACP).
Procedure
Step 1 Configure CoPP queue mapping, scheduling weight, scheduling algorithm and queue shaping.
admin@Xorplus# set class-of-service scheduler copp-scheduler180 mode WRR
admin@Xorplus# set class-of-service scheduler copp-scheduler180 max-bandwidth-pps 180
admin@Xorplus# set class-of-service scheduler copp-scheduler180 min-bandwidth-pps 0
admin@Xorplus# set class-of-service scheduler copp-scheduler180 weight 5
admin@Xorplus# set class-of-service scheduler-profile copp-profile forwarding-class copp-class1 scheduler copp-scheduler180
admin@Xorplus# set class-of-service scheduler-profile copp-profile forwarding-class copp-class2 scheduler copp-scheduler180
admin@Xorplus# set class-of-service scheduler copp-scheduler200 mode WRR
admin@Xorplus# set class-of-service scheduler copp-scheduler200 max-bandwidth-pps 200
admin@Xorplus# set class-of-service scheduler copp-scheduler200 min-bandwidth-pps 0
admin@Xorplus# set class-of-service scheduler copp-scheduler200 weight 10
admin@Xorplus# set class-of-service scheduler-profile copp-profile forwarding-class copp-class3 scheduler copp-scheduler200
admin@Xorplus# set class-of-service scheduler copp-scheduler300 mode WRR
admin@Xorplus# set class-of-service scheduler copp-scheduler300 max-bandwidth-pps 300
admin@Xorplus# set class-of-service scheduler copp-scheduler300 min-bandwidth-pps 0
admin@Xorplus# set class-of-service scheduler copp-scheduler300 weight 20
admin@Xorplus# set class-of-service scheduler-profile copp-profile forwarding-class copp-class4 scheduler copp-scheduler300
# Configure a 50 pps policer.
admin@Xorplus# set firewall policer 50pps if-exceeding rate-limit 50
admin@Xorplus# set firewall policer 50pps if-exceeding burst-limit 50
# Configure the mapping between forwarding class and local priority.
admin@Xorplus# set class-of-service forwarding-class copp-class1 local-priority 1
admin@Xorplus# set class-of-service forwarding-class copp-class2 local-priority 2
admin@Xorplus# set class-of-service forwarding-class copp-class3 local-priority 3
admin@Xorplus# set class-of-service forwarding-class copp-class4 local-priority 4
Step 2 Classify the SSH flow by destination port and protocol and map it to forwarding class copp-class3. Sequence 83 matches packets to TCP port 22 and sequence 84 matches packets from TCP port 22; both are mapped to copp-class3 and rate-limited by the 50pps policer.
admin@Xorplus# set firewall filter copp sequence 83 then action forward
admin@Xorplus# set firewall filter copp sequence 83 from destination-port 22
admin@Xorplus# set firewall filter copp sequence 83 from protocol tcp
admin@Xorplus# set firewall filter copp sequence 83 then forwarding-class copp-class3
admin@Xorplus# set firewall filter copp sequence 83 then policer 50pps
admin@Xorplus# set firewall filter copp sequence 84 then action forward
admin@Xorplus# set firewall filter copp sequence 84 from source-port 22
admin@Xorplus# set firewall filter copp sequence 84 from protocol tcp
admin@Xorplus# set firewall filter copp sequence 84 then forwarding-class copp-class3
admin@Xorplus# set firewall filter copp sequence 84 then policer 50pps
Step 3 Classify the NTP (Network Time Protocol) flow by destination port, protocol and ether-type and map it to forwarding class copp-class1. Sequence 91 matches UDP port 123; sequence 92 additionally matches ether-type 34525 (0x86DD, IPv6).
admin@Xorplus# set firewall filter copp sequence 91 then action forward
admin@Xorplus# set firewall filter copp sequence 91 from destination-port 123
admin@Xorplus# set firewall filter copp sequence 91 from protocol udp
admin@Xorplus# set firewall filter copp sequence 91 then forwarding-class copp-class1
admin@Xorplus# set firewall filter copp sequence 92 then action forward
admin@Xorplus# set firewall filter copp sequence 92 from destination-port 123
admin@Xorplus# set firewall filter copp sequence 92 from ether-type 34525
admin@Xorplus# set firewall filter copp sequence 92 from protocol udp
admin@Xorplus# set firewall filter copp sequence 92 then forwarding-class copp-class1
Step 4 Classify the TFTP flow by destination port (sequence 108), source port (sequence 109) and protocol and map it to forwarding class copp-class2.
admin@Xorplus# set firewall filter copp sequence 108 then action forward
admin@Xorplus# set firewall filter copp sequence 108 from destination-port 69
admin@Xorplus# set firewall filter copp sequence 108 from protocol udp
admin@Xorplus# set firewall filter copp sequence 108 then forwarding-class copp-class2
admin@Xorplus# set firewall filter copp sequence 109 then action forward
admin@Xorplus# set firewall filter copp sequence 109 from source-port 69
admin@Xorplus# set firewall filter copp sequence 109 from protocol udp
admin@Xorplus# set firewall filter copp sequence 109 then forwarding-class copp-class2
Step 5 Classify the SLOW flow (Slow Protocols such as LACP) by destination MAC address 01:80:C2:00:00:02 and ether-type 34825 (0x8809) and map it to forwarding class copp-class4.
admin@Xorplus# set firewall filter copp sequence 111 then action forward
admin@Xorplus# set firewall filter copp sequence 111 from destination-mac-address 01:80:C2:00:00:02
admin@Xorplus# set firewall filter copp sequence 111 from ether-type 34825
admin@Xorplus# set firewall filter copp sequence 111 then forwarding-class copp-class4
Step 6 Commit the configuration.
admin@XorPlus# commit
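As an added example (not Pica8 or PicOS code), the policy built in Steps 1 to 5 modelled in Python: first-match classification over the filter rules, the 50pps token-bucket policer on the SSH rules, and the per-class max-bandwidth-pps ceilings approximated as a per-second admission count. Assumed, and not stated on this page: a rule without an ether-type matches IPv4 only, unmatched traffic lands in default-class, and the policer behaves as a single-rate token bucket.

```python
from collections import defaultdict
from fractions import Fraction
# Step 1 ceilings (max-bandwidth-pps); default-class 100 is taken from show copp bandwidth.
CLASS_MAX_PPS = {"copp-class1": 180, "copp-class2": 180, "copp-class3": 200,
                 "copp-class4": 300, "default-class": 100}
# Steps 2-5: (sequence, match fields, forwarding class, policer) in sequence order.
RULES = [
    (83, {"proto": "tcp", "dport": 22}, "copp-class3", "50pps"),
    (84, {"proto": "tcp", "sport": 22}, "copp-class3", "50pps"),
    (91, {"proto": "udp", "dport": 123}, "copp-class1", None),
    (92, {"proto": "udp", "dport": 123, "ether_type": 0x86DD}, "copp-class1", None),
    (108, {"proto": "udp", "dport": 69}, "copp-class2", None),
    (109, {"proto": "udp", "sport": 69}, "copp-class2", None),
    (111, {"dmac": "01:80:c2:00:00:02", "ether_type": 0x8809}, "copp-class4", None),
]
def classify(pkt):
    """Return (sequence, forwarding class, policer) of the first matching rule."""
    for seq, match, fclass, policer in RULES:
        cond = {"ether_type": 0x0800, **match}   # assumed: no ether-type means IPv4 only
        if all(pkt.get(k) == v for k, v in cond.items()):
            return seq, fclass, policer
    return None, "default-class", None           # assumed: unmatched traffic -> default-class

class TokenBucket:
    """Single-rate policer: tokens refill at rate_pps up to burst; one token per packet."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst, self.tokens, self.last = rate_pps, burst, burst, Fraction(0)
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        self.tokens -= (ok := self.tokens >= 1)
        return ok

def simulate(packets):
    """packets: [(Fraction seconds, fields)] -> {forwarding class: (passed, dropped)}."""
    buckets = {"50pps": TokenBucket(50, 50)}     # Step 1 policer: rate-limit 50, burst-limit 50
    admitted, stats = defaultdict(int), defaultdict(lambda: [0, 0])
    for now, pkt in sorted(packets, key=lambda p: p[0]):
        _, fclass, policer = classify(pkt)
        ok = policer is None or buckets[policer].allow(now)
        if ok:                                   # policer first, then the class ceiling
            key = (fclass, int(now))             # ceiling modelled per whole second
            ok = admitted[key] < CLASS_MAX_PPS[fclass]
            admitted[key] += ok
        stats[fclass][0 if ok else 1] += 1
    return {c: tuple(v) for c, v in stats.items()}
def flood_demo():  # constructed input: 300 SSH SYNs and 400 NTP queries within one second
    pkts = [(Fraction(i, 300), {"ether_type": 0x0800, "proto": "tcp", "dport": 22}) for i in range(300)]
    pkts += [(Fraction(i, 400), {"ether_type": 0x0800, "proto": "udp", "dport": 123}) for i in range(400)]
    return simulate(pkts)
```

With that input the policer admits about burst plus one second of rate (99 of 300 SSH packets), while the unpoliced NTP flow is cut at the copp-class1 ceiling (180 of 400).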
Verify the Configuration
- You can use the run show copp bandwidth command to view the bandwidth information, scheduling information and local priority of the forwarding class.
admin@Xorplus# run show copp bandwidth
Forwarding Class     Min-Bandwidth  Max-Bandwidth  Weight  Local-Priority  Schedule-Mode
default-class        0              100            24      0               WRR
copp-class1          0              180            5       1               WRR
copp-class2          0              180            5       2               WRR
copp-class3          0              200            10      3               WRR
copp-class4          0              300            20      4               WRR
pim-class            0              80             16      8               WRR
igmp-class           0              80             16      9               WRR
vrrp-class           0              80             16      10              WRR
dhcp-class           0              80             16      11              WRR
rip-class            0              80             16      12              WRR
ospf-class           0              80             16      13              WRR
bgp-class            0              80             16      14              WRR
mlag-mac-sync-class  0              80             16      15              WRR
mlag-class           0              80             16      16              WRR
bfd-class            0              80             16      17              WRR
arp-class            20             80             32      18              WRR
arp-class            20             80             32      19              WRR
lldp-class           20             80             32      20              WRR
lacp-class           20             80             32      21              WRR
bpdu-class           20             80             32      22              WRR
management-class     20             80             12      23              WRR
mvrp-class           100            500            32      24              WRR
erps-class           100            500            32      25              WRR
ripng-class          0              500            16      26              WRR
- You can use the run show filter copp command to view the configuration of all CoPP policies, both pre-defined and user-defined, together with their match counters.
admin@Xorplus# run show filter copp
Filter: copp
  Description:
  Sequence: 10
    Description:
    match counter: 0 packets
    match-condition:
      protocol: bpdu
    action: forward
    forwarding_class: bpdu-class
  ......
  Sequence: 81
    Description:
    match counter: 0 packets
    match-condition:
      destination-port: 23..23
      protocol: tcp
    action: forward
    forwarding_class: copp-class3
  Sequence: 82
    Description:
    match counter: 0 packets
    match-condition:
      destination-port: 107..107
      protocol: tcp
    action: forward
    forwarding_class: copp-class3
    policer: 50pps
  Sequence: 83
    Description:
    match counter: 0 packets
    match-condition:
      destination-port: 22..22
      protocol: tcp
    action: forward
    forwarding_class: copp-class3
    policer: 50pps
  Sequence: 84
    Description:
    match counter: 0 packets
    match-condition:
      protocol: tcp
      source-port: 22..22
    action: forward
    forwarding_class: copp-class3
    policer: 50pps
  Sequence: 90
    Description:
    match counter: 0 packets
    match-condition:
      protocol: dhcp
    action: forward
    forwarding_class: dhcp-class
  Sequence: 91
    Description:
    match counter: 0 packets
    match-condition:
      destination-port: 123..123
      protocol: udp
    action: forward
    forwarding_class: copp-class1
  Sequence: 92
    Description:
    match counter: 0 packets
    match-condition:
      destination-port: 123..123
      ether-type: 0x86dd
      protocol: udp
    action: forward
    forwarding_class: copp-class1
  Sequence: 100
    Description:
    match counter: 0 packets
    match-condition:
      protocol: vrrp
    action: forward
    forwarding_class: vrrp-class
  Sequence: 108
    Description:
    match counter: 0 packets
    match-condition:
      destination-port: 69..69
      protocol: udp
    action: forward
    forwarding_class: copp-class2
  Sequence: 109
    Description:
    match counter: 0 packets
    match-condition:
      protocol: udp
      source-port: 69..69
    action: forward
    forwarding_class: copp-class2
  Sequence: 110
    Description:
    match counter: 0 packets
    match-condition:
      protocol: igmp
    action: forward
    forwarding_class: igmp-class
  Sequence: 111
    Description:
    match counter: 0 packets
    match-condition:
      destination-mac-address: 01:80:c2:00:00:02
      ether-type: 0x8809
    action: forward
    forwarding_class: copp-class4
  ......
  Input interface: inbound-control-plane
- You can use the run show class-of-service interface inbound-control-plane command to view the detailed configuration of the CoPP profile.
admin@Xorplus# run show class-of-service interface inbound-control-plane
Interface         : inbound-control-plane
Scheduler-profile : copp-profile
Forwarding-class     Local-priority  Scheduler                Min-Bandwidth  Max-Bandwidth  Weight  Schedule-Mode
------------------   --------------  -----------------------  -------------  -------------  ------  -------------
default-class        0               default-scheduler        0              80             8       WRR
pim-class            8               pim-scheduler            0              80             16      WRR
igmp-class           9               igmp-scheduler           0              80             16      WRR
vrrp-class           10              vrrp-scheduler           0              80             16      WRR
dhcp-class           11              dhcp-scheduler           0              80             16      WRR
rip-class            12              rip-scheduler            0              80             16      WRR
ospf-class           13              ospf-scheduler           0              80             16      WRR
bgp-class            14              bgp-scheduler            0              80             16      WRR
mlag-mac-sync-class  15              mlag-mac-sync-scheduler  0              80             16      WRR
mlag-class           16              mlag-scheduler           0              80             16      WRR
bfd-class            17              bfd-scheduler            0              80             16      WRR
ndp-class            18              arp-scheduler            20             80             32      WRR
arp-class            19              arp-scheduler            20             80             32      WRR
lldp-class           20              lldp-scheduler           20             80             32      WRR
lacp-class           21              lacp-scheduler           20             80             32      WRR
bpdu-class           22              bpdu-scheduler           20             80             32      WRR
management-class     23              management-scheduler     20             80             12      WRR
mvrp-class           24              mvrp-scheduler           20             80             32      WRR
erps-class           25              erps-scheduler           20             80             32      WRR
ripng-class          26              ripng-scheduler          0              80             16      WRR
- You can use the run show copp statistics command to view the statistics information of the forwarding class, including input and dropped packets and rate.
admin@Xorplus# run show copp statistics
All Copp Traffic statistics:
    Input rate 272 bits/sec, 0 packets/sec
    Input Packets............................1
    Input Octets.............................153
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
arp-class Traffic statistics:
    forwarding-class state: inactive
    Input rate 0 bits/sec, 0 packets/sec
    Input Packets............................0
    Input Octets.............................0
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
copp-class1 Traffic statistics:
    forwarding-class state: active
    Input rate 0 bits/sec, 0 packets/sec
    Input Packets............................0
    Input Octets.............................0
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
copp-class2 Traffic statistics:
    forwarding-class state: active
    Input rate 0 bits/sec, 0 packets/sec
    Input Packets............................0
    Input Octets.............................0
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
copp-class3 Traffic statistics:
    forwarding-class state: active
    Input rate 0 bits/sec, 0 packets/sec
    Input Packets............................106293
    Input Octets.............................19345326
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
copp-class4 Traffic statistics:
    forwarding-class state: active
    Input rate 0 bits/sec, 0 packets/sec
    Input Packets............................0
    Input Octets.............................0
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
......
- You can use the run show copp statistics active command to view the statistics of only those forwarding classes whose state is active.
admin@Xorplus# run show copp statistics active
All Copp Traffic statistics:
    Input rate 272 bits/sec, 0 packets/sec
    Input Packets............................1
    Input Octets.............................153
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
copp-class1 Traffic statistics:
    forwarding-class state: active
    Input rate 0 bits/sec, 0 packets/sec
    Input Packets............................0
    Input Octets.............................0
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
copp-class2 Traffic statistics:
    forwarding-class state: active
    Input rate 0 bits/sec, 0 packets/sec
    Input Packets............................0
    Input Octets.............................0
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
copp-class3 Traffic statistics:
    forwarding-class state: active
    Input rate 0 bits/sec, 0 packets/sec
    Input Packets............................106293
    Input Octets.............................19345326
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
copp-class4 Traffic statistics:
    forwarding-class state: active
    Input rate 0 bits/sec, 0 packets/sec
    Input Packets............................0
    Input Octets.............................0
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
- You can use the run show copp statistics forwarding-class command to view the statistics information of the specified forwarding class.
admin@Xorplus# run show copp statistics forwarding-class copp-class1
copp-class1 Traffic statistics:
    forwarding-class state: active
    Input rate 0 bits/sec, 0 packets/sec
    Input Packets............................0
    Input Octets.............................0
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
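Added example (not PicOS code): a parser for the show copp statistics layout shown above that flags forwarding classes reporting drops, which is the signal that a class is being held at its policer or queue ceiling and worth checking against the expected traffic. The sample output is constructed; the non-zero drop counters on copp-class3 are made up to exercise the check.

```python
import re
# Constructed sample in the layout of "run show copp statistics"; the
# non-zero drop counters on copp-class3 are made up to exercise the check.
SAMPLE = """\
All Copp Traffic statistics:
    Input rate 372000 bits/sec, 310 packets/sec
    Input Packets............................110413
    Input Octets.............................19963326
    Drop rate 312000 bits/sec, 260 packets/sec
    Drop Packets.............................4120
    Drop Octets..............................618000
copp-class1 Traffic statistics:
    forwarding-class state: active
    Input rate 0 bits/sec, 0 packets/sec
    Input Packets............................0
    Input Octets.............................0
    Drop rate 0 bits/sec, 0 packets/sec
    Drop Packets.............................0
    Drop Octets..............................0
copp-class3 Traffic statistics:
    forwarding-class state: active
    Input rate 372000 bits/sec, 310 packets/sec
    Input Packets............................110413
    Input Octets.............................19963326
    Drop rate 312000 bits/sec, 260 packets/sec
    Drop Packets.............................4120
    Drop Octets..............................618000
"""
BLOCK = re.compile(r"^(\S.*?) Traffic statistics:\n((?:[ \t].*\n?)*)", re.M)
COUNTER = re.compile(r"^\s*(Input|Drop) (Packets|Octets)\.+(\d+)", re.M)
RATE = re.compile(r"^\s*(Input|Drop) rate (\d+) bits/sec, (\d+) packets/sec", re.M)

def parse_copp_stats(text):
    """Map each block name ("All Copp" or a forwarding class) to its counters."""
    out = {}
    for name, body in BLOCK.findall(text):
        state = re.search(r"forwarding-class state: (\w+)", body)
        entry = {"state": state.group(1) if state else None}
        for kind, what, val in COUNTER.findall(body):      # e.g. drop_packets
            entry[f"{kind.lower()}_{what.lower()}"] = int(val)
        for kind, _bps, pps in RATE.findall(body):          # e.g. drop_pps
            entry[f"{kind.lower()}_pps"] = int(pps)
        out[name] = entry
    return out

def classes_with_drops(text, min_drop_pps=0):
    """Forwarding classes with a non-zero drop counter or a drop rate above the threshold."""
    return sorted(name for name, e in parse_copp_stats(text).items() if name != "All Copp"
                  and (e.get("drop_packets", 0) > 0 or e.get("drop_pps", 0) > min_drop_pps))
```

Running it against the real command output (for example via a scheduled SSH poll) turns the counters into an alert condition; the "All Copp" aggregate is parsed too but excluded from the per-class check.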
- You can use the run show interface stm command to view the total STM resources available and how many STM entries are in use. The number of firewall egress tables is the item that describes the STM resources consumed by CoPP. By default, number of firewall egress tables under Stm resource in use: is 21, because the default CoPP configuration already occupies 21 entries.
admin@Xorplus# run show interface stm
Total stm resource:
    Share-mode: 5
    number of host routes: 32768
    number of mac unicast addresses: 32768
    number of firewall ingress tables: 896
    number of firewall egress tables: 510
    number of IPv4 unicast routes: 5000
    number of IPv6 unicast routes: 500
Stm resource in use:
    number of firewall ingress tables: 2
    number of firewall egress tables: 29
- You can use the run clear copp statistics command to clear the accumulated CoPP policy statistics.
admin@Xorplus# run clear copp statistics
admin@Xorplus# commit
Copyright © 2024 Pica8 Inc. All Rights Reserved.