Control Plane Policing

Control Plane Policing helps regulate the flow of control packets to a local processor.

A packet that is processed by an ASIC in a device can have different destinations in the device. A packet can exit the switch from its front-end ports (the data path) or it can enter the local processor for further processing (the control path).

Control packets such as SSH, ICMP, Telnet, ARP, and BGP are handled by the local processor. These control packets are matched against address fields by either exact match or prefix match. The decision whether to trap a packet to the local processor is configured in the control classifier engine in the ASIC. Control packets can be trapped to the local processor at the highest rate the software module expects to handle. The rest of the packets are dropped.

Each type of control packet has a different level of significance in software modules. Some protocols are critical for operations and maintenance, some are intolerant to latency, and others are intolerant to packet loss. Over-subscription of the control path is a typical problem that calls for regulated policing. Rogue packets, whether from malicious or non-malicious events, can overwhelm processor resources and bring down critical operations on the processors. Therefore, it is essential to regulate the flow of control plane packets based on control packet type.

Control Plane Policing (CoPP) helps regulate the flow of control packets to the local processor at a predefined rate, up to and including discarding the packets. The control plane handles various types of flows:

SLX-OS allows for pattern matching using a variety of packet fields and signatures in flows sent toward the control plane and uses pattern matching engines to trap traffic toward the CPU. CoPP extends the action with components that offer policing, metering, and denial to throttle or drop the pattern-matched control packets. CoPP allows individual flows to be controlled at a granular level according to your needs.
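The classify-then-police behavior described above, modeled as an added Python example (not SLX-OS code or configuration): packets are matched to a control class by exact or prefix match, and each class has its own policer, so an ICMP flood is dropped at its own limit while BGP is still trapped. The addresses, class names and rate limits are constructed assumptions, and the token bucket is a common policer model rather than a description of the ASIC.

```python
import ipaddress

LOCAL = ipaddress.ip_network("192.0.2.1/32")     # constructed: exact match
MGMT = ipaddress.ip_network("198.51.100.0/24")   # constructed: prefix match
# Constructed classifier entries: (class, IP protocol, dst port or None, dst network)
RULES = [("bgp", 6, 179, LOCAL), ("ssh", 6, 22, MGMT), ("icmp", 1, None, LOCAL)]
# Assumed per-class limits: (packets per second, burst size)
RATES = {"bgp": (1000, 100), "ssh": (100, 20), "icmp": (50, 10)}

class Policer:
    """Token bucket: refills at rate_pps, holds at most burst tokens."""
    def __init__(self, rate_pps, burst):
        self.rate_pps, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        refill = (now - self.last) * self.rate_pps
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens < 1:
            return False          # over the class rate: drop
        self.tokens -= 1
        return True               # within the class rate: trap to the CPU

def classify(pkt):
    """Return the control class of a packet, or None for data-path traffic."""
    dst = ipaddress.ip_address(pkt["dst"])
    for name, proto, port, net in RULES:
        if pkt["proto"] == proto and dst in net and port in (None, pkt.get("dport")):
            return name
    return None

def run(packets):
    """Feed (timestamp, packet) pairs through the classifier and policers."""
    policers = {name: Policer(*limits) for name, limits in RATES.items()}
    stats = {name: {"trapped": 0, "dropped": 0} for name in RATES}
    for ts, pkt in packets:
        cls = classify(pkt)
        if cls is not None:
            verdict = "trapped" if policers[cls].allow(ts) else "dropped"
            stats[cls][verdict] += 1
    return stats

def sample_traffic():
    """Constructed one-second trace: 10,000 pps ICMP flood plus 10 BGP packets."""
    flood = [(i / 10000, {"proto": 1, "dst": "192.0.2.1"}) for i in range(10000)]
    bgp = [(i / 10, {"proto": 6, "dport": 179, "dst": "192.0.2.1"}) for i in range(10)]
    return sorted(flood + bgp, key=lambda p: p[0])

if __name__ == "__main__":
    print(run(sample_traffic()))
```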