Several commands can help you configure, safeguard, and troubleshoot Control Plane Policing.
|
Command |
How to use for CoPP |
|---|---|
|
ip icmp-fragment enable |
Drop ICMP fragment packets before they are used by hackers for Denial of Service (DoS) attacks. |
|
ip option disable |
Discard IP packets with options before hackers send such packets to initiate DoS attacks. |
|
ip access-list extended class-map match access-group policy-map |
Configure rate limiting actions. For more information, see CoPP Rate Limiting. |
|
ip access-list extended ip receive access-group ipv6 access-list extended ipv6 receive access-group |
Permit or deny unicast and multicast control packets. For more information, see CoPP Discard and Permit for Control Packets. |
|
Command |
How to use for CoPP |
|---|---|
|
show access-list receive |
See the configuration for permit and deny rules for control plan protection. |
|
show statistics access-list |
See statistics for packets that meet the permit and deny rules configured for control plane protection. |
|
show policy-map control-plane |
See the configuration of the policy map attached to a control plane interface. |
|
show interface ethernet inc rate |
See whether the control plane is receiving packets at the configured rate. |
|
show qos cpu info show qos cpu cfg |
CPU ports that allow packets into the control plane have limited bandwidth. View the maximum CPU rates and weighted fair queue values for the various VOQ groups. |