Cisco Nexus Switch Functional Planes
The Cisco Nexus switch by design divides the traffic it manages into three functional components or planes:
- Data plane: Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called the transit packets. These packets are handled by the data plane.
- Control plane: Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol (BGP) and the Open Shortest Path First (OSPF) protocol, send control packets between devices. These packets are destined to router addresses and are called control plane packets.
- Management plane: Runs the components meant for Cisco NX-OS device management purposes, such as the command-line interface (CLI) and Simple Network Management Protocol (SNMP).
The Cisco NX-OS device provides control plane policing (CoPP), which protects the control plane and separates it from the data plane, thus ensuring network stability, reachability, and packet delivery. The CoPP feature allows a policy map to be applied to the control plane. This policy map looks like a normal quality of service (QoS) policy and is applied to all traffic entering the switch from a non-management port.
The Cisco Nexus switch supervisor module has both the management plane and control plane and is critical to the operation of the network. Any disruption to or attacks against the supervisor module will result in serious network outages. For example, excessive traffic to the supervisor module could overload and slow down the performance of the entire Cisco NX-OS device. To protect the control plane, the Cisco NX-OS device segregates different packets destined for the control plane into different classes. Once these classes are identified, the Cisco NX-OS device polices the packets, which ensures that the supervisor module is not overwhelmed.
The following types of packets can reach the control plane:
- Receive packets: Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and keepalive messages. Multicast packets can also be in this category, where packets are sent to multicast addresses used by a router.
- Exception packets: Packets that need special handling by the supervisor module. For example, if a destination address is not present in the Forwarding Information Base (FIB) and results in a miss, the supervisor module sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options set.
- Redirected packets: Packets that are redirected to the supervisor module.
- Glean packets: If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet and sends an ARP request to the host.
All of these different packets could be maliciously used to attack the control plane and overwhelm the Cisco NX-OS device. CoPP classifies these packets into different classes and provides a mechanism to individually control the rate at which the supervisor module receives each class. For example, you might want to be less strict with a protocol packet such as a Hello message but more strict with a packet that is sent to the supervisor module only because it has an IP option set. You configure packet classifications and rate-controlling policies using class maps and policy maps.
Table 5-1 summarizes the NX-OS CLI commands related to CoPP verification.
Table 5-1 Summary of NX-OS CLI Commands for CoPP Verification
| Command | Purpose |
| --- | --- |
| show copp status | Displays the CoPP status, including the last configuration operation and its status |
| show copp profile {strict \| moderate \| lenient \| dense} | Displays the details of the CoPP best practice policy, along with the classes and policer values |
| show policy-map interface control-plane | Displays the policy values with associated class maps and drops per policy or class map |
| show copp diff profile {strict \| moderate \| lenient \| dense} [prior-ver] profile {strict \| moderate \| lenient \| dense} | Displays the difference between two CoPP best practice policies |
Example 5-1 shows the CoPP verification on a standalone Nexus 9000 switch.
Example 5-1 CoPP Verification on a Standalone Nexus 9000 Switch
! Reviewing CoPP profile options.
N9K# show copp profile ?
  dense     Display dense profile
  lenient   Display lenient profile
  moderate  Display moderate profile
  strict    Display strict profile

! Reviewing CoPP status. In this output N9K is using the strict profile for CoPP.
N9K# show copp status
Last Config Operation: copp profile strict
Last Config Operation Timestamp: 13:12:26 UTC Dec 12 2021
Last Config Operation Status: Success
Policy-map attached to the control-plane: copp-system-p-policy-strict

! Listing the details of the strict CoPP profile.
N9K# show copp profile strict
ip access-list copp-system-p-acl-auto-rp
  permit ip any 224.0.1.39/32
  permit ip any 224.0.1.40/32
ip access-list copp-system-p-acl-bgp
  permit tcp any gt 1023 any eq bgp
  permit tcp any eq bgp any gt 1023
ipv6 access-list copp-system-p-acl-bgp6
  permit tcp any gt 1023 any eq bgp
  permit tcp any eq bgp any gt 1023
ip access-list copp-system-p-acl-dhcp
  permit udp any eq bootpc any
  permit udp any neq bootps any eq bootps
ip access-list copp-system-p-acl-dhcp-relay-response
  permit udp any eq bootps any
  permit udp any any eq bootpc
<output omitted>

! Viewing the statistics that are compiled for the CoPP class-maps.
N9K# show policy-map interface control-plane
Control Plane
  Service-policy input: copp-system-p-policy-strict
    class-map copp-system-p-class-l3uc-data (match-any)
      match exception glean
      set cos 1
      police cir 800 kbps , bc 32000 bytes
        module 1 :
          transmitted 146 bytes;
            5-minute offered rate 0 bytes/sec
            conformed 0 peak-rate bytes/sec
          dropped 0 bytes;
            5-min violate rate 0 byte/sec
            violated 0 peak-rate byte/sec
    class-map copp-system-p-class-critical (match-any)
      match access-group name copp-system-p-acl-bgp
      match access-group name copp-system-p-acl-rip
      match access-group name copp-system-p-acl-vpc
      match access-group name copp-system-p-acl-bgp6
      match access-group name copp-system-p-acl-ospf
      match access-group name copp-system-p-acl-rip6
      match access-group name copp-system-p-acl-eigrp
      match access-group name copp-system-p-acl-ospf6
      match access-group name copp-system-p-acl-eigrp6
      match access-group name copp-system-p-acl-auto-rp
      match access-group name copp-system-p-acl-mac-l3-isis
      set cos 7
      police cir 36000 kbps , bc 1280000 bytes
        module 1 :
          transmitted 100947782 bytes;
            5-minute offered rate 15 bytes/sec
            conformed 51 peak-rate bytes/sec
              at Wed Dec 22 08:22:02 2021
          dropped 0 bytes;
            5-min violate rate 0 byte/sec
            violated 0 peak-rate byte/sec
<output omitted>

! Filtering the CoPP statistics to obtain an aggregate view of the conformed and violated
! counters for all the CoPP class-maps.
N9K# show policy-map interface control-plane | include class|conform|violated
    class-map copp-system-p-class-l3uc-data (match-any)
            conformed 0 peak-rate bytes/sec
            violated 0 peak-rate byte/sec
    class-map copp-system-p-class-critical (match-any)
            conformed 51 peak-rate bytes/sec
            violated 0 peak-rate byte/sec
    class-map copp-system-p-class-important (match-any)
            conformed 66 peak-rate bytes/sec
            violated 0 peak-rate byte/sec
    class-map copp-system-p-class-openflow (match-any)
            conformed 0 peak-rate bytes/sec
            violated 0 peak-rate byte/sec
    class-map copp-system-p-class-multicast-router (match-any)
            conformed 19 peak-rate bytes/sec
            violated 0 peak-rate byte/sec
    class-map copp-system-p-class-multicast-host (match-any)
            conformed 0 peak-rate bytes/sec
            violated 0 peak-rate byte/sec
<output omitted>

! Comparing CoPP profiles. In this output we are comparing the dense and strict CoPP profiles.
N9K# show copp diff profile dense profile strict
Prior Profile Doesn't Exist.
'+' Line presents only in profile dense (ver: 10.2(1)I9(1))
'-' Line presents only in profile strict (ver: 10.2(1)I9(1))
-policy-map type control-plane copp-system-p-policy-strict
-  class copp-system-p-class-l3uc-data
-    set cos 1
-    police cir 800 kbps bc 32000 bytes conform transmit violate drop
-  class copp-system-p-class-critical
-    set cos 7
-    police cir 36000 kbps bc 1280000 bytes conform transmit violate drop
-  class copp-system-p-class-important
-    set cos 6
-    police cir 2500 kbps bc 1280000 bytes conform transmit violate drop
-  class copp-system-p-class-openflow
-    set cos 5
-    police cir 1000 kbps bc 32000 bytes conform transmit violate drop
-  class copp-system-p-class-multicast-router
-    set cos 6
-    police cir 2600 kbps bc 128000 bytes conform transmit violate drop
<output omitted>
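The verification commands above are only useful if someone reads the counters. As an added example (not from the book or from Cisco), the following Python parser turns `show policy-map interface control-plane` output into per-class policer and drop counters and flags the classes whose policer is dropping bytes, which is the check an operator would run periodically from a collector. The sample output is constructed in the layout of Example 5-1, with drops added to the glean (l3uc-data) class so the check has something to find.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the "show policy-map interface control-plane"
# output in Example 5-1, trimmed to the lines the parser reads. The l3uc-data
# (glean) class has been given non-zero drop counters so the check finds something.
SAMPLE_OUTPUT = """\
Control Plane
  Service-policy input: copp-system-p-policy-strict
    class-map copp-system-p-class-l3uc-data (match-any)
      police cir 800 kbps , bc 32000 bytes
        module 1 :
          transmitted 146 bytes;
          dropped 48600 bytes;
            5-min violate rate 162 byte/sec
    class-map copp-system-p-class-critical (match-any)
      police cir 36000 kbps , bc 1280000 bytes
        module 1 :
          transmitted 100947782 bytes;
          dropped 0 bytes;
            5-min violate rate 0 byte/sec
"""

@dataclass
class CoppClass:
    name: str
    cir_kbps: int        # policer rate from the "police cir" line
    transmitted: int     # bytes that conformed and reached the supervisor
    dropped: int         # bytes the policer dropped (violate drop)
    violate_rate: int    # 5-minute violate rate in bytes/sec

def _num(pattern, block):
    """First integer capture of pattern in block, or 0 when the line is absent."""
    m = re.search(pattern, block)
    return int(m.group(1)) if m else 0

def parse_copp_stats(text):
    """Split the output on class-map headers and read each class's policer and counters."""
    classes = []
    for block in re.split(r"^\s*class-map ", text, flags=re.M)[1:]:
        classes.append(CoppClass(
            name=block.split()[0],
            cir_kbps=_num(r"police cir (\d+) kbps", block),
            transmitted=_num(r"transmitted (\d+) bytes", block),
            dropped=_num(r"dropped (\d+) bytes", block),
            violate_rate=_num(r"violate rate (\d+) byte", block)))
    return classes

def classes_with_drops(text):
    """Classes whose policer dropped bytes: a policer tuned too low or a flood at the supervisor."""
    return [c.name for c in parse_copp_stats(text) if c.dropped > 0]
```

Drops in a protocol class such as copp-system-p-class-critical deserve immediate attention, since they mean BGP or OSPF packets are being discarded; drops in the glean or exception classes are the expected symptom of a scan or flood and confirm the policer is doing its job.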