Cisco Nexus Switch Functional Planes – Cisco Switch Virtualization

Cisco Nexus Switch Functional Planes

The Cisco Nexus switch by design divides the traffic it manages into three functional components or planes:

  • Data plane: Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called the transit packets. These packets are handled by the data plane.
  • Control plane: Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol (BGP) and the Open Shortest Path First (OSPF) protocol, send control packets between devices. These packets are destined to router addresses and are called control plane packets.
  • Management plane: Runs the components meant for Cisco NX-OS device management purposes, such as the command-line interface (CLI) and Simple Network Management Protocol (SNMP).

The Cisco NX-OS device provides control plane policing (CoPP), which protects the control plane and separates it from the data plane, thus ensuring network stability, reachability, and packet delivery. The CoPP feature allows a policy map to be applied to the control plane. This policy map looks like a normal quality of service (QoS) policy and is applied to all traffic entering the switch from a non-management port.

The Cisco Nexus switch supervisor module has both the management plane and control plane and is critical to the operation of the network. Any disruption to or attacks against the supervisor module will result in serious network outages. For example, excessive traffic to the supervisor module could overload and slow down the performance of the entire Cisco NX-OS device. To protect the control plane, the Cisco NX-OS device segregates different packets destined for the control plane into different classes. Once these classes are identified, the Cisco NX-OS device polices the packets, which ensures that the supervisor module is not overwhelmed.

The following types of packets can reach the control plane:

  • Receive packets: Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and keepalive messages. Multicast packets can also be in this category, where packets are sent to multicast addresses used by a router.
  • Exception packets: Packets that need special handling by the supervisor module. For example, if a destination address is not present in the Forwarding Information Base (FIB) and results in a miss, the supervisor module sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options set.
  • Redirected packets: Packets that are redirected to the supervisor module.
  • Glean packets: If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet and sends an ARP request to the host.

All of these different packets could be maliciously used to attack the control plane and overwhelm the Cisco NX-OS device. CoPP classifies these packets into different classes and provides a mechanism to individually control the rate at which the supervisor module receives each class. For example, you might want to be less strict with a protocol packet such as a Hello message but more strict with a packet that is sent to the supervisor module because the IP option is set. You configure packet classifications and rate-controlling policies using class maps and policy maps.

Table 5-1 summarizes the NX-OS CLI commands related to CoPP verification.

Table 5-1 Summary of NX-OS CLI Commands for CoPP Verification

  • show copp status: Displays the CoPP status, including the last configuration operation and its status
  • show copp profile {strict | moderate | lenient | dense}: Displays the details of the CoPP best practice policy, along with the classes and policer values
  • show policy-map interface control-plane: Displays the policy values with associated class maps and drops per policy or class map
  • show copp diff profile {strict | moderate | lenient | dense} [prior-ver] profile {strict | moderate | lenient | dense}: Displays the difference between two CoPP best practice policies

Example 5-1 shows the CoPP verification on a standalone Nexus 9000 switch.

Example 5-1 CoPP Verification on a Standalone Nexus 9000 Switch

! Reviewing CoPP profile options.
N9K# show copp profile ?
  dense    Display dense profile
  lenient  Display lenient profile
  moderate Display moderate profile
  strict   Display strict profile

! Reviewing CoPP status. In this output N9K is using the strict profile for CoPP.
N9K# show copp status
Last Config Operation: copp profile strict

Last Config Operation Timestamp: 13:12:26 UTC Dec 12 2021
Last Config Operation Status: Success
Policy-map attached to the control-plane: copp-system-p-policy-strict

! Listing the details of the strict CoPP profile.
N9K# show copp profile strict
ip access-list copp-system-p-acl-auto-rp
  permit ip any 224.0.1.39/32
  permit ip any 224.0.1.40/32
ip access-list copp-system-p-acl-bgp
  permit tcp any gt 1023 any eq bgp
  permit tcp any eq bgp any gt 1023
ipv6 access-list copp-system-p-acl-bgp6
  permit tcp any gt 1023 any eq bgp
  permit tcp any eq bgp any gt 1023
ip access-list copp-system-p-acl-dhcp
  permit udp any eq bootpc any
  permit udp any neq bootps any eq bootps
ip access-list copp-system-p-acl-dhcp-relay-response
  permit udp any eq bootps any
  permit udp any any eq bootpc
<output omitted>

! Viewing the statistics that are compiled for the CoPP class-maps.
N9K# show policy-map interface control-plane
Control Plane
  Service-policy input: copp-system-p-policy-strict
    class-map copp-system-p-class-l3uc-data (match-any)
      match exception glean
      set cos 1
      police cir 800 kbps , bc 32000 bytes
      module 1 :
        transmitted 146 bytes;
        5-minute offered rate 0 bytes/sec
        conformed 0 peak-rate bytes/sec
        dropped 0 bytes;
        5-min violate rate 0 byte/sec
        violated 0 peak-rate byte/sec

    class-map copp-system-p-class-critical (match-any)
      match access-group name copp-system-p-acl-bgp
      match access-group name copp-system-p-acl-rip
      match access-group name copp-system-p-acl-vpc
      match access-group name copp-system-p-acl-bgp6
      match access-group name copp-system-p-acl-ospf
      match access-group name copp-system-p-acl-rip6
      match access-group name copp-system-p-acl-eigrp
      match access-group name copp-system-p-acl-ospf6
      match access-group name copp-system-p-acl-eigrp6
      match access-group name copp-system-p-acl-auto-rp
      match access-group name copp-system-p-acl-mac-l3-isis
      set cos 7
      police cir 36000 kbps , bc 1280000 bytes
      module 1 :
        transmitted 100947782 bytes;
        5-minute offered rate 15 bytes/sec
        conformed 51 peak-rate bytes/sec
          at Wed Dec 22 08:22:02 2021
        dropped 0 bytes;
        5-min violate rate 0 byte/sec
        violated 0 peak-rate byte/sec
<output omitted>

! Filtering the CoPP statistics to obtain an aggregate view of conformed and violated
! counters for all the CoPP class-maps.
N9K# show policy-map interface control-plane | include class|conform|violated
    class-map copp-system-p-class-l3uc-data (match-any)
        conformed 0 peak-rate bytes/sec
        violated 0 peak-rate byte/sec
    class-map copp-system-p-class-critical (match-any)
        conformed 51 peak-rate bytes/sec
        violated 0 peak-rate byte/sec
    class-map copp-system-p-class-important (match-any)
        conformed 66 peak-rate bytes/sec
        violated 0 peak-rate byte/sec
    class-map copp-system-p-class-openflow (match-any)
        conformed 0 peak-rate bytes/sec
        violated 0 peak-rate byte/sec
    class-map copp-system-p-class-multicast-router (match-any)
        conformed 19 peak-rate bytes/sec
        violated 0 peak-rate byte/sec
    class-map copp-system-p-class-multicast-host (match-any)
        conformed 0 peak-rate bytes/sec
        violated 0 peak-rate byte/sec
<output omitted>

! Comparing CoPP profiles. In this output we are comparing the dense and strict CoPP
! profiles.
N9K# show copp diff profile dense profile strict
Prior Profile Doesn't Exist.
'+' Line presents only in profile dense (ver: 10.2(1)I9(1))
'-' Line presents only in profile strict (ver: 10.2(1)I9(1))
    -policy-map type control-plane copp-system-p-policy-strict
    -  class copp-system-p-class-l3uc-data
    -    set cos 1
    -    police cir 800 kbps bc 32000 bytes conform transmit violate drop
    -  class copp-system-p-class-critical
    -    set cos 7
    -    police cir 36000 kbps bc 1280000 bytes conform transmit violate drop
    -  class copp-system-p-class-important
    -    set cos 6
    -    police cir 2500 kbps bc 1280000 bytes conform transmit violate drop
    -  class copp-system-p-class-openflow
    -    set cos 5
    -    police cir 1000 kbps bc 32000 bytes conform transmit violate drop
    -  class copp-system-p-class-multicast-router
    -    set cos 6
    -    police cir 2600 kbps bc 128000 bytes conform transmit violate drop
<output omitted>
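As an added example that is not part of the book's text, the following Python parses output in the format of the show policy-map interface control-plane command from Example 5-1, sums the per-class transmitted and dropped byte counters across supervisor-facing modules, and lists the classes whose policer is dropping traffic (drops in the critical class, which carries BGP and OSPF, are what an operator wants to catch early). The sample output and its counter values are constructed for this example.

```python
import re

# Constructed sample modelled on the "show policy-map interface control-plane"
# format in Example 5-1; the counter values are made up for this example.
SAMPLE_OUTPUT = """\
Control Plane
  Service-policy input: copp-system-p-policy-strict
    class-map copp-system-p-class-l3uc-data (match-any)
      module 1 :
        transmitted 146 bytes;
        conformed 0 peak-rate bytes/sec
        dropped 0 bytes;
        violated 0 peak-rate byte/sec
    class-map copp-system-p-class-critical (match-any)
      module 1 :
        transmitted 100947782 bytes;
        conformed 51 peak-rate bytes/sec
        dropped 4096 bytes;
        violated 12 peak-rate byte/sec
      module 2 :
        transmitted 5000 bytes;
        conformed 3 peak-rate bytes/sec
        dropped 512 bytes;
        violated 2 peak-rate byte/sec
"""

CLASS_RE = re.compile(r"^\s*class-map (\S+)")
BYTES_RE = re.compile(r"^\s*(transmitted|dropped) (\d+) bytes;")
VIOLATED_RE = re.compile(r"^\s*violated (\d+) peak-rate")


def parse_copp_counters(text):
    """Return {class: {"transmitted", "dropped", "violated_peak"}} per CoPP class."""
    stats, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = m.group(1)
            stats[current] = {"transmitted": 0, "dropped": 0, "violated_peak": 0}
        elif current and (m := BYTES_RE.match(line)):
            stats[current][m.group(1)] += int(m.group(2))  # summed over modules
        elif current and (m := VIOLATED_RE.match(line)):
            # Peak rates are per module; keep the highest one seen for the class.
            stats[current]["violated_peak"] = max(stats[current]["violated_peak"], int(m.group(1)))
    return stats


def classes_with_drops(stats):
    """Classes whose policer dropped bytes; these are the ones to investigate first."""
    return sorted(name for name, c in stats.items() if c["dropped"] > 0)
```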
