When a strict CoPP policy is implemented, which statement describes an event during which packets are dropped?
When a strict CoPP policy is implemented, it aims to protect the control plane, particularly the CPU of the switch, from excessive traffic that could overload it. A large system image being copied to a switch using the default VRF would generate significant traffic directed towards the control plane, especially since such transfers involve protocols that are managed by the control plane, and can exceed the set packet-per-second limits. This scenario makes it the most probable reason for dropping packets to protect the switch's performance.
A could be correct if the wording is "to the switch" rather than "to a switch". Strict CoPP default settings for Nexus 9k are 3000 pps with a committed burst of 32. A large image upload is more likely to generate that level of traffic. 15 SSH sessions would mean an average of 200 pps per session, and they simply mention that the sessions remain connected; if there is no input in them they have 0 pps, and even a full config push would probably not require 200 packets total. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_010001.html
class copp-system-p-class-management
  set cos 2
  police cir 3000 pps bc 32 packets conform transmit violate drop
This might be B. CoPP handles traffic TO the device, not THROUGH it. B is the only one that meets that criterion.
I keep re-reading the question... the answer is definitely A. "Excessive traffic to the supervisor module could overload and slow down the performance of the entire Cisco NX-OS device. For example, a DoS attack on the supervisor module could generate IP traffic streams to the control plane at a very high rate, forcing the control plane to spend a large amount of time in handling these packets and preventing the control plane from processing genuine traffic." 15 SSH sessions can hardly be considered "excessive".
Agree with this, because strict CoPP protects protocol packets as safe to go and drops other packets passing through the switch, like a web server under a DDoS attack, because the question is asking which are dropped.
My bet is A. If the transfer is going to the local switch, CoPP may drop. "The most common behaviors or drops associated with this class include: transfer files with FTP, SCP, SFTP, TFTP protocols on the switch. The most common behavior seen is an attempt to transfer system/kickstart boot images by in-band management ports. This can lead to higher transfer times and closed/terminated transmission sessions determined by the aggregate bandwidth for the class." They also mention SSH traffic, but I am not sure 15 sessions can generate that much traffic. https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/control-plane-policing/217946-verify-control-plane-policing-violations.html
Correct answer is large system image is copied to a switch by using the default VRF.
What is the CoPP system profile? Control plane policing (CoPP) classifies and then rate-limits traffic being sent to the CPU of a switch. The rate limits are enforced by policing, which will drop traffic that exceeds the defined rate. ... System access via SSH or HTTP and SNMP management traffic is also handled by the system CPU.
D is correct. Page 834, DCCOR 350-601 Official Cert Guide: "When you bring up your Cisco NX-OS device for the first time, the Cisco NX-OS software installs the default copp-system-p-policy-strict policy to protect the supervisor module from DoS attacks."
It is not correct. It says web server behind the switch. CoPP protects the switch, not the web server connected to it.
It talks about the default VRF, which relates exactly to the control plane. So the answer is A.
Control plane is the only impact I see, therefore A.
A strict CoPP policy is most likely to drop packets during a DDoS attack (option D), as it aims to prevent the switch from becoming overloaded by excessive traffic.
It's A. Remember CoPP is Control Plane. There are 3: Data, Control, Mgmt. Data = user traffic transiting the switch (going through the switch). Mgmt = device management. Therefore, Control Plane = image copied to the switch. That would be the only logical answer, as this impacts the control plane, not management and not user data. A
I will go with B.
What about C? A ping sweep to a subnet connected through the switch might cause a lot of ARP traffic, which is considered redirected packets, which are handled by the supervisor. From the book: "Redirected packets: Packets that are redirected to the supervisor module. Features such as Dynamic Host Configuration Protocol (DHCP) snooping or dynamic Address Resolution Protocol (ARP) inspection redirect some packets to the supervisor module."
The book is talking about ARP inspection, the feature, not regular ARP.
Tricky one, not sure which is right, but not D for sure. CoPP relates to a CPU DoS on the switch, not on a web page behind the switch. A file transfer (even an NX-OS image) does not affect the control plane (CPU); several SSH sessions to the switch with no CoPP protection can affect the CPU, but 15 sessions look to be a small amount.
I think the right one is A, if the image is sent to the switch IP address.
An SSH session is also sent to the switch IP address. Both A and B are management plane traffic, which is redirected by the control plane via the inband interface.
A ping sweep could also theoretically trigger CoPP drops in the case of an SVI and, e.g., several HSRP groups in a subnet, depending on the number of packets sent by the sweeper, as ICMP is assigned to the "copp-system-p-class-monitoring", which only allows 75 pps with a burst of 128.
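The two sets of CoPP numbers quoted in this thread (cir 3000 pps with bc 32 packets for the management class, 75 pps with a burst of 128 for the monitoring class) can be run through a small token-bucket policer model to see which of the discussed traffic patterns would actually be dropped. This is an added example, not code from the thread or from Cisco; it assumes a single-rate token bucket (bc tokens, refilled at cir per second) and uses constructed traffic rates (10000 pps for the image transfer, one keepalive per second per SSH session, a 254-packet sweep in 100 ms) that are illustrative, not measured.

```python
from fractions import Fraction
class Policer:
    """Single-rate token-bucket policer: conform -> transmit, violate -> drop.
    Assumed model (not from the thread): bc tokens, refilled at cir per second."""
    def __init__(self, cir_pps, bc_packets):
        self.cir = Fraction(cir_pps)
        self.bc = Fraction(bc_packets)
        self.tokens = self.bc          # bucket starts full
        self.last_t = Fraction(0)
        self.conformed = 0
        self.violated = 0
    def offer(self, t):
        """Offer one packet arriving at time t (seconds); True means transmitted."""
        self.tokens = min(self.bc, self.tokens + (t - self.last_t) * self.cir)
        self.last_t = t
        if self.tokens >= 1:
            self.tokens -= 1
            self.conformed += 1
            return True
        self.violated += 1
        return False

def police(cir_pps, bc_packets, arrivals):
    """Run one CoPP class over arrival times; return (transmitted, dropped)."""
    p = Policer(cir_pps, bc_packets)
    for t in sorted(arrivals):
        p.offer(t)
    return p.conformed, p.violated

def burst(packets, seconds):
    """Constructed traffic: `packets` packets evenly spaced over `seconds`."""
    return [Fraction(i, packets) * Fraction(seconds) for i in range(packets)]

MGMT = (3000, 32)       # copp-system-p-class-management: cir 3000 pps, bc 32 (quoted above)
MONITORING = (75, 128)  # copp-system-p-class-monitoring: 75 pps, burst 128 (quoted above)

def scenarios():
    """Three constructed traffic patterns from the thread, policed per class."""
    return {
        # in-band image transfer hitting the supervisor at 10000 pps for 1 s
        "image copy to switch": police(*MGMT, burst(10000, 1)),
        # 15 connected SSH sessions, each sending one keepalive per second
        "15 idle SSH sessions": police(*MGMT, burst(15, 1)),
        # 254 ICMP echo requests the supervisor must answer, all within 100 ms
        "fast ping sweep": police(*MONITORING, burst(254, Fraction(1, 10))),
    }

if __name__ == "__main__":
    for name, (sent, dropped) in scenarios().items():
        print(f"{name:22s} transmitted={sent:5d} dropped={dropped:5d}")
```

Only the first 32 packets of the image transfer pass on burst credit; after that the management class lets through 3 of every 10 packets, while the 15 idle sessions never come near the limit.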