Sure, it is a QoS feature for traffic to the cpu, with a bonus of DOS protection.
You set it up with access-lists, class-maps and policy-maps, then bind it to the control plane with a service-policy.
The way I did it was to set it up without dropping any traffic that exceeds or violates the policy but transmit all so I wouldn't drop any traffic accidentally. You still get hits in the access-lists so that you can see where the traffic is originating from. The service policy is not needed to get hits in the access-lists, but it would give you a bonus of finding out how much traffic you have for routing, arp and so on. Make sure to add an entry for permit ip any any at the end of the access-list.
You can capture non ip traffic by matching the class-map to a protocol instead of an access-list.
Check the configuraqtion guide for your version of the IOS.
Then check the hits in the access-lists and the traffic rates with show access-list and show policy-map control-plane input.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...