Cisco Support Community

ACL filtering performed on the PFC (testing CoPP)


My question is to do with the ACL filtering that is performed on the PFC, since I'm testing the use of CoPP.

As an example:

- My machine ( is connected to a switchport on a 6509, running a SUP720, PFC3B

- My machine is configured on VLAN50, where the subnet is homed on this 6509.

- An appropriate ACL (in and out) is applied to the SVI for VLAN50.

- There is also an ACL applied to the VTY lines on the router, allowing only SSH connections from certain hosts. Note, for this test case my machine is not permitted to SSH to the router.


- If I try to SSH to my default gateway (, I cannot, so this verifies that the ACLs attached to the VTY lines are working as expected.

However, if I generate a huge amount of UDP traffic (in the order of 5Mbps) from my machine to my gateway, port 22, I notice that the CPU load increases from 5% to about 20-30% within a matter of seconds.

(Note, I'm running this test just as a test case to see how useful Control Plane Policing will be to us)

Noticing this, my question is:

- When a packet enters the PFC to be L3 switched, shouldn't the ACLs (which govern what devices are permitted access to the router on port 22) have first stopped my flood of data to port 22, whether it be UDP or TCP, thus preventing the CPU from reaching 30%?

- I would have expected that the VTY ACLs would have stopped my flood in hardware - am I missing something?
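As an added example (not part of the original post or of the reply below), here is the shape of a CoPP policy on a SUP720/PFC3 that classifies exactly the traffic described in the test above: SSH from a management subnet is permitted at a bounded rate, while any other TCP or UDP traffic to port 22 or 23 (including the UDP/22 flood) is dropped in hardware before it is punted to the route processor. The management subnet 10.0.0.0/24, the ACL, class-map and policy-map names, and the rates are assumptions for illustration, not values from the post. Note that the `access-class` on the VTY lines is evaluated by the SSH/Telnet process on the RP after the packet has already been punted, so it cannot stop the punt itself; that is what CoPP on the PFC is for.

```text
! Added example: hardware CoPP on a Catalyst 6500 SUP720/PFC3.
! The 10.0.0.0/24 management subnet, the names and the rates are assumptions.
!
! Hardware CoPP on the PFC requires MLS QoS to be enabled globally;
! without it the policy is enforced in software on the RP only.
mls qos
!
! SSH from the permitted management subnet to any router address.
ip access-list extended COPP-SSH-PERMITTED
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
!
! Anything else aimed at port 22 or 23, TCP or UDP (catches the UDP/22 flood).
ip access-list extended COPP-SSH-UNDESIRABLE
 permit tcp any any eq 22
 permit udp any any eq 22
 permit tcp any any eq 23
 permit udp any any eq 23
!
class-map match-all COPP-SSH-PERMITTED
 match access-group name COPP-SSH-PERMITTED
class-map match-all COPP-SSH-UNDESIRABLE
 match access-group name COPP-SSH-UNDESIRABLE
!
! Classes are evaluated in order; the permitted class must precede the
! undesirable one, otherwise "permit tcp any any eq 22" swallows it.
policy-map COPP
 ! Legitimate SSH: allowed, but rate-limited rather than unbounded.
 class COPP-SSH-PERMITTED
  police 128000 8000 conform-action transmit exceed-action drop
 ! Undesirable traffic: drop on conform as well as exceed, i.e. drop all of it.
 class COPP-SSH-UNDESIRABLE
  police 32000 1000 conform-action drop exceed-action drop
 ! Everything else that is punted to the RP gets a ceiling too.
 class class-default
  police 1000000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

To check that the policy is doing the work, repeat the UDP flood and watch the conform/exceed counters per class in `show policy-map control-plane input`; the drops for the flood should appear under the COPP-SSH-UNDESIRABLE class and the CPU should stay flat. Keep the `log` keyword out of any ACE used by CoPP, since logged ACEs are processed in software on the RP, which defeats the purpose.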




Re: ACL filtering performed on the PFC (testing CoPP)

Telnet is TCP on port 23. 22/TCP,UDP is used for SSH (Secure Shell) and 23/TCP,UDP is used for Telnet.