A data center network uses Cisco Nexus 9000 switches running NX-OS. The operations team notices that the CPU utilization on the supervisor module spikes intermittently, causing BGP session flaps. Analysis shows that the CPU spikes coincide with traceroute probes from external networks, which generate ICMP TTL exceeded messages that are process-switched. The engineer must implement a solution to protect the control plane without affecting normal ICMP functionality. The goal is to rate-limit ICMP traffic to a maximum of 1000 packets per second with a burst of 200 bytes, while allowing other control plane traffic without restriction. Which configuration should be applied?
Correct syntax: a type control-plane class-map and policy-map, with the police rate in pps and the burst in bytes.
Why this answer
Option D is correct because it uses a Control Plane Policing (CoPP) policy with a class-map that matches ICMP protocol traffic in the control plane, then applies a police rate of 1000 pps with a 200-byte burst. This configuration rate-limits the process-switched ICMP TTL-exceeded messages, protecting the supervisor CPU from spikes while letting all other control plane traffic pass unrestricted. The 'service-policy type control-plane' command applies the policy to the control plane, which is the proper method for NX-OS CoPP.
Exam trap
Cisco often tests the distinction between applying a policy-map with 'service-policy input' (interface QoS) and 'service-policy type control-plane' (CoPP), as well as the exact police syntax, including the 'byte' keyword for the burst size.
How to eliminate wrong answers
Option A is wrong because 'hardware rate-limiter' is a legacy feature on some Cisco platforms that limits traffic in hardware; it does not offer the granularity to match the ICMP protocol specifically, may affect all ICMP or other traffic, and is not the recommended CoPP approach for NX-OS.
Option B is wrong for three reasons. The police command syntax is incorrect: it uses 'police rate 1000 pps burst 200' without the 'byte' keyword. The class-map uses 'match access-group name', which matches on an ACL rather than on the protocol directly and can miss ICMP TTL-exceeded messages the ACL does not capture. Finally, the policy-map is applied with 'service-policy input' instead of 'service-policy type control-plane', which is the correct NX-OS syntax for CoPP.
Option C is wrong because a QoS policy on the management interface only affects traffic entering through that interface, not control plane traffic arriving on the data interfaces; it would not protect the supervisor from ICMP TTL-exceeded messages that reach the switch from external networks through data ports.
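As an added example (not part of the original question), the elimination reasoning above and the requirements in the "Why this answer" section can be turned into a small config audit. The two candidate configurations are constructed to mirror options B and D as the text describes them; the exact CLI lines are assumptions, since the option text itself is not reproduced here.

```python
import re

# Constructed candidate configurations. The keywords follow the syntax the
# explanation describes (assumed option text, not captured from a device).
CANDIDATES = {
    "B": """\
class-map type control-plane match-any COPP-ICMP
  match access-group name ICMP-ACL
policy-map type control-plane COPP-POLICY
  class COPP-ICMP
    police rate 1000 pps burst 200
control-plane
  service-policy input COPP-POLICY
""",
    "D": """\
class-map type control-plane match-any COPP-ICMP
  match protocol icmp
policy-map type control-plane COPP-POLICY
  class COPP-ICMP
    police rate 1000 pps burst 200 byte
control-plane
  service-policy type control-plane COPP-POLICY
""",
}

# Rate in pps, burst value, and an optional 'byte' unit keyword.
POLICE_RE = re.compile(r"police\s+rate\s+(\d+)\s+pps\s+burst\s+(\d+)(\s+byte)?\b")


def audit(config: str) -> list:
    """Findings for one config; an empty list means every stated requirement holds."""
    findings = []
    if "class-map type control-plane" not in config:
        findings.append("class-map is not type control-plane")
    if "match protocol icmp" not in config:
        findings.append("class-map does not match the ICMP protocol directly")
    m = POLICE_RE.search(config)
    if m is None:
        findings.append("no police line with a pps rate")
    elif m.group(3) is None:
        findings.append("burst lacks the 'byte' keyword")
    elif (int(m.group(1)), int(m.group(2))) != (1000, 200):
        findings.append("police values are not 1000 pps / 200 bytes")
    if "service-policy type control-plane" not in config:
        findings.append("not attached with 'service-policy type control-plane'")
    if re.search(r"^interface\s+mgmt", config, re.M):
        findings.append("applied on the management interface only")
    return findings


if __name__ == "__main__":
    for label, cfg in CANDIDATES.items():
        print(label, audit(cfg) or ["meets all requirements"])
```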