A could be correct if the wording is "to the switch" rather than "to a switch"; strict CoPP default settings for Nexus 9k are 3000 pps with a committed burst of 32.
A large image upload is more probable to generate that level of traffic.
15 SSH sessions would mean an average of 200 pps per session, and they simply mention that the sessions remain connected; if there are no inputs in them they have 0 pps, and even a full config push would probably not require 200 packets total.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_010001.html
class copp-system-p-class-management
set cos 2
police cir 3000 pps bc 32 packets conform transmit violate drop
The Nexus switch’s control plane can typically handle a moderate number of SSH sessions (15 sessions would generally be considered moderate) without triggering CoPP (so B is not the correct answer, I think). A is a bigger candidate to be the correct answer.
I've changed my mind... Correct is A: If system images must be uploaded to the switch, use either the out-of-band management port (mgmt0) or use the USB ports for the fastest transfer. ( https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/control-plane-policing/217946-verify-control-plane-policing-violations.html )
Strict CoPP policy is most likely to drop packets during a DDoS attack (option D) as it aims to prevent the switch from becoming overloaded by excessive traffic.
My bet is A: if the transfer is going to the local switch, CoPP may drop.
The most common behaviors or drops associated with this class include:
- Transfer files with FTP, SCP, SFTP, TFTP protocols on the switch. The most common behavior seen is an attempt to transfer system/kickstart boot images by in-band management ports. This can lead to higher transfer times and closed/terminated transmission sessions determined by the aggregate bandwidth for the class.
They also mention SSH traffic but I am not sure 15 sessions can generate that much traffic.
https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/control-plane-policing/217946-verify-control-plane-policing-violations.html
It's A.
Remember CoPP is CONTROL Plane.
There are 3: Data - Control - Mgmt.
Data = User, traffic transiting the switch - going through the switch
Mgmt -- Device Management
Therefore, Control Plane - Image Copied to the Switch. That would be the only logical answer as this impacts the Control Plane, not management and not User Data.
A
What about C? A ping sweep to a subnet connected through the switch might cause a lot of ARP traffic, which are considered redirected packets, which are handled by the supervisor - from the book:
○ Redirected packets: Packets that are redirected to the supervisor module. Features such as Dynamic Host Configuration Protocol (DHCP) snooping or dynamic Address Resolution Protocol (ARP) inspection redirect some packets to the supervisor module.
Tricky one, not sure which is right, but not D for sure. CoPP relates to a CPU DoS to the switch, not to a web page behind the switch. A file transfer (even an NX-OS image) does not affect the control plane (CPU); several SSH sessions to the switch with no CoPP protection can affect the CPU, but 15 sessions looks to be a small amount.
SSH session is also sent to the switch IP address.
Both A and B are the Management Plane traffic which is redirected by Control Plane by inband interface.
What is CoPP system profile?
Control plane policing (CoPP) classifies and then rate-limits traffic being sent to the CPU of a switch. The rate limits are enforced by policing, which will drop traffic that exceeds the defined rate. ... System access via SSH or HTTP & SNMP management traffic are also handled by the system CPU
A ping sweep could also theoretically trigger CoPP drops in case of an SVI and e.g. several HSRP groups in a subnet, depending on the amount of packets sent by the sweeper as ICMP is assigned to the "copp-system-p-class-monitoring", which only allows 75 pps with a burst of 128.
I keep re-reading the question... answer is definitely A.
"excessive traffic to the supervisor module could overload and slow down the performance of the entire Cisco NX-OS device. For example, a DoS attack on the supervisor module could generate IP traffic streams to the control plane at a very high rate, forcing the control plane to spend a large amount of time in handling these packets and preventing the control plane from processing genuine traffic."
15 SSH sessions can hardly be considered "excessive".
Agree about this because strict CoPP protects protocol packets as a safe go and drops other packets passing through the switch, like webserver on DDoS attack.
Because the question is asking which are drops.
D is correct.
Page 834 DCCOR 350-601 Official Cert Guide
When you bring up your Cisco NX-OS device for the first time, the Cisco NX-OS software installs the default copp-system-p-policy-strict policy to protect the supervisor module from DoS attacks.
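
Added illustration (not part of any comment above and not Cisco code): a simplified single-rate token-bucket model of the two policers quoted in the thread, `police cir 3000 pps bc 32 packets` for the management class and 75 pps with a burst of 128 for the monitoring class. The traffic rates (20 pps per SSH session, a 10,000 pps in-band copy, a 254-packet sweep at 1,000 pps) are constructed assumptions, and the NX-OS hardware policer may behave differently.

```python
# Simplified two-colour token-bucket policer (conform transmit / violate drop).
# Integer arithmetic only: time in microseconds, tokens in millionths of a packet.
US_PER_S = 1_000_000
TOKEN = 1_000_000  # cost of one packet, in micro-tokens

def police(arrivals_us, cir_pps, bc_packets):
    """Return (conformed, dropped) for a list of packet arrival times."""
    capacity = bc_packets * TOKEN
    tokens = capacity          # assumption: the bucket starts full
    last = None
    conformed = dropped = 0
    for t in sorted(arrivals_us):
        if last is not None:
            # dt microseconds at cir_pps packets/second adds dt * cir_pps micro-tokens
            tokens = min(capacity, tokens + (t - last) * cir_pps)
        last = t
        if tokens >= TOKEN:
            tokens -= TOKEN
            conformed += 1
        else:
            dropped += 1
    return conformed, dropped

def steady(pps, count):
    """Evenly spaced arrival times for `count` packets (constructed traffic)."""
    return [i * US_PER_S // pps for i in range(count)]

# Policer parameters as quoted in the thread.
MANAGEMENT = {"cir_pps": 3000, "bc_packets": 32}   # copp-system-p-class-management
MONITORING = {"cir_pps": 75, "bc_packets": 128}    # copp-system-p-class-monitoring

def scenarios():
    # 15 SSH sessions, each 20 pps for one second, all sending at the same instants
    ssh = [t for _ in range(15) for t in steady(20, 20)]
    # One in-band image copy towards the switch at 10,000 pps for one second
    image_copy = steady(10_000, 10_000)
    # 254 ICMP echo requests punted to the supervisor at 1,000 pps
    sweep = steady(1_000, 254)
    return {
        "15 ssh sessions": police(ssh, **MANAGEMENT),
        "in-band image copy": police(image_copy, **MANAGEMENT),
        "icmp sweep": police(sweep, **MONITORING),
    }

if __name__ == "__main__":
    for name, (ok, drop) in scenarios().items():
        print(f"{name:20s} conformed={ok:5d} dropped={drop:5d}")
```

On a live switch the per-class conformed and violated counters can be compared against a model like this with `show policy-map interface control-plane`.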
Community vote distribution: A (35%), C (25%), B (20%), Other