Troubleshoot control plane policing (CoPP) (Telnet, SSH, HTTP(S), SNMP, EIGRP, OSPF, BGP)

📘CCNP Enterprise – ENARSI (300-410)

Control Plane Policing (CoPP) is a security and traffic management feature on Cisco routers and switches. It allows you to protect the control plane of a device by controlling how traffic is handled before it reaches the CPU.

The control plane is the part of a router or switch that makes routing decisions, maintains routing tables, and handles management protocols like Telnet, SSH, SNMP, HTTP(S), EIGRP, OSPF, BGP, etc.

Why CoPP is Important

Without CoPP, the CPU can be overwhelmed if too much traffic arrives for processing. Examples include:

  • DoS attacks targeting SSH or Telnet: CPU spikes, router becomes unresponsive.
  • Routing protocol floods (OSPF, EIGRP, BGP): Can delay convergence and affect the network.
  • SNMP or HTTP(S) monitoring overload: Management tools might slow down.

CoPP ensures critical control plane traffic is protected while limiting non-essential traffic.

How CoPP Works

  1. Traffic classification – CoPP identifies which traffic goes to the control plane.
    • Examples: Telnet, SSH, HTTP, HTTPS, SNMP, EIGRP, OSPF, BGP, ICMP.
  2. Policy creation – You define policies with ACLs or class maps to classify the traffic.
  3. Action assignment – Decide what happens to the traffic:
    • Police: Rate-limit traffic so CPU is not overwhelmed.
    • Drop: Ignore unwanted traffic.
    • Transmit: Allow essential traffic without limitation.
  4. Application to control plane – Policies are applied using control-plane access control lists (C-P ACLs) and service policies.

CoPP Configuration Steps

Let’s break it down step by step using IT traffic examples:

1. Create an ACL to identify traffic

You can match management or routing traffic.

Example: Limit Telnet, SSH, and SNMP traffic to the CPU:

ip access-list extended CONTROL-PLANE-ACL
 permit tcp any any eq 22        ! SSH
 permit tcp any any eq 23        ! Telnet
 permit udp any any eq 161       ! SNMP
 permit icmp any any              ! ICMP (Ping for troubleshooting)

2. Create a class map to classify traffic

Class maps group traffic for policies:

class-map match-any CONTROL-PLANE-CLASS
 match access-group name CONTROL-PLANE-ACL

3. Define a policy map

Policy maps define what to do with the traffic:

policy-map CONTROL-PLANE-POLICY
 class CONTROL-PLANE-CLASS
  police 1000000               ! Limit to 1 Mbps
  set precedence 5             ! Optional: mark priority

Here, Telnet, SSH, SNMP, and ICMP traffic will be rate-limited to 1 Mbps to protect the CPU.

4. Apply the policy to the control plane

Finally, apply the policy:

control-plane
 service-policy input CONTROL-PLANE-POLICY

This ensures all classified traffic is processed according to the policy before reaching the CPU.

Troubleshooting CoPP

When troubleshooting, you should focus on:

1. Verifying the policy

show policy-map control-plane
  • Check if traffic matches the right class.
  • Check if rate-limiting or policing is applied.

2. Verifying counters

show policy-map control-plane | include drop
  • See if any traffic is being dropped.
  • High drops might indicate too strict policing.

3. Check CPU utilization

show processes cpu
  • If CPU is high despite CoPP, policies may need adjustment.
  • Ensure critical traffic isn’t being limited.

4. Verify protocol reachability

  • Telnet/SSH access to the device.
  • Ping and traceroute for ICMP.
  • Check routing protocol adjacency (EIGRP, OSPF, BGP).

Important Exam Tips

  • CoPP is applied only to traffic destined to the router/switch CPU.
  • Policing vs Shaping: CoPP uses policing, not shaping. Excess traffic is dropped, not queued.
  • Traffic types often tested:
    • Management: Telnet, SSH, HTTP, HTTPS, SNMP
    • Routing protocols: OSPF, EIGRP, BGP
    • ICMP (troubleshooting)
  • Default CoPP: Cisco devices have a default CoPP policy for basic protection. Exam may ask how to verify or modify it.

Summary Table

StepCommand / ConceptPurpose
1ACL / class mapIdentify traffic (Telnet, SSH, SNMP, routing protocols)
2Class mapGroup traffic for policy
3Policy mapDefine policing actions (rate-limit, drop, prioritize)
4Apply to CPProtect CPU from overload
5TroubleshootVerify policy, counters, CPU utilization, protocol reachability

Key Takeaways for Exam:

  • CoPP protects the control plane by policing traffic to the CPU.
  • Always classify traffic before policing.
  • Common traffic: Telnet, SSH, HTTP(S), SNMP, ICMP, EIGRP, OSPF, BGP.
  • Verify with show policy-map control-plane and show processes cpu.
  • Critical traffic must not be dropped; non-essential traffic can be rate-limited.
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by