CoPP (Control Plane Policing)

5.2 Configure and verify infrastructure security features

📘CCNP ENCOR (350-401-ENCOR-v1.1)


What is CoPP?

Control Plane Policing (CoPP) is a security feature used on routers and switches to protect the control plane of a device from excessive or malicious traffic.

The control plane is responsible for:

  • Routing protocols (OSPF, EIGRP, BGP)
  • Management traffic (SSH, SNMP, Telnet)
  • ICMP messages
  • Protocols needed for the device to work correctly

If too much traffic reaches the control plane, the device can become slow, unresponsive, or crash.

👉 CoPP protects the device itself, not user traffic.


Why CoPP is Important (Exam Focus)

Without CoPP:

  • The CPU can be overwhelmed
  • Routing adjacencies can drop
  • Management access can fail
  • Network instability can occur

With CoPP:

  • Only allowed and limited traffic reaches the control plane
  • Unwanted or excessive traffic is dropped or rate-limited
  • The device remains stable and responsive

📌 Key exam idea:
CoPP protects the router or switch CPU by controlling traffic sent to the control plane.


Planes in a Network Device

Understanding planes is very important for the exam.

| Plane            | Purpose                            |
|------------------|------------------------------------|
| Data Plane       | Forwards user traffic              |
| Control Plane    | Runs routing and control protocols |
| Management Plane | Used for device administration     |

👉 CoPP works on the Control Plane


What Traffic Reaches the Control Plane?

Examples of control plane traffic:

  • Routing protocols (OSPF, BGP, EIGRP)
  • ICMP (ping, traceroute responses)
  • SSH, Telnet
  • SNMP
  • NTP
  • DHCP relay

These packets must be carefully controlled, not blocked completely.


What CoPP Does

CoPP:

  • Identifies traffic sent to the control plane
  • Classifies it using class-maps
  • Applies policies using policy-maps
  • Rate-limits or drops traffic if needed

📌 CoPP does NOT encrypt traffic and does NOT filter data-plane traffic.


How CoPP Works (High-Level Flow)

  1. Traffic is sent to the device
  2. Traffic destined for the control plane is identified
  3. CoPP policy checks the traffic
  4. Traffic is:
    • Allowed
    • Rate-limited
    • Dropped

CoPP Components (Must Know for Exam)

1. Class-Map

  • Identifies control plane traffic
  • Uses ACLs or protocol matching

Example:

  • Match OSPF traffic
  • Match SSH traffic
  • Match ICMP traffic

2. Policy-Map

  • Defines what to do with matched traffic
  • Uses:
    • police (rate-limit)
    • drop
    • transmit

3. Service-Policy

  • Applies the policy to the control plane

Control Plane Types

CoPP can be applied to different control plane categories:

| Type              | Description                         |
|-------------------|-------------------------------------|
| Control Plane     | Traffic for routing and protocols   |
| Management Plane  | SSH, SNMP, NTP                      |
| Exception Traffic | Packets punted to CPU due to errors |

📌 Exam Tip:
Some platforms separate control and management traffic.


Basic CoPP Configuration (Conceptual)

You do NOT need to memorize full configs, but you must understand the logic.

Step 1: Create an ACL

access-list 101 permit ospf any any

Step 2: Create a Class-Map

class-map match-any OSPF-TRAFFIC
 match access-group 101

Step 3: Create a Policy-Map

policy-map COPP-POLICY
 class OSPF-TRAFFIC
  police 64000

Step 4: Apply to Control Plane

control-plane
 service-policy input COPP-POLICY

📌 Key Point:
The policy is applied to the control plane, not to an interface.


Policing in CoPP

What is Policing?

Policing:

  • Limits the rate of traffic
  • Drops traffic exceeding the limit
  • Protects CPU resources

Example:

  • Allow only a certain number of ICMP packets per second

CoPP vs Interface ACLs (Exam Comparison)

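| Feature               | CoPP          | Interface ACL |
|-----------------------|---------------|---------------|
| Protects CPU          | Yes           | No            |
| Applied to            | Control Plane | Interface     |
| Affects user traffic  | No            | Yes           |
| Prevents CPU overload | Yes           | No            |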

📌 Exam Tip:
Use CoPP for device protection, not traffic filtering.


CoPP vs CPPr (Control Plane Protection)

| Feature            | CoPP | CPPr            |
|--------------------|------|-----------------|
| Older              | Yes  | No              |
| Simpler            | Yes  | More granular   |
| Used in ENCOR exam | Yes  | Basic awareness |

📌 ENCOR focuses more on CoPP than CPPr.


Common CoPP Use Cases (IT Environment)

  • Protect routing protocols from floods
  • Prevent excessive ICMP from consuming CPU
  • Limit the rate of SSH traffic (for example, repeated login attempts)
  • Protect SNMP polling
  • Ensure device stability during attacks

Verification Commands (Exam Important)

Verify Policy

show policy-map control-plane

Verify Class Statistics

show policy-map control-plane input

Check CPU Usage

show processes cpu

📌 Exam Tip:
Always check that a policy-map is attached under control-plane.


Best Practices (Exam Awareness)

  • Always allow required protocols
  • Use policing, not blanket drops
  • Monitor counters regularly
  • Do not over-restrict routing protocols
  • Test before deployment

Common Exam Mistakes

❌ Thinking CoPP filters user traffic
❌ Applying CoPP to interfaces
❌ Blocking routing protocols
❌ Confusing CoPP with firewall features


Key Exam Summary (Must Remember)

  • CoPP protects the control plane
  • Prevents CPU exhaustion
  • Uses class-maps, policy-maps, service-policy
  • Applied under control-plane
  • Rate-limits or drops traffic
  • Does NOT affect data plane traffic

One-Line Exam Definition

Control Plane Policing (CoPP) is a Cisco security feature that protects the control plane of a network device by controlling and limiting traffic sent to the CPU.

