Control Plane Policing (CoPP) - Complete Guide for CCNP ENCOR

Control Plane Policing (CoPP) - Complete Guide for CCNP ENCOR

Why Control Plane Policing is Important

Control Plane Policing (CoPP) is critical in modern networks because the control plane is the brain of your network devices. Without CoPP protection, malicious actors or even legitimate traffic floods can overwhelm the control plane, rendering your network infrastructure unresponsive. This can lead to:

• Network outages - When routers and switches cannot process routing updates or management traffic
• Security breaches - Attackers can exploit the control plane to gain unauthorized access
• Loss of connectivity - BGP sessions drop, OSPF adjacencies fail, and the network becomes fragmented
• Operational chaos - Network administrators lose the ability to manage and monitor devices

In the CCNP ENCOR exam, CoPP demonstrates your understanding of network security fundamentals and your ability to protect critical infrastructure.

What is Control Plane Policing (CoPP)?

Control Plane Policing (CoPP) is a QoS mechanism that protects the control plane of network devices (routers and switches) by rate-limiting traffic destined to the device itself. It acts as a gatekeeper, allowing only legitimate traffic to reach the control plane while dropping or deferring suspicious or excessive traffic.

Key Distinction: CoPP differs from regular QoS because:

• Regular QoS - Manages traffic flowing through the device (data plane)
• CoPP - Manages traffic destined to the device (control plane)

The control plane processes include:

• Routing protocol traffic (BGP, OSPF, EIGRP)
• SSH/Telnet management access
• SNMP monitoring
• DNS queries
• NTP synchronization
• ICMP (ping, traceroute)
• ARP requests

How Control Plane Policing Works

The Three-Step Process

Step 1: Classification
CoPP uses access control lists (ACLs) to identify traffic destined to the control plane. Traffic is classified into different categories based on:

• Protocol type (BGP, OSPF, SSH, etc.)
• Source IP address
• Destination IP address
• Port numbers
• DSCP/IP precedence values

Step 2: Rate Limiting
Once classified, traffic is subjected to policing rules that enforce rates using token bucket algorithms. Each class can have:

• Committed Information Rate (CIR) - The guaranteed rate for normal traffic
• Burst size - The maximum number of bytes allowed in a single burst
• Action - What to do when rate is exceeded (drop, set priority)

Step 3: Action Enforcement
Exceeding traffic can be:

• Dropped - Packet is discarded
• Marked - DSCP value is changed and forwarded
• Transmitted - Allowed through despite exceeding rate

Configuration Architecture

CoPP is typically configured in three components:

1. Access Control List (ACL)
Define which traffic to police:

2. Class Map
Group traffic classifications:

3. Policy Map
Apply policing actions:

4. Service Policy
Apply the policy to the control plane:

Token Bucket Algorithm

CoPP uses a token bucket to implement rate limiting:

• Tokens accumulate at the CIR rate (e.g., 128 kbps)
• Each packet requires tokens equal to its size
• If sufficient tokens exist, packet is transmitted (conform)
• If insufficient tokens, packet is marked as exceed
• Burst size determines maximum tokens that can accumulate

Best Practices for CoPP Configuration

• Protect critical protocols first - BGP, OSPF should have highest priority
• Allow legitimate management traffic - SSH, SNMP, NTP need adequate rates
• Permit ICMP selectively - Useful for troubleshooting but can be abused
• Monitor regularly - Use show policy-map control-plane to verify effectiveness
• Test before deployment - CoPP can block legitimate traffic if misconfigured
• Use hierarchical policies - Different rates for different traffic types
• Consider traffic growth - Set rates above normal but below maximum capacity

Common CoPP Configuration Example

Monitoring CoPP

Key Commands:

These commands show:

• Packets matched and dropped per class
• Byte counts
• Drop statistics revealing attacks or misconfigurations

Exam Tips: Answering Questions on Control Plane Policing (CoPP)

Question Type 1: Identifying the Purpose of CoPP

What to look for:

• Questions asking what CoPP protects - Answer: the control plane of the device
• Distinguish from data plane QoS - CoPP is specifically for traffic destined to the device
• Recognize attack scenarios - DDoS, flooding, reconnaissance

Exam tip: If the question mentions protecting the router/switch itself from being overwhelmed, it's definitely CoPP.

Question Type 2: Configuration and Syntax

What to look for:

• Correct order: ACL → Class Map → Policy Map → Service Policy
• Service policy location: Must be applied under control-plane, not globally
• Direction: Always use input direction for control plane protection
• Police command syntax: police [rate] [burst] [conform-action] [exceed-action]

Common mistake to avoid: Applying CoPP under interface - it must be under control-plane.

Question Type 3: Rate and Burst Values

What to look for:

• Understanding the numbers: 128000 = 128 kbps (kilobits per second)
• Burst size: Typically 1500-2000 bytes for most protocols
• Proportional allocation: Critical protocols get higher rates than best-effort traffic
• Realistic rates: BGP might get 256 kbps, ICMP might get 64 kbps

Exam tip: Calculate rates based on protocol requirements. Routing protocols need guaranteed bandwidth, but ICMP (ping) can be rate-limited aggressively.

Question Type 4: Troubleshooting Scenarios

What to look for:

• Scenario: BGP sessions dropping - CoPP rate for BGP traffic too low; increase police rate
• Scenario: SSH access denied - Management traffic class may be missing or rate too low
• Scenario: Ping requests failing - ICMP rate-limited; either increase rate or verify policy
• Scenario: SNMP monitoring not working - UDP port 161 not included in ACL or policy

Exam tip: If traffic is being dropped, check show policy-map control-plane output for drop counters to confirm CoPP is the issue.

Question Type 5: Comparing Traffic Classes

What to look for:

• Class hierarchy: Critical > Important > Default
• Priority levels: Routing protocols > Management > Monitoring > Best-effort
• Default class: Catches everything else not explicitly defined; should have lowest rate

Exam tip: Remember that all traffic not matching specific classes falls into the class-default, which is why it should have the lowest rate limit.

Question Type 6: Actions and Outcomes

What to look for:

• conform-action transmit - Packet allowed through
• exceed-action drop - Packet discarded (typical)
• exceed-action set-dscp-transmit - Packet marked and forwarded (less common for CoPP)

Exam tip: Most CoPP scenarios use drop for exceeding traffic, not marking. Marking is more common in regular QoS policies.

Question Type 7: Implementation and Best Practices

What to look for:

• Whitelist approach: CoPP uses inclusive classification (define what to protect, rest get default treatment)
• Testing before production: Always test CoPP to avoid blocking legitimate traffic
• Documentation: Clear comments explaining why each class exists
• Monitoring baseline: Establish normal traffic patterns before enabling CoPP

Exam tip: If asked about deployment strategy, mention monitoring baseline traffic first, then implementing CoPP with conservative rates initially, then adjusting based on real data.

Key Facts to Memorize

• CoPP applies to traffic destined to the device, not through it
• Configuration location: control-plane context, not interface context
• Direction: Always input
• Three-component configuration: ACL → Class Map → Policy Map
• Applied via: service-policy input [policy-name]
• Monitoring command: show policy-map control-plane
• Primary benefit: Prevents control plane denial of service
• Rate units: Measured in bits per second

Common Exam Question Patterns

Pattern 1: "Which of the following is protected by CoPP?"
Answer: The control plane functions like routing, management, ARP

Pattern 2: "Where should the service-policy command be applied?"
Answer: Under the control-plane context

Pattern 3: "If BGP is dropping packets, what might be wrong?"
Answer: CoPP rate for BGP traffic is too low; the police command rate needs to be increased

Pattern 4: "Which action is most appropriate for exceeding traffic?"
Answer: Drop (exceed-action drop) to prevent DoS attacks

Pattern 5: "What is the first configuration step?"
Answer: Create an ACL to identify the traffic to be policed

Strategy for Success on CoPP Questions

1. Identify the purpose: Ask yourself: "Is this about protecting the device or traffic through it?" - If protecting the device, it's CoPP.

2. Follow the configuration path: Always think in order: ACL → Class Map → Policy Map → Service Policy in control-plane.

3. Check location and direction: Service policy must be in control-plane context with input direction.

4. Understand rate relationships: Critical traffic > Normal traffic > Default traffic in terms of allocated bandwidth.

5. Recognize attack mitigation: CoPP is your answer for protecting against control plane DoS attacks.

6. Review monitoring commands: Always know how to verify CoPP is working: show policy-map control-plane

Practice Question Example

Question: Your organization's BGP routers are experiencing intermittent session drops after a DDoS attack that flooded the network. Management wants to implement a solution that protects the routing process from being overwhelmed by traffic. Which technology should you implement?

A) QoS policy on all interfaces
B) Control Plane Policing on the routers
C) Rate limiting on BGP peer connections
D) Access lists on all interfaces

Answer: B) Control Plane Policing on the routers

Explanation: BGP is a control plane process. The BGP process itself is being overwhelmed. QoS on interfaces protects data plane traffic. Rate limiting on BGP connections is done at a different level. Only CoPP directly protects the control plane process from being overwhelmed.

Final Summary

Control Plane Policing (CoPP) is a essential security feature for network infrastructure protection. It shields critical routing and management processes from being overwhelmed by legitimate traffic floods or malicious attacks. For the CCNP ENCOR exam, you must understand:

• What it protects: The control plane
• How it works: Classification, policing, and action enforcement
• Configuration structure: ACL → Class Map → Policy Map → Service Policy
• Where it applies: Control plane context with input direction
• How to monitor: show policy-map control-plane

Master these concepts, and you'll be well-prepared to answer any CoPP question on the CCNP ENCOR exam.