Control Plane Policing (CoPP)
Control Plane Policing (CoPP) is a security mechanism in Cisco networking devices that protects the control plane from being overwhelmed by excessive traffic. The control plane handles critical routing protocols like BGP, OSPF, and management traffic like SSH and SNMP, which are essential for network device operation. CoPP works by rate-limiting and filtering traffic destined to the router's CPU, preventing denial-of-service (DoS) attacks and resource exhaustion. Without CoPP, malicious actors could flood the control plane with traffic, causing the device to become unresponsive and disrupting network operations.
Implementation involves creating access control lists (ACLs) to classify traffic types, then applying quality of service (QoS) policies using class-based weighted fair queuing (CBWFQ). These policies define rate limits for different traffic classes. For example, you might allow unrestricted OSPF traffic while rate-limiting ICMP or limiting new BGP connections. CoPP configuration typically follows a hierarchical approach: first, identify critical control plane traffic that must be protected; second, classify traffic using ACLs and class-maps; third, apply police actions within policy-maps; and finally, apply the policy-map to the control plane using the control-plane command.
Best practices include protecting essential routing protocols at high rates while strictly limiting or dropping suspicious traffic. Management access via SSH should be rate-limited and restricted to known IP addresses. Logging should be enabled to detect potential attacks.
CoPP is fundamental in CCNP Enterprise Security as it prevents attackers from disrupting network infrastructure through control plane attacks. Modern implementations may include more granular policies separating traffic by severity levels. Understanding CoPP is crucial for designing resilient, secure enterprise networks that maintain operational continuity even under attack conditions.
Control Plane Policing (CoPP) - Complete Guide for CCNP ENCOR
Why Control Plane Policing is Important
Control Plane Policing (CoPP) is critical in modern networks because the control plane is the brain of your network devices. Without CoPP protection, malicious actors or even legitimate traffic floods can overwhelm the control plane, rendering your network infrastructure unresponsive. This can lead to:
- Network outages - When routers and switches cannot process routing updates or management traffic
- Security breaches - Attackers can exploit the control plane to gain unauthorized access
- Loss of connectivity - BGP sessions drop, OSPF adjacencies fail, and the network becomes fragmented
- Operational chaos - Network administrators lose the ability to manage and monitor devices
In the CCNP ENCOR exam, CoPP demonstrates your understanding of network security fundamentals and your ability to protect critical infrastructure.
What is Control Plane Policing (CoPP)?
Control Plane Policing (CoPP) is a QoS mechanism that protects the control plane of network devices (routers and switches) by rate-limiting traffic destined to the device itself. It acts as a gatekeeper, allowing only legitimate traffic to reach the control plane while dropping or deferring suspicious or excessive traffic.
Key Distinction: CoPP differs from regular QoS because:
- Regular QoS - Manages traffic flowing through the device (data plane)
- CoPP - Manages traffic destined to the device (control plane)
The control plane processes include:
- Routing protocol traffic (BGP, OSPF, EIGRP)
- SSH/Telnet management access
- SNMP monitoring
- DNS queries
- NTP synchronization
- ICMP (ping, traceroute)
- ARP requests
How Control Plane Policing Works
The Three-Step Process
Step 1: Classification
CoPP uses access control lists (ACLs) to identify traffic destined to the control plane. Traffic is classified into different categories based on:
- Protocol type (BGP, OSPF, SSH, etc.)
- Source IP address
- Destination IP address
- Port numbers
- DSCP/IP precedence values
Step 2: Rate Limiting
Once classified, traffic is subjected to policing rules that enforce rates using token bucket algorithms. Each class can have:
- Committed Information Rate (CIR) - The guaranteed rate for normal traffic
- Burst size - The maximum number of bytes allowed in a single burst
- Action - What to do when rate is exceeded (drop, set priority)
Step 3: Action Enforcement
Exceeding traffic can be:
- Dropped - Packet is discarded
- Marked - DSCP value is changed and forwarded
- Transmitted - Allowed through despite exceeding rate
Configuration Architecture
CoPP is typically configured in three components, and a service policy then attaches them to the control plane:
1. Access Control List (ACL)
Define which traffic to police:
access-list 101 permit tcp any any eq 22
access-list 101 permit icmp any any
2. Class Map
Group traffic classifications:
class-map CRITICAL-PROTOCOLS
 match access-group 101
3. Policy Map
Apply policing actions:
policy-map COPP-POLICY
 class CRITICAL-PROTOCOLS
  police 128000 1500 conform-action transmit exceed-action drop
4. Service Policy
Apply the policy to the control plane:
control-plane
 service-policy input COPP-POLICY
Token Bucket Algorithm
CoPP uses a token bucket to implement rate limiting:
- Tokens accumulate at the CIR rate (e.g., 128 kbps)
- Each packet requires tokens equal to its size
- If sufficient tokens exist, packet is transmitted (conform)
- If insufficient tokens, packet is marked as exceed
- Burst size determines maximum tokens that can accumulate
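The token bucket steps above, as an added Python simulation (not Cisco's implementation and not code from the original guide), run with the guide's `police 128000 1500` values against constructed steady and flood traffic. The `Policer` class, the `run` helper, the full-bucket starting state and the integer-millisecond clock are assumptions of this sketch.

```python
class Policer:
    """Single-rate token bucket, modelling `police <rate> <burst> ... exceed-action drop`."""

    def __init__(self, cir_bps, burst_bytes):
        self.cir_bps = cir_bps            # committed information rate, bits per second
        self.burst = burst_bytes          # bucket depth in bytes
        self.tokens = float(burst_bytes)  # assumption: the bucket starts full
        self.last_ms = 0

    def offer(self, now_ms, size):
        """Classify one packet of `size` bytes arriving at `now_ms` milliseconds."""
        # Refill at the CIR (bits/s -> bytes/ms), capped at the burst size.
        refill = (now_ms - self.last_ms) * self.cir_bps / 8000
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"                   # dropped; no tokens are consumed


def run(policer, packets):
    """Feed (time_ms, size_bytes) pairs through the policer and count the outcomes."""
    counts = {"conform": 0, "exceed": 0}
    for now_ms, size in packets:
        counts[policer.offer(now_ms, size)] += 1
    return counts


# Constructed traffic: one second of 100-byte packets punted to the CPU.
STEADY = [(t, 100) for t in range(0, 1000, 10)]   # 100 pps = 80 kbps, under the CIR
FLOOD = [(t, 100) for t in range(1000)]           # 1000 pps = 800 kbps, over the CIR

if __name__ == "__main__":
    print("steady:", run(Policer(128000, 1500), STEADY))
    print("flood: ", run(Policer(128000, 1500), FLOOD))
```

Under the flood the first 17 packets drain the initial burst, after which only about 16 bytes per millisecond are admitted, which is the CIR.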
Best Practices for CoPP Configuration
- Protect critical protocols first - BGP, OSPF should have highest priority
- Allow legitimate management traffic - SSH, SNMP, NTP need adequate rates
- Permit ICMP selectively - Useful for troubleshooting but can be abused
- Monitor regularly - Use show policy-map control-plane to verify effectiveness
- Test before deployment - CoPP can block legitimate traffic if misconfigured
- Use hierarchical policies - Different rates for different traffic types
- Consider traffic growth - Set rates above normal but below maximum capacity
Common CoPP Configuration Example
Create ACLs:
! ACL 101 puts BGP (TCP 179) and SSH (TCP 22) in the same class
access-list 101 permit tcp any any eq 179
access-list 101 permit tcp any any eq 22
access-list 102 permit icmp any any
! ACL 103 (DNS) is not referenced by any class map below, so DNS is policed by class-default
access-list 103 permit udp any any eq 53
Create class maps:
class-map ROUTING
 match access-group 101
class-map MANAGEMENT
 match access-group 102
Create policy map:
policy-map COPP
 class ROUTING
  police 256000 2000 conform-action transmit exceed-action drop
 class MANAGEMENT
  police 128000 1500 conform-action transmit exceed-action drop
 class class-default
  police 64000 1000 conform-action transmit exceed-action drop
Apply to control plane:
control-plane
 service-policy input COPP
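An added Python check (not Cisco tooling and not part of the original guide) that walks the ACL → class map → policy map → control-plane chain of the example above and reports broken links, including a service policy attached anywhere other than under control-plane. The `lint_copp` function is hypothetical; it assumes the input is only the CoPP portion of a configuration, indented the way `show running-config` prints it.

```python
# The guide's "Common CoPP Configuration Example", indented as show running-config prints it.
CONFIG = """\
access-list 101 permit tcp any any eq 179
access-list 101 permit tcp any any eq 22
access-list 102 permit icmp any any
access-list 103 permit udp any any eq 53
class-map ROUTING
 match access-group 101
class-map MANAGEMENT
 match access-group 102
policy-map COPP
 class ROUTING
  police 256000 2000 conform-action transmit exceed-action drop
 class MANAGEMENT
  police 128000 1500 conform-action transmit exceed-action drop
 class class-default
  police 64000 1000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
"""

def lint_copp(config):
    """Cross-check the ACL -> class-map -> policy-map -> control-plane chain."""
    acls, matched, class_maps, policed = set(), set(), set(), set()
    attached, section, findings = None, "", []
    for raw in filter(str.strip, config.splitlines()):   # skip blank lines
        words = raw.split()
        if not raw[0].isspace():
            section = words[0]            # an unindented command opens a new section
        if words[0] == "access-list":
            acls.add(words[1])
        elif words[0] == "class-map":
            class_maps.add(words[-1])
        elif words[:2] == ["match", "access-group"]:
            matched.add(words[2])
        elif words[0] == "class" and words[1] != "class-default":
            policed.add(words[1])
        elif words[0] == "service-policy":
            if section == "control-plane" and words[1] == "input":
                attached = words[-1]
            else:
                findings.append(f"service-policy {words[1]} is under '{section}'")
    findings += [f"ACL {a} is not matched by any class-map" for a in sorted(acls - matched)]
    findings += [f"class {c} has no class-map" for c in sorted(policed - class_maps)]
    if attached is None:
        findings.append("no 'service-policy input' under control-plane")
    return findings
```

Run on the example as written, it reports that ACL 103 is never matched, so DNS traffic to the device is policed by class-default rather than by a class of its own.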
Monitoring CoPP
Key Commands:
show policy-map control-plane input
show control-plane status
show access-lists
These commands show:
- Packets matched and dropped per class
- Byte counts
- Drop statistics revealing attacks or misconfigurations
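An added Python example (not from the original guide) that reads per-class conformed and exceeded packet counters out of `show policy-map control-plane` output and lists the classes whose exceed ratio passes a threshold. The sample output is constructed and trimmed, the 1% default threshold is an assumption, and `parse_copp` and `flag_classes` are hypothetical names.

```python
import re

# Constructed, trimmed sample shaped like IOS `show policy-map control-plane` output;
# the counters are invented and the exact layout varies by platform and release.
SAMPLE = """\
  Service-policy input: COPP
    Class-map: ROUTING (match-all)
      Match: access-group 101
      police:
          cir 256000 bps, bc 2000 bytes
        conformed 5210 packets, 416800 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 3000 bps, exceeded 0000 bps
    Class-map: MANAGEMENT (match-all)
        conformed 900 packets, 88200 bytes; actions:
        exceeded 100 packets, 9800 bytes; actions:
    Class-map: class-default (match-any)
        conformed 2000 packets, 128000 bytes; actions:
        exceeded 6000 packets, 384000 bytes; actions:
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
COUNT_RE = re.compile(r"^\s*(conformed|exceeded)\s+(\d+)\s+packets,")


def parse_copp(text):
    """Return {class_name: {'conformed': packets, 'exceeded': packets}}."""
    stats, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = stats.setdefault(m.group(1), {"conformed": 0, "exceeded": 0})
        elif current is not None and (m := COUNT_RE.match(line)):
            current[m.group(1)] = int(m.group(2))   # the bps rate line does not match
    return stats


def flag_classes(stats, max_exceed_ratio=0.01):
    """List (class, exceeded_packets, exceed_ratio) where drops pass the threshold."""
    findings = []
    for name, c in stats.items():
        total = c["conformed"] + c["exceeded"]
        ratio = c["exceeded"] / total if total else 0.0
        if ratio > max_exceed_ratio:
            findings.append((name, c["exceeded"], round(ratio, 3)))
    return findings
```

A high ratio in class-default points to unclassified traffic hitting the CPU, while exceeded packets in a routing class point to a police rate that is too low for legitimate traffic.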
Exam Tips: Answering Questions on Control Plane Policing (CoPP)
Question Type 1: Identifying the Purpose of CoPP
What to look for:
- Questions asking what CoPP protects - Answer: the control plane of the device
- Distinguish from data plane QoS - CoPP is specifically for traffic destined to the device
- Recognize attack scenarios - DDoS, flooding, reconnaissance
Exam tip: If the question mentions protecting the router/switch itself from being overwhelmed, it's definitely CoPP.
Question Type 2: Configuration and Syntax
What to look for:
- Correct order: ACL → Class Map → Policy Map → Service Policy
- Service policy location: Must be applied under control-plane, not globally
- Direction: Always use input direction for control plane protection
- Police command syntax: police [rate] [burst] [conform-action] [exceed-action]
Common mistake to avoid: Applying CoPP under interface - it must be under control-plane.
Question Type 3: Rate and Burst Values
What to look for:
- Understanding the numbers: 128000 = 128 kbps (kilobits per second)
- Burst size: Typically 1500-2000 bytes for most protocols
- Proportional allocation: Critical protocols get higher rates than best-effort traffic
- Realistic rates: BGP might get 256 kbps, ICMP might get 64 kbps
Exam tip: Calculate rates based on protocol requirements. Routing protocols need guaranteed bandwidth, but ICMP (ping) can be rate-limited aggressively.
Question Type 4: Troubleshooting Scenarios
What to look for:
- Scenario: BGP sessions dropping - CoPP rate for BGP traffic too low; increase police rate
- Scenario: SSH access denied - Management traffic class may be missing or rate too low
- Scenario: Ping requests failing - ICMP rate-limited; either increase rate or verify policy
- Scenario: SNMP monitoring not working - UDP port 161 not included in ACL or policy
Exam tip: If traffic is being dropped, check show policy-map control-plane output for drop counters to confirm CoPP is the issue.
Question Type 5: Comparing Traffic Classes
What to look for:
- Class hierarchy: Critical > Important > Default
- Priority levels: Routing protocols > Management > Monitoring > Best-effort
- Default class: Catches everything else not explicitly defined; should have lowest rate
Exam tip: Remember that all traffic not matching specific classes falls into the class-default, which is why it should have the lowest rate limit.
Question Type 6: Actions and Outcomes
What to look for:
- conform-action transmit - Packet allowed through
- exceed-action drop - Packet discarded (typical)
- exceed-action set-dscp-transmit - Packet marked and forwarded (less common for CoPP)
Exam tip: Most CoPP scenarios use drop for exceeding traffic, not marking. Marking is more common in regular QoS policies.
Question Type 7: Implementation and Best Practices
What to look for:
- Whitelist approach: CoPP uses inclusive classification (define what to protect, rest get default treatment)
- Testing before production: Always test CoPP to avoid blocking legitimate traffic
- Documentation: Clear comments explaining why each class exists
- Monitoring baseline: Establish normal traffic patterns before enabling CoPP
Exam tip: If asked about deployment strategy, mention monitoring baseline traffic first, then implementing CoPP with conservative rates initially, then adjusting based on real data.
Key Facts to Memorize
- CoPP applies to traffic destined to the device, not through it
- Configuration location: control-plane context, not interface context
- Direction: Always input
- Three-component configuration: ACL → Class Map → Policy Map
- Applied via: service-policy input [policy-name]
- Monitoring command: show policy-map control-plane
- Primary benefit: Prevents control plane denial of service
- Rate units: Measured in bits per second
Common Exam Question Patterns
Pattern 1: "Which of the following is protected by CoPP?"
Answer: The control plane functions like routing, management, ARP
Pattern 2: "Where should the service-policy command be applied?"
Answer: Under the control-plane context
Pattern 3: "If BGP is dropping packets, what might be wrong?"
Answer: CoPP rate for BGP traffic is too low; the police command rate needs to be increased
Pattern 4: "Which action is most appropriate for exceeding traffic?"
Answer: Drop (exceed-action drop) to prevent DoS attacks
Pattern 5: "What is the first configuration step?"
Answer: Create an ACL to identify the traffic to be policed
Strategy for Success on CoPP Questions
1. Identify the purpose: Ask yourself: "Is this about protecting the device or traffic through it?" - If protecting the device, it's CoPP.
2. Follow the configuration path: Always think in order: ACL → Class Map → Policy Map → Service Policy in control-plane.
3. Check location and direction: Service policy must be in control-plane context with input direction.
4. Understand rate relationships: Critical traffic > Normal traffic > Default traffic in terms of allocated bandwidth.
5. Recognize attack mitigation: CoPP is your answer for protecting against control plane DoS attacks.
6. Review monitoring commands: Always know how to verify CoPP is working: show policy-map control-plane
Practice Question Example
Question: Your organization's BGP routers are experiencing intermittent session drops after a DDoS attack that flooded the network. Management wants to implement a solution that protects the routing process from being overwhelmed by traffic. Which technology should you implement?
A) QoS policy on all interfaces
B) Control Plane Policing on the routers
C) Rate limiting on BGP peer connections
D) Access lists on all interfaces
Answer: B) Control Plane Policing on the routers
Explanation: BGP is a control plane process. The BGP process itself is being overwhelmed. QoS on interfaces protects data plane traffic. Rate limiting on BGP connections is done at a different level. Only CoPP directly protects the control plane process from being overwhelmed.
Final Summary
Control Plane Policing (CoPP) is an essential security feature for network infrastructure protection. It shields critical routing and management processes from being overwhelmed by legitimate traffic floods or malicious attacks. For the CCNP ENCOR exam, you must understand:
- What it protects: The control plane
- How it works: Classification, policing, and action enforcement
- Configuration structure: ACL → Class Map → Policy Map → Service Policy
- Where it applies: Control plane context with input direction
- How to monitor: show policy-map control-plane
Master these concepts, and you'll be well-prepared to answer any CoPP question on the CCNP ENCOR exam.