CoPP — Control Plane Policing
Why routers need CoPP, how it rate-limits traffic destined to the CPU (routing protocols, SNMP, SSH, ARP), and the classify/police policy shape CCNP ENCOR tests.
- **Control-plane traffic** = anything the router itself processes (SSH, SNMP, OSPF, BGP, ARP, ICMP-to-me). If someone floods that plane, the router CPU spikes and legitimate protocols fail.
- CoPP is a **QoS policy applied to the control plane**. Classify traffic → police each class → drop or shape excess. Same policy-map syntax as data-plane QoS.
- Design shape: **CRITICAL** (routing protocols) never drops, **NORMAL** (SSH, SNMP) rate-limits, **UNDESIRABLE** (unknown proto, spoofed) drops hard. Everything else = catch-all.
The one-sentence mental model
CoPP is a firewall for the router’s own CPU. Data-plane traffic (transit) goes through the ASIC and doesn’t touch the CPU. Control-plane traffic (destined to the router or generated by it) does. A packet flood at the control plane will kill routing protocols, drop SSH sessions, and crash the box — even while transit forwarding still works.
What lives on the control plane
Every one of these hits the CPU:
- Routing protocol packets — OSPF hellos, BGP KEEPALIVEs, EIGRP hellos, IS-IS PDUs.
- First-hop redundancy — HSRP / VRRP / GLBP hellos.
- Management — SSH, Telnet (please no), SNMP, syslog reply, RADIUS.
- Discovery — CDP, LLDP.
- Address resolution — ARP requests + replies to the router’s IP.
- Punt — packets the ASIC couldn’t handle (unknown next-hop, IP option, TTL=1).
- Unicast to me — ICMP to my IP, TCP SYN to a listening port.
Any of these being flooded = CPU pegs = router unresponsive.
The classify → police pattern
CoPP uses the standard MQC (Modular QoS CLI) constructs but binds the policy to the control plane instead of an interface.
Step 1 — ACLs to identify traffic
ip access-list extended COPP-ROUTING
permit ospf any any
permit tcp any any eq bgp
permit tcp any eq bgp any
permit eigrp any any
ip access-list extended COPP-MGMT
permit tcp any any eq 22
permit udp any any eq snmp
permit udp any any eq syslog
ip access-list extended COPP-UNDESIRABLE
permit icmp any any redirect
permit ip any host 224.0.0.9 # RIP (if not run)
Step 2 — Class-maps
class-map match-any COPP-CRITICAL
match access-group name COPP-ROUTING
class-map match-any COPP-NORMAL
match access-group name COPP-MGMT
class-map match-any COPP-UNDESIRABLE
match access-group name COPP-UNDESIRABLE
Step 3 — Policy-map with police statements
policy-map COPP-POLICY
class COPP-CRITICAL
police cir 4000000 conform-action transmit exceed-action transmit
class COPP-NORMAL
police cir 1000000 conform-action transmit exceed-action drop
class COPP-UNDESIRABLE
police cir 32000 conform-action drop exceed-action drop
class class-default
police cir 500000 conform-action transmit exceed-action drop
Numbers are examples — sized to protect the CPU, not to shape a real service. Small cir values are typical.
Step 4 — Apply to the control plane
control-plane
service-policy input COPP-POLICY
Sizing the rates
Rule of thumb: budget each class based on legitimate steady-state × 3-5× to absorb transient bursts.
- Routing critical: even a busy BGP box rarely exceeds a few Mbps of control traffic.
police cir 10000000(10 Mb) is generous. - Management: SSH + SNMP polls. A few hundred Kbps.
- Undesirable: drop hard, no headroom.
- Class-default: catch everything else. Give it enough headroom that legitimate discovery works, but low enough that a flood can’t hurt.
Tune with show policy-map control-plane input — look at the “packets dropped” counter per class. If CRITICAL is dropping, you sized too low. If UNDESIRABLE is nonzero, you have suspicious traffic.
Verification
show policy-map control-plane input
show policy-map control-plane input class COPP-NORMAL
show platform hardware qfp active feature qos control-plane # ASR/9K
Look for conformed counters growing (normal traffic) and exceeded counters growing (attack traffic being policed).
Common exam / real-world mistakes
- Missing a class → default catches everything. If your default policer is too tight, legitimate ARP breaks. If too loose, an attacker can flood via the default class. Size it deliberately.
- Applying to an interface instead of the control plane. CoPP MUST be
service-policy input POLICYundercontrol-plane, not under a physical interface. - Forgetting broadcast / multicast to me. ARP requests are broadcast; router responds. Need a class covering ARP explicitly on some platforms, or “match protocol arp”.
- CoPP vs CPPr (Control Plane Protection). CPPr is the newer, subinterface version — separates host / transit / cef-exception into sub-planes. Some Cisco docs use CPPr and the same MQC constructs.
- Not testing. Configure conservative rates, deploy in monitor mode (all
transmitactions), watch counters for a week, then tighten. Skipping this locks you out during a flood.
Cheat strip
Job protect router CPU from control-plane floods
Applies to control-plane (not an interface)
Syntax MQC — class-map → policy-map → service-policy
Class idea CRITICAL routing protocols never drop
NORMAL mgmt (SSH, SNMP, syslog) rate-limit
UNDESIRABLE unknown/spoofed drop hard
class-default catch-all small allow, exceed drop
Size legit × 3–5. Start loose. Watch counters. Tighten.
Verify show policy-map control-plane input
Newer CPPr adds host / transit / cef-exception sub-planes
MACsec (IEEE 802.1AE) — Layer-2 Wire-Speed Encryption
How MACsec encrypts every Ethernet frame between two neighbors at line rate. AES-GCM, MKA key agreement, MACsec vs IPsec, and the CCNP ENCOR config on a Cat 9K.
EEM — Embedded Event Manager Applets and Scripts
How EEM lets a Cisco router react to on-box events automatically: syslog triggers, SNMP thresholds, timers, interface state — all handled with tiny applets or Tcl scripts. The CCNP ENCOR automation you can enable without any external tool.
Want this drilled into reflex?
1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNP® exam blueprint. Free first session. No card on file until you decide.
Related topics
Access Control Lists (ACLs)
Definitive CCNA-level ACL guide — first-match-wins, implicit deny, wildcard masks, standard vs extended vs named, direction (in vs out), the established keyword, time-based ACLs, named-ACL editing, 9 worked scenarios, and the ACL debug workflow.
IP ConnectivityBGP Basics
Definitive CCNP-level BGP guide — autonomous systems, eBGP vs iBGP, path-vector routing, neighbor states, full best-path selection process, attributes deep dive (AS_PATH, LOCAL_PREF, MED, communities), route reflectors, RPKI, 8 worked scenarios, and the BGP debug workflow.
IP ConnectivityOSPF Single-Area
Definitive CCNA-level OSPF guide — link-state mental model, seven neighbor states, LSA types, DR/BDR election, cost tuning, authentication, route summarization, common debug patterns, and 8 worked scenarios.
Get the free CCNA 12-week roadmap
You're already reading up on CoPP — Control Plane Policing. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where CoPP — Control Plane Policing fits. A written personal reply, not an autoresponder. Expect it within one business day.
Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.