Skip to content
Study CCNP

5.2.b CoPP

3 min read ENCOR 350-401 v1.2

Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.

On this page

CoPP stands for Control Plane Policing. It protects the route processor from traffic that must be processed by the device CPU. Without CoPP, a flood of punted traffic can make a router or switch unstable even when the forwarding hardware is fine.

What reaches the control plane?

Examples include:

  • Routing protocol packets.
  • STP/BPDU and other control protocols on switches.
  • ARP and ICMP destined to the device.
  • SSH, SNMP, NETCONF, RESTCONF, and other management traffic.
  • TTL-expired packets and some exception traffic.

CoPP does not replace interface ACLs. It is a last line of defense for the device itself.

The simple model

yes
data plane forwards
no / destined to device / exception
punt to CPU

Basic CoPP example

Platform syntax and defaults vary. This sample shows the pattern.

Do not paste a generic CoPP policy into an unknown production platform. Start by observing the platform's default control-plane policy and counters. Then add or tune classes deliberately. CoPP is one of the few "security" features that can break routing, management, monitoring, and troubleshooting all at once when applied carelessly.

ip access-list extended COPP-MGMT
 permit tcp 10.10.10.0 0.0.0.255 any eq 22
 permit udp 10.10.10.0 0.0.0.255 any eq 161
 permit tcp 10.10.10.0 0.0.0.255 any eq 830

ip access-list extended COPP-ROUTING
 permit ospf any any
 permit eigrp any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any

class-map match-any COPP-MGMT
 match access-group name COPP-MGMT

class-map match-any COPP-ROUTING
 match access-group name COPP-ROUTING

policy-map COPP-POLICY
 class COPP-ROUTING
  police 128000 conform-action transmit exceed-action drop
 class COPP-MGMT
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 16000 conform-action transmit exceed-action drop

control-plane
 service-policy input COPP-POLICY

Reading the config correctly

The ACL under a class map is for classification. It does not mean the traffic is globally permitted. The policy action decides what happens after the class is matched.

Also notice the destination direction in CoPP ACLs. These packets are being classified because they are destined to the device or punted to the control plane. A CoPP ACL that looks like a normal transit ACL can silently miss the traffic you meant to police.

Verification

show policy-map control-plane
show running-config | section control-plane
show class-map
show policy-map COPP-POLICY

Read the class counters before changing rates. If a failing protocol is hitting class-default, the fix is probably classification. If it is hitting the intended class and dropping, the fix may be policing rate, burst, or legitimate traffic volume. Those are different failures.

On many IOS XE platforms, more detailed platform counters are available, but the exact command differs by hardware family.

Troubleshooting approach

If CoPP breaks something, do not remove the whole policy first. Think in classes:

  1. Which protocol is failing?
  2. Is the traffic destined to the device or passing through it?
  3. Which class should match it?
  4. Are counters increasing in the expected class?
  5. Is the rate too low?
  6. Is the traffic falling into class-default?

Lab

Goal: Build a safe starter CoPP policy and observe counters.

Tasks:

  1. Identify the management subnet.
  2. Build a management class for SSH and SNMP from the management subnet.
  3. Build a routing class for your lab routing protocol.
  4. Build a low-rate default class.
  5. Apply the policy to the control plane.
  6. Generate SSH, ping, and routing protocol traffic.
  7. Verify counters.
  8. Increase test traffic and observe drops in a lab only.

Success criteria:

  • Routing stays stable.
  • SSH from the management subnet works.
  • Unexpected traffic hits a lower-priority/default class.
  • show policy-map control-plane shows useful counters.

Exam traps

  • CoPP protects the control plane, not all traffic passing through the box.
  • A CoPP ACL used for classification is not the same as an interface security ACL.
  • Overly aggressive CoPP can break routing, management, or troubleshooting.
  • Most enterprise devices ship with some form of default control-plane protection. Know how to verify it before replacing it.