Cisco CoPP Control Plane Policing Configuration

Cisco CoPP, or Control Plane Policing, is a Quality of Service (QoS) policy applied to traffic destined to (or generated by) the router's control plane (CP) CPU. A CoPP policy limits each known class of traffic to a defined rate and protects the CPU from unexpectedly high packet rates, whether caused by a misconfiguration or by a deliberate flood, that could otherwise jeopardize the router's stability. As a result, the CP can continue to maintain routing protocol state and manage packet forwarding even while the device is under traffic overload.

CoPP uses a service policy applied in the input direction of the control plane, so that traffic punted to the CPU is policed at a specified rate. In a well-planned CoPP policy, traffic is first classified by type: management traffic, routing protocols, or traffic from known IP addresses. The policy is then applied to each class to limit the traffic that reaches the control plane CPU to a defined rate.

The QoS police command sorts each packet into one of three colours, and each colour has an action that can be configured to transmit or drop the packet:

  • conform: the packet fits within the committed rate (cir) and committed burst (bc)
  • exceed: the packet does not fit within bc but fits within the excess burst (be)
  • violate: the packet fits within neither burst

A new policy is normally deployed with the violate action set to transmit, so that traffic above the policed rate is still delivered but counted. Observing the CoPP counters over time then shows the real day-to-day rates, and the cir values and actions can be tightened to match them.

What traffic belongs in each class can be learned from the protocol documentation or by analysing the traffic the router actually receives. Cisco Embedded Packet Capture (EPC) is useful for the latter: it captures packets on the device itself and exports them to a PCAP file, from which the required traffic classes can be determined.


Control Plane Policing (CoPP) Configuration

The configuration example uses the topology below. Two routers and one PC are connected to a switch, all in a single network, 192.168.10.0/24, and EIGRP is running between the routers.

[Figure: Cisco CoPP topology]

Router1 has an IP address of 192.168.10.10, Router2 has an IP address of 192.168.10.11, and the PC has an IP address of 192.168.10.100. The basic configuration and routing are already configured on the devices. CoPP will be configured on Router1, and the PC will be used to verify CoPP.

To configure Control Plane Policing (CoPP), first create the access lists that the class maps will match. We will create ACLs for EIGRP, Telnet, and Internet Control Message Protocol (ICMP) traffic.

Router1(config)#ip access-list extended ACL-EIGRP
Router1(config-ext-nacl)#permit eigrp any any
Router1(config)#ip access-list extended ACL-ICMP
Router1(config-ext-nacl)#permit icmp any any
Router1(config)#ip access-list extended ACL-TELNET
Router1(config-ext-nacl)#permit tcp any any eq 23


Next, configure the class maps for CoPP. Each class map uses match access-group to tie the class to its ACL; the default match-all behaviour is fine here because each class has a single match statement.

Router1(config)#class-map CLASS-EIGRP
Router1(config-cmap)#match access-group name ACL-EIGRP
Router1(config)#class-map CLASS-ICMP
Router1(config-cmap)#match access-group name ACL-ICMP
Router1(config)#class-map CLASS-TELNET
Router1(config-cmap)#match access-group name ACL-TELNET


Now, configure the policy map that polices each class. So that CoPP cannot break the network while it is new, the violate action for crucial classes such as EIGRP is set to transmit until a baseline of normal traffic rates has been established; this prevents legitimate routing traffic from being dropped because the rate was underestimated. With all three actions set to transmit, the EIGRP policer only counts, and its counters show whether 64000 bps is a realistic ceiling before the violate action is changed to drop. Classes with naturally low packet rates, such as ICMP and Telnet in this example, have their violate action set to drop from the start.

Router1(config)#policy-map CoPP
Router1(config-pmap)#class CLASS-EIGRP
Router1(config-pmap-c)#police 64000 conform-action transmit exceed-action transmit violate-action transmit
Router1(config-pmap-c)#exit
Router1(config-pmap)#class CLASS-ICMP
Router1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit violate-action drop
Router1(config-pmap-c)#exit
Router1(config-pmap)#class CLASS-TELNET
Router1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit violate-action drop
Router1(config-pmap-c)#exit


Then, to apply the CoPP policy map to the control plane, use the following commands:

Router1(config)#control-plane
Router1(config-cp)#service-policy input CoPP


A service policy on the control plane can be applied in the 'input' direction, which polices traffic arriving at the control plane CPU, or the 'output' direction, which polices traffic the CPU itself generates. The control plane is not an interface: the policy is attached under the control-plane configuration mode shown above rather than on a physical port. In the example, input is used because a flood directed at the router arrives at the control plane as input traffic.

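To show what the conform, exceed and violate colours mean for the rates in this policy map, here is an added Python model of the single-rate, three-colour policer (RFC 2697, colour-blind mode) behind the police command; it is example code written for this page, not Cisco's implementation. It assumes the bc and be values reported by show policy-map on this router (1500 bytes for the 8000 bps classes, 2000 bytes for EIGRP), a constructed 100-byte ping flood at one packet per millisecond, and constructed EIGRP hellos; platform timer granularity differs, so treat the exact counts as illustrative.

```python
"""Single-rate, three-colour policer model for the IOS `police` command.

Added example, not from the original page. Models RFC 2697 srTCM in
colour-blind mode: a Bc bucket (conform) and a Be bucket (exceed), refilled
at CIR; a packet that fits neither bucket is violated. Platform details
(timer granularity, default bc/be) differ, so exact counts are illustrative.
"""
from dataclasses import dataclass, field


@dataclass
class Policer:
    cir_bps: int                 # committed information rate, bits per second
    bc_bytes: int                # committed burst: depth of the conform bucket
    be_bytes: int                # excess burst: depth of the exceed bucket
    actions: dict                # colour -> "transmit" | "drop"
    bc_tokens: float = field(init=False)
    be_tokens: float = field(init=False)
    last_ms: int = 0             # time of the last refill, milliseconds
    counters: dict = field(default_factory=lambda: {
        "conformed": 0, "exceeded": 0, "violated": 0, "transmitted": 0, "dropped": 0})

    def __post_init__(self):
        self.bc_tokens = float(self.bc_bytes)   # both buckets start full
        self.be_tokens = float(self.be_bytes)

    def _refill(self, now_ms: int) -> None:
        # Bytes of credit earned since the last packet: bits/s * s / 8
        earned = (now_ms - self.last_ms) * self.cir_bps / 8000.0
        self.last_ms = now_ms
        room = self.bc_bytes - self.bc_tokens
        if earned <= room:
            self.bc_tokens += earned
        else:                                   # Bc is full; overflow feeds Be
            self.bc_tokens = float(self.bc_bytes)
            self.be_tokens = min(float(self.be_bytes), self.be_tokens + earned - room)

    def police(self, now_ms: int, size_bytes: int) -> str:
        """Colour one packet, apply the configured action and return that action."""
        self._refill(now_ms)
        if self.bc_tokens >= size_bytes:
            self.bc_tokens -= size_bytes
            colour = "conformed"
        elif self.be_tokens >= size_bytes:
            self.be_tokens -= size_bytes
            colour = "exceeded"
        else:
            colour = "violated"
        action = self.actions[colour]
        self.counters[colour] += 1
        self.counters["transmitted" if action == "transmit" else "dropped"] += 1
        return action


def run_stream(policer: Policer, interval_ms: int, size_bytes: int, count: int) -> dict:
    """Offer `count` packets of `size_bytes` every `interval_ms` and return the counters."""
    for i in range(count):
        policer.police(i * interval_ms, size_bytes)
    return dict(policer.counters)


def icmp_class(violate: str) -> Policer:
    # CLASS-ICMP from the page: police 8000 with bc/be 1500 bytes, as shown by
    # `show policy-map control-plane input`; only the violate action varies.
    return Policer(8000, 1500, 1500,
                   {"conformed": "transmit", "exceeded": "transmit", "violated": violate})


def ping_flood(violate: str) -> dict:
    # Constructed attack: 100-byte ICMP echoes every 1 ms, i.e. 800 kbps offered
    # against an 8 kbps CIR, which earns only 1000 bytes of credit per second.
    return run_stream(icmp_class(violate), interval_ms=1, size_bytes=100, count=100)


def eigrp_hellos() -> dict:
    # Constructed baseline: CLASS-EIGRP, police 64000 with bc/be 2000 bytes;
    # an 80-byte hello every 5 s from a neighbour never leaves the Bc bucket.
    p = Policer(64000, 2000, 2000,
                dict.fromkeys(("conformed", "exceeded", "violated"), "transmit"))
    return run_stream(p, interval_ms=5000, size_bytes=80, count=20)


if __name__ == "__main__":
    print("ICMP flood, violate-action drop:    ", ping_flood("drop"))
    print("ICMP flood, violate-action transmit:", ping_flood("transmit"))
    print("EIGRP hellos:                       ", eigrp_hellos())
```

Under these assumptions the flood is coloured 15 conformed, 15 exceeded and 70 violated: the two bursts absorb the first 30 packets, after which the CPU sees only what the 8 kbps credit admits. With violate-action drop the CPU receives 30 of the 100 packets; with violate-action transmit it receives all 100 and the violated counter is the only evidence of the flood, which is exactly why the observation phase described earlier should be short for low-rate classes.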

Verifying Cisco CoPP Configuration

The ‘show policy-map control-plane input’ command verifies the policy map applied to the control plane and shows, per class, how many packets conformed, exceeded and violated and which action each colour received.

Router1#show policy-map control-plane input
Control Plane

  Service-policy input: CoPP

    Class-map: CLASS-ICMP (match-all)
      5 packets, 490 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL-ICMP
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 5 packets, 490 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: CLASS-TELNET (match-all)
      15 packets, 1026 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL-TELNET
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 15 packets, 1026 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: CLASS-EIGRP (match-all)
      25 packets, 2318 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL-EIGRP
      police:
          cir 64000 bps, bc 2000 bytes, be 2000 bytes
        conformed 206 packets, 19360 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        violated 0 packets, 0 bytes; actions:
          transmit
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: class-default (match-any)
      53 packets, 13479 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any


The class-default class catches all traffic that matches none of the defined classes. In a mature policy, little or nothing should land in class-default; the 53 packets counted here show that some traffic is still reaching the CPU without a class of its own. Rather than leaving class-default unpoliced, permitting only a limited amount of traffic in this class and monitoring its counters is a practical way to detect new or unidentified traffic, which can then be given its own class or denied.
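Observing CoPP means reading this output repeatedly, so here is an added Python parser for show policy-map control-plane output that flags dropped packets, permissive overflow (violated but transmitted) and traffic landing in class-default; it is example code written for this page, not a Cisco tool, and parse_copp and copp_findings are names chosen here. The embedded sample reuses the CLASS-ICMP and class-default blocks above and adds a constructed CLASS-TELNET block with violated packets so that the drop finding is exercised.

```python
"""Parse `show policy-map control-plane input` and flag what needs attention.

Added example, not from the original page. Written against the output
format shown above; SAMPLE reuses the page's CLASS-ICMP and class-default
counters and adds a constructed CLASS-TELNET block with violated packets.
"""
import re

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
TOTAL_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes\s*$")
CIR_RE = re.compile(r"^\s*cir (\d+) bps")
COLOUR_RE = re.compile(r"^\s*(conformed|exceeded|violated) (\d+) packets, (\d+) bytes; actions:")
ACTION_RE = re.compile(r"^\s*(transmit|drop)\s*$")

SAMPLE = """\
Control Plane
  Service-policy input: CoPP

    Class-map: CLASS-ICMP (match-all)
      5 packets, 490 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL-ICMP
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 5 packets, 490 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        violated 0 packets, 0 bytes; actions:
          drop

    Class-map: CLASS-TELNET (match-all)
      215 packets, 14726 bytes
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 30 packets, 2046 bytes; actions:
          transmit
        exceeded 15 packets, 1026 bytes; actions:
          transmit
        violated 170 packets, 11654 bytes; actions:
          drop

    Class-map: class-default (match-any)
      53 packets, 13479 bytes
      Match: any
"""


def parse_copp(text: str) -> dict:
    """Return {class name: {match, packets, bytes, cir_bps, colours{...}}}."""
    classes, cur, pending = {}, None, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = classes[m.group(1)] = {"match": m.group(2), "packets": 0, "bytes": 0,
                                         "cir_bps": None, "colours": {}}
            pending = None
            continue
        if cur is None:                      # header lines before the first class
            continue
        if (m := TOTAL_RE.match(line)):
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif (m := CIR_RE.match(line)):
            cur["cir_bps"] = int(m.group(1))
        elif (m := COLOUR_RE.match(line)):   # counter line; its action is on the next line
            pending = m.group(1)
            cur["colours"][pending] = {"packets": int(m.group(2)),
                                       "bytes": int(m.group(3)), "action": None}
        elif pending and (m := ACTION_RE.match(line)):
            cur["colours"][pending]["action"] = m.group(1)
            pending = None
    return classes


def copp_findings(classes: dict) -> list:
    """Human-readable findings: drops, permissive overflow, unclassified traffic."""
    findings = []
    for name, c in classes.items():
        v = c["colours"].get("violated")
        if v and v["packets"]:
            if v["action"] == "drop":
                findings.append(f"{name}: {v['packets']} packets dropped above cir {c['cir_bps']} bps")
            else:
                findings.append(f"{name}: {v['packets']} packets over cir {c['cir_bps']} bps "
                                "but transmitted; raise cir or switch violate-action to drop")
        if name == "class-default" and c["packets"]:
            findings.append(f"class-default: {c['packets']} unclassified packets reached the CPU; "
                            "give them a class of their own")
    return findings


if __name__ == "__main__":
    for f in copp_findings(parse_copp(SAMPLE)):
        print(f)
```

Run against the real device, the text passed to parse_copp would come from the CLI session; the findings for the sample are the 170 dropped Telnet packets and the 53 packets in class-default, while CLASS-ICMP, with zero violated packets, produces nothing.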

