Control Plane Policing (CoPP) is a security mechanism used to protect the **CPU** of a network device by filtering or rate-limiting traffic that is destined **to** the control plane. This includes routing updates, management traffic, and protocols such as BGP, OSPF, and SSH.

## Implementation Flow

1. Create an **ACL** to match traffic
2. Reference it in a **class-map**
3. Define behavior in a **policy-map**
4. Apply the policy to the **control-plane**

## Example: Drop ICMP to Control Plane

```plaintext
! 1. ACL: match all ICMP
ip access-list extended ICMP
 permit icmp any any
! 2. Class-map: reference the ACL
class-map ICMP
 match access-group name ICMP
! 3. Policy-map: drop traffic in the class
policy-map COPP_POLICY
 class ICMP
  drop
! 4. Apply the policy inbound on the control plane
control-plane
 service-policy input COPP_POLICY
```

This will **drop all ICMP traffic** destined to the control plane, protecting the CPU.

## Example: Rate Limit ICMP

```plaintext
! 1. ACL: match all ICMP
ip access-list extended ICMP
 permit icmp any any
! 2. Class-map: reference the ACL
class-map ICMP
 match access-group name ICMP
! 3. Policy-map: police the class to 8000 bps
policy-map COPP_POLICY
 class ICMP
  police 8000 conform-action transmit exceed-action drop
! 4. Apply the policy inbound on the control plane
control-plane
 service-policy input COPP_POLICY
```

- Limits ICMP to **8000 bps**.
- Conforming packets are **forwarded**; excess packets are **dropped**.

## Verification

```plaintext
show policy-map interface control-plane
```

- View counters and hits on CoPP classes.
- Helps confirm traffic is being policed or dropped.

## Notes

- **Control plane policing** only affects **traffic to the device**, not through it.
- Not all match types are supported under `class-map` for CoPP.
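
To see what `police 8000 conform-action transmit exceed-action drop` does to ICMP aimed at the device, the following added example (not part of the original page and not vendor code) models the policer as a single-rate token bucket. The 1500-byte burst size, the 100-byte packet size and the two traffic rates are assumptions made for the illustration; the page specifies only the 8000 bps rate.

```python
"""Single-rate, two-colour token-bucket policer (added illustration).

Models `police 8000 conform-action transmit exceed-action drop`.
Assumption: burst (Bc) of 1500 bytes; the page gives no burst value.
"""
from fractions import Fraction


class Policer:
    def __init__(self, cir_bps: int, burst_bytes: int = 1500):
        self.cir_bps = cir_bps               # committed rate, bits per second
        self.burst_bytes = burst_bytes       # assumed bucket depth, bytes
        self.tokens = Fraction(burst_bytes)  # bucket starts full
        self.last = Fraction(0)
        self.conformed = 0
        self.exceeded = 0

    def offer(self, t: Fraction, size: int) -> bool:
        """Offer a `size`-byte packet at time `t` (seconds); True = transmit."""
        # Refill at CIR/8 bytes per second, capped at the bucket depth.
        # Fractions keep the tokens == size boundary exact.
        refill = (t - self.last) * self.cir_bps / 8
        self.tokens = min(Fraction(self.burst_bytes), self.tokens + refill)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size              # conform-action transmit
            self.conformed += 1
            return True
        self.exceeded += 1                   # exceed-action drop, no tokens used
        return False


def simulate(pps: int, size: int, seconds: int, cir_bps: int = 8000):
    """Constructed traffic: `pps` packets/s of `size` bytes for `seconds` s."""
    policer = Policer(cir_bps)
    for i in range(pps * seconds):
        policer.offer(Fraction(i, pps), size)
    return policer.conformed, policer.exceeded


if __name__ == "__main__":
    # Constructed inputs: a 100 pps ICMP burst vs. 5 pps monitoring pings.
    for label, pps in (("burst, 100 pps", 100), ("monitoring, 5 pps", 5)):
        ok, dropped = simulate(pps=pps, size=100, seconds=10)
        print(f"{label}: conformed={ok} exceeded={dropped}")
```

Under these assumptions, once the initial burst is spent only ten 100-byte packets per second conform, while low-rate monitoring pings pass untouched.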