Skip to content
Adam Spera

Control Plane Policing (CoPP)

Control Plane Policing (CoPP) is a security mechanism used to protect the CPU of a network device by filtering or rate-limiting traffic that is destined to the control plane. This includes routing updates, management traffic, and protocols like BGP, OSPF, SSH, etc.

Implementation Flow

Section titled “Implementation Flow”
  1. Create an ACL to match traffic
  2. Reference it in a class-map
  3. Define behavior in a policy-map
  4. Apply the policy to the control-plane

Example: Drop ICMP to Control Plane

Section titled “Example: Drop ICMP to Control Plane”
ip access-list extended ICMP
 permit icmp any any


class-map match-all ICMP
 match access-group name ICMP


policy-map COPP_POLICY
 class ICMP
  drop


control-plane
 service-policy input COPP_POLICY

This will drop all ICMP traffic destined to the control plane, protecting the CPU.

Example: Rate Limit ICMP

Section titled “Example: Rate Limit ICMP”
policy-map COPP_POLICY
 class ICMP
  police 8000
   conform-action transmit
   exceed-action drop
  • Limits ICMP to 8000 bps.
  • Conforming packets are forwarded, excessive packets are dropped.

Verification

Section titled “Verification”
show policy-map control-plane
  • View counters and hits on CoPP classes.
  • Helps confirm traffic is being policed or dropped.

Notes

Section titled “Notes”
  • Control plane policing only affects traffic to the device, not through it.
  • Not all match types are supported under class-map for CoPP.