
What Is Control Plane Policing in Networking?

Also known as: Control Plane Policing, CoPP Cisco, control plane policing enarsi, control plane policing encor, Cisco CoPP configuration

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

Control Plane Policing, or CoPP, is a way to protect a network device like a router or switch. It limits how much traffic the device's brain, called the control plane, has to process. This stops attackers from flooding the device with too many requests and crashing it. Think of it as a bouncer at a club who only lets a certain number of people inside at once.

Must Know for Exams

Control Plane Policing appears in the CCNP Enterprise exams, particularly in the ENCOR (350-401) and ENSLD (300-420) exams, as well as in the CCNP Security track. In ENCOR, it is covered under the topic of network assurance and security, specifically in the section on securing network devices. Candidates must understand the concept of control plane, data plane, and management plane, and how CoPP protects the control plane.

Exam questions often present a scenario where a router is experiencing high CPU usage due to an ICMP flood or SSH brute force attack, and the correct answer involves configuring CoPP to rate-limit that traffic. The exam may ask about the three steps of CoPP configuration: creating an ACL, a class map, and a policy map. It may also test knowledge of the different modes such as receive, aggregate, and hardware, and which is appropriate for a given platform.

The exam may include a multiple-choice question about the command to apply a policy map to the control plane. CoPP is also relevant in the ENARSI (300-410) exam where advanced routing concepts and troubleshooting include scenarios where CoPP may be misconfigured, causing routing protocol adjacencies to fail. Candidates are expected to recognize symptoms of CoPP dropping routing hello packets.

In all cases, the exam emphasizes that CoPP should be configured carefully to avoid blocking critical traffic, and that a proper plan for classification is necessary. It is also common to see questions that differentiate CoPP from Control Plane Protection (CPPr), with CoPP being the more general tool. Knowing these distinctions and the exact commands is critical for exam success.

Simple Meaning

Imagine you are the only person working at a busy help desk in a large office building. Your job is to answer questions from employees, sign badges, and approve access requests. If everyone in the building comes to your desk at the same time, you will quickly become overwhelmed.

You cannot help anyone because there are simply too many people. Your work stops completely, and the whole building grinds to a halt. Control Plane Policing is like putting a security guard at the entrance of your help desk.

That guard only lets a manageable number of people come to your desk each minute. If a crowd tries to rush in all at once, the guard holds them back. Some people may have to wait or be turned away, but you, the help desk worker, can keep doing your job for the people who are allowed through.

In a computer network, the control plane is like that help desk worker. It is the part of a router or switch that handles important tasks like building routing tables, processing logins, and running routing protocols. When a device is under attack, an attacker may send millions of fake requests to the control plane.

Without protection, the control plane gets flooded and stops working, which can bring down the entire network. Control Plane Policing sets a limit on how many of these requests the control plane will handle. It drops extra packets past the limit, keeping the device stable and operational.

This feature is one of the most important tools for securing Cisco routers and switches against denial of service attacks.

Full Technical Definition

Control Plane Policing (CoPP) is a Cisco IOS security feature that protects the control plane of a router or switch by applying QoS (Quality of Service) policy maps to classify and rate-limit incoming traffic destined for the control plane. The control plane is the logical component responsible for routing protocol updates, management traffic such as SSH and SNMP, and network control functions. If the control plane is overwhelmed, the device may fail to route traffic or become inaccessible.

CoPP leverages modular QoS CLI (MQC) to define class maps that match specific traffic types, such as BGP packets, ICMP messages, or SSH sessions. A policy map is then applied to the control plane using the command "service-policy input <policy-name>" under the control-plane configuration section. CoPP operates in three modes: receive, aggregate, and hardware.

The receive mode applies policing to packets that are processed by the route processor individually, such as routing protocol hellos. Aggregate mode groups packets by type before policing, which is more efficient but less granular. Hardware mode is used on Cisco Catalyst switches that have ASIC-based policing, offloading processing from the CPU.

CoPP is configured with an ACL (Access Control List) to identify traffic classes, a class map to define the traffic classification, and a policy map to set the rate limit and action, typically "drop" or "transmit". A typical configuration example includes creating an ACL to match SSH traffic, building a class map to reference that ACL, and then creating a policy map that sets a police rate of, for example, 100 packets per second with a conform action of transmit and an exceed action of drop. The policy map is then applied to the control plane interface.

CoPP is essential for mitigating CPU-utilization based denial of service attacks and is a recommended best practice for enterprise edge routers. It can also be used to ensure that critical control plane traffic, such as OSPF hellos, is never dropped by dedicating bandwidth to it. CoPP works closely with the Cisco IOS Control Plane Protection (CPPr) for more granular control over subinterfaces of the control plane.

Real-Life Example

Think of a busy hospital emergency room. The emergency room has a single doctor on duty who must treat all incoming patients. Under normal conditions, the doctor can handle a few patients per hour and everyone gets good care.

But during a major accident, dozens of patients may arrive at the same time. If the doctor tries to treat everyone at once, they become exhausted, make mistakes, and cannot save anyone. The hospital solves this problem by putting a triage nurse at the entrance.

The nurse quickly evaluates each patient and decides how urgent their condition is. Patients who are not critical are told to wait. The nurse also limits the number of patients entering the ER at one time, allowing the doctor to treat the most critical cases first.

In this analogy, the doctor is the control plane of a network device. The triage nurse is the Control Plane Policing feature. The patients are packets of traffic arriving at the router.

When a denial of service attack occurs, thousands of malicious packets hit the device all at once, just like a flood of patients. Without CoPP, the router's CPU tries to process every single packet and becomes overwhelmed, causing it to drop legitimate traffic like routing updates or user connections. With CoPP, the device classifies each packet using access lists and class maps, just like the nurse checks each patient's symptoms.

The nurse decides which patients are critical, such as routing protocol packets, and gives them priority. Non-critical packets, like ICMP ping floods from an attacker, are dropped or rate-limited. This ensures the CPU stays focused on the most important tasks and the network remains stable.

Just as a hospital would not function without triage, a modern network cannot function without CoPP at the edge.

Why This Term Matters

Control Plane Policing matters because it is one of the most effective ways to protect the stability and security of production networks. In real IT work, routers and switches are the backbone of all network communication. If a core router fails because its control plane is flooded, entire offices, data centers, or even hospitals can lose connectivity.

This can lead to massive financial losses or safety risks. CoPP is used by network engineers to enforce quality of service on the control plane itself. Without it, any device exposed to the internet is vulnerable to a denial of service attack that could take it offline.

CoPP also helps in troubleshooting by providing clear counters that show how many packets were dropped due to rate limiting, which helps identify attack patterns. In enterprise environments, CoPP is frequently audited as part of security compliance frameworks like PCI-DSS or ISO 27001, because it is a standard security control. For network engineers, knowing how to configure CoPP is a fundamental skill, especially when deploying routers at branch offices, internet edge, or in data centers.

CoPP also directly ties into Cisco's broader security architecture, working alongside features like uRPF (unicast Reverse Path Forwarding) and ACLs. In a world where distributed denial of service attacks are common, CoPP provides a first line of defense that does not require additional hardware or licensing beyond the IOS feature set. It is a low-cost, high-impact security measure that every network professional should implement.

How It Appears in Exam Questions

Exam questions about Control Plane Policing appear in several formats. Scenario questions describe a network where a router is experiencing high CPU load. The candidate must identify that the control plane is under attack and recommend CoPP as the solution.

For example, a question may say: A core router is showing 95% CPU utilization. Logs show thousands of ICMP echo requests arriving per second. Which feature will protect the router while still permitting normal traffic?

The correct answer is Control Plane Policing. Configuration questions may ask the candidate to select the correct set of commands to apply a policy that limits SSH traffic to 200 packets per second. The candidate must know the sequence of ACL, class map, policy map, and the control-plane command.

Troubleshooting questions present a show running-config or show policy-map control-plane output and ask why a routing protocol like OSPF is failing to establish a neighbor. The answer may be that CoPP is dropping OSPF hello packets because the policy was too restrictive. Architecture questions may ask where on the network CoPP should be applied, for example on internet-facing routers or on distribution switches.

Another pattern is a comparison question asking how CoPP differs from data plane policing or management plane protection. Some questions test the understanding of the three CoPP modes. For instance, which mode is most suitable for a Cisco Catalyst 3850 switch?

The answer is hardware mode. The exam also tests the concept of CoPP as a QoS feature, so questions may ask about the MQC components used in CoPP. Finally, there are questions that test the command syntax itself, such as: Which interface should the policy map be applied to?

The answer is the control plane itself, not a physical interface. These question patterns require both conceptual understanding and memorization of configuration steps.


Example Scenario

A company operates a regional office with a Cisco 4331 router connecting to the internet. One afternoon, the network administrator notices that remote employees cannot access the company VPN, and the router is not responding to SSH connections. Checking the router, the administrator sees the CPU utilization is at 99%.

A quick look at logs shows a massive spike in ICMP echo requests from a single external IP address. The company does not have a dedicated firewall team, and the only protection is the router itself. The administrator decides to implement Control Plane Policing.

They first create an access list that identifies the offending IP address range, then classify that traffic in a class map. A policy map is created that limits the ICMP traffic to 1000 packets per second, dropping any excess. The policy is applied to the control plane.

Within 30 minutes, the router's CPU drops to 30%. Legitimate traffic, including routing updates and SSH from other internal IPs, is unaffected. The administrator later adds a second policy to protect SSH traffic by limiting it to 50 packets per second from any single source.

This scenario shows how CoPP directly resolves a real-world network crisis without requiring a new hardware purchase.

Common Mistakes

Applying the CoPP policy to the wrong interface, such as GigabitEthernet0/0/0 instead of the control plane.

CoPP is designed to police packets destined to the control plane, not packets forwarded through the router. Applying it to a physical interface will affect all traffic, including data forwarding, which is handled by the data plane.

Always use the command 'control-plane' to enter the control plane configuration mode, then apply the service policy with 'service-policy input <policy-name>'.

Creating a CoPP policy that is too restrictive, dropping routing protocol packets like OSPF hellos or BGP keepalives.

If routing protocol keepalives are dropped, neighbor adjacencies break, causing network instability and even total loss of connectivity. This defeats the purpose of CoPP.

Always include class maps for critical routing protocols and set their police rate to 'conform transmit' with a relatively high rate, or use a 'priority' queue for them if supported.

Forgetting to apply the policy map to the control plane after creating it.

Without the 'service-policy input' command under the control-plane configuration, the policy map exists but does nothing. The router remains unprotected.

After creating the policy map, enter 'control-plane' and then 'service-policy input <policy-name>' to activate it.

Using the word 'police' in the policy map but not specifying a conform action, causing all matched packets to be dropped by default.

In Cisco MQC, if you use the 'police' command without a 'conform-action', the default action is to drop packets that exceed the rate, but conforming packets are still transmitted. However, a common error is to assume that all traffic is allowed unless explicitly dropped, which is backwards.

Always specify both 'conform-action transmit' and 'exceed-action drop' to ensure legitimate traffic is allowed.

Exam Trap — Don't Get Fooled

An exam scenario describes a router with high CPU due to an SSH brute force attack, and VLAN ACLs (VACLs) are presented as a solution. The candidate may choose VACLs because they think any ACL can solve the problem. Remember that attacks that target the CPU, like SSH brute force, ICMP floods, or routing protocol attacks, require a control plane filter, not a data plane filter.

If the question mentions high CPU, suspect CoPP. If the question mentions filtering traffic crossing an interface, use ACLs. Always ask: Is the traffic going through the device or to the device?

Commonly Confused With

Control Plane Policing vs Access Control List (ACL)

An ACL operates on the data plane and filters packets based on source/destination IP, port, or protocol as they traverse an interface. CoPP operates on the control plane and limits the rate of packets destined to the router's CPU. ACLs can block or permit traffic entirely, while CoPP rate-limits it.

An ACL can block all SSH traffic from a specific IP. CoPP can allow SSH from that IP but only at 10 packets per second, preventing a brute force attack while still allowing a legitimate connection.

Control Plane Policing vs Control Plane Protection (CPPr)

CPPr is a more advanced feature than CoPP. It allows for subdividing the control plane into three subinterfaces: host, transit, and CEF-exception. CPPr can apply different policies to each subinterface, offering finer granularity. CoPP treats the entire control plane as one entity.

With CoPP, you set a single rate limit for all BGP packets. With CPPr, you can separately police BGP packets coming from the host subinterface versus those coming from the transit subinterface.

Control Plane Policing vs Management Plane Protection (MPP)

MPP limits which interfaces can carry management traffic like SSH, SNMP, and telnet. It restricts which source IPs can connect to the device for management. CoPP rate-limits all control plane traffic, including management traffic, but does not restrict which interface can carry it.

MPP can be configured so that SSH connections are only accepted on the management interface. CoPP would then rate-limit SSH traffic arriving on that interface, but cannot redirect it.

Step-by-Step Breakdown

1. Identify traffic types to protect

Determine which protocols must be allowed and which are likely to be attacked. For example, OSPF, BGP, and SSH are essential. ICMP and SNMP are common attack vectors. Create a list of traffic classes.

2. Create an Access Control List (ACL)

Use an extended ACL to match the specific traffic you want to police. For instance, ACL 100 can permit ICMP echo requests. The ACL is used by the class map to identify packets belonging to that traffic class.

3. Create a Class Map

Use the 'class-map' command to name a class and match it to the ACL. For example, 'class-map match-all ICMP-FLOOD' then 'match access-group 100'. This tells the router what traffic to treat as a group.

4. Create a Policy Map

Use the 'policy-map' command to create a policy, then associate the class map. Inside the class, use the 'police' command to set a rate limit, e.g., 'police rate 10000 pps' (10,000 packets per second), with conform-action transmit and exceed-action drop.

5. Apply the Policy to the Control Plane

Enter configuration mode with 'control-plane' and then apply the service policy with 'service-policy input <policy-name>'. The policy is now active and will rate-limit all incoming packets destined for the control plane.

6. Verify and Tune

Use 'show policy-map control-plane' to see packet counts and drops. If critical traffic is being dropped, adjust the rate limit or the classification. Monitor for a few days to ensure stability.
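The six steps above, and the ICMP/SSH policy from the Example Scenario, can be expressed as data and turned into IOS configuration in the required order (ACL, class map, policy map, control-plane). The following Python script is an added example, not code from this page or from Cisco; it also checks for the mistakes listed under Common Mistakes (an ACL that matches 'ip any any', a conform action other than transmit, a routing-protocol class policed at a low rate, and a policy map never applied under control-plane). The class names, ACL numbers, rates and the MIN_ROUTING_PPS threshold are illustrative values chosen for the example.

```python
"""Generate and sanity-check a Cisco IOS CoPP configuration (MQC style).

Added example; not from the page or from Cisco.  Names, ACL numbers and
rates are illustrative.  The emitted 'police rate N pps' uses the IOS
police sub-mode, where conform-action / exceed-action are sub-commands.
"""
from dataclasses import dataclass, field

# Routing-protocol tags: classes with these tags carry hellos/keepalives
# whose loss breaks adjacencies, so they get an extra rate check.
ROUTING_PROTOCOLS = {"ospf", "bgp", "eigrp"}
MIN_ROUTING_PPS = 500  # illustrative threshold, not a Cisco recommendation


@dataclass
class CoppClass:
    name: str                 # class-map name, e.g. COPP-ICMP
    acl: int                  # extended ACL number the class map references
    acl_entries: list         # ACE bodies after 'permit', e.g. "icmp any any echo"
    rate_pps: int             # police rate in packets per second
    protocol: str = ""        # routing-protocol tag ("ospf", "bgp", ...) or ""
    conform_action: str = "transmit"
    exceed_action: str = "drop"


# Constructed sample: ICMP and SSH from the scenario, plus protected OSPF/BGP.
EXAMPLE_CLASSES = [
    CoppClass("COPP-ICMP", 100, ["icmp any any echo"], 1000),
    CoppClass("COPP-SSH", 101, ["tcp any any eq 22"], 50),
    CoppClass("COPP-OSPF", 102, ["ospf any any"], 2000, protocol="ospf"),
    CoppClass("COPP-BGP", 103, ["tcp any any eq bgp", "tcp any eq bgp any"], 2000,
              protocol="bgp"),
]


def build_copp_config(policy_name, classes):
    """Return IOS config lines in the order of the page's steps 2 to 5."""
    lines = []
    for c in classes:                                        # step 2: ACLs
        for ace in c.acl_entries:
            lines.append(f"access-list {c.acl} permit {ace}")
    for c in classes:                                        # step 3: class maps
        lines += [f"class-map match-all {c.name}", f" match access-group {c.acl}"]
    lines.append(f"policy-map {policy_name}")                # step 4: policy map
    for c in classes:
        lines += [
            f" class {c.name}",
            f"  police rate {c.rate_pps} pps",
            f"   conform-action {c.conform_action}",
            f"   exceed-action {c.exceed_action}",
        ]
    lines += ["control-plane", f" service-policy input {policy_name}"]  # step 5
    return lines


def check_copp(classes, applied=True):
    """Return warnings for the common mistakes described on the page."""
    warnings = []
    for c in classes:
        if any(ace.split() == ["ip", "any", "any"] for ace in c.acl_entries):
            warnings.append(f"{c.name}: ACL {c.acl} matches 'ip any any' and "
                            "will police all control-plane traffic")
        if c.conform_action != "transmit":
            warnings.append(f"{c.name}: conform-action is '{c.conform_action}'; "
                            "conforming packets should be transmitted")
        if (c.protocol in ROUTING_PROTOCOLS and c.exceed_action == "drop"
                and c.rate_pps < MIN_ROUTING_PPS):
            warnings.append(f"{c.name}: {c.protocol} policed at {c.rate_pps} pps "
                            "may drop hellos/keepalives")
    if not applied:
        warnings.append("policy-map is defined but not applied under "
                        "control-plane, so it does nothing")
    return warnings


if __name__ == "__main__":
    print("\n".join(build_copp_config("COPP-POLICY", EXAMPLE_CLASSES)))
    for w in check_copp(EXAMPLE_CLASSES):
        print("WARNING:", w)
```

Run the script to print the configuration; before pasting it into a router, feed your own class list through check_copp and treat every warning as a reason to revisit the classification, as the page's step 6 advises.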

Practical Mini-Lesson

Control Plane Policing is a practical tool that every Cisco network engineer should master. It is not a complex feature, but it requires careful planning. Before configuring CoPP, analyze your network traffic.

Use NetFlow or SNMP data to understand normal control plane traffic volumes. For example, BGP speakers can generate thousands of updates per second, while a small office router may only see a handful. Configuring CoPP without baseline data can inadvertently drop critical routing updates.

The configuration process follows the Modular QoS CLI (MQC) paradigm. Start by defining the traffic classes using ACLs. A common mistake is to use an ACL that matches too broadly, such as 'permit ip any any', which would rate-limit all traffic.

Instead, create specific ACLs for each protocol. For instance, ACL 100 for ICMP, ACL 101 for SSH, ACL 102 for SNMP. Then create class maps that reference these ACLs. The class map should use 'match-all' to ensure all conditions are met.

In the policy map, use the 'police' command. The rate can be specified in bits per second (bps) or packets per second (pps). For control plane attacks, pps is more useful because packet size varies.

A typical value for ICMP might be 1000 pps, while SSH might be 50 pps per source. After applying the policy, immediately test that essential services still work. A good test is to check OSPF neighbors with 'show ip ospf neighbor' and verify BGP sessions are established.

If they are down, the CoPP policy is too strict. CoPP is also useful in combination with logging. Use the 'log' option in the policy map to log dropped packets, which helps identify attack sources.

In production, never deploy CoPP without a rollback plan. Always have a console or out-of-band management access in case the policy accidentally blocks your management session. The safest approach is to start with a permissive policy that only logs violations, then tighten the rates over time.

CoPP is a defense in depth measure, not a standalone solution. It works best when paired with firewalls, IPS, and proper ACLs on data plane interfaces. In certifications, remember that CoPP is a control plane feature, meaning it protects the router's CPU from being overwhelmed.

It does not protect against attacks that target the data plane, such as MAC flooding or ARP spoofing. Those require different mechanisms. By mastering CoPP, you demonstrate a solid understanding of network security architecture and the separation of control and data planes, which is a core concept for CCNP exams.

Memory Tip

CoPP: Control Plane Policeman. Think of a police officer at the CPU's door. The officer stops and checks each packet, only letting a few through every second, keeping the CPU safe from a crowd attack.


Frequently Asked Questions

What is the difference between CoPP and a regular ACL?

A regular ACL filters traffic on the data plane, as it passes through the router. CoPP filters traffic that is destined to the router's control plane, such as SSH or routing updates.

Can CoPP cause routing protocols to fail?

Yes, if the policy rate-limits routing protocol packets too aggressively. Always set high rate limits for BGP, OSPF, and EIGRP, or exclude them from the policy.

Does CoPP work on all Cisco routers?

CoPP is available on most Cisco IOS and IOS-XE routers. Some older platforms or specific license levels may not support it. Check the feature set before deployment.

How do I check if CoPP is dropping packets?

Use the command 'show policy-map control-plane' to view packet counts and drops per class. It shows both conformed and exceeded packets.
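The verification step (step 6 above) and this answer both come down to reading the per-class conformed and exceeded counters. The following Python parser is an added example, not code from this page or from Cisco: it walks 'show policy-map control-plane' text, collects rate, conformed and exceeded counts per class, and lists every class with drops, putting routing-protocol classes first because those drops are the ones that break adjacencies. The sample output is constructed to resemble the IOS format and is not a capture from a real device; treating class names containing OSPF, BGP or EIGRP as critical is an assumption about naming.

```python
"""Parse 'show policy-map control-plane' output and report per-class drops.

Added example; not from the page or from Cisco.  SAMPLE_OUTPUT is a
constructed approximation of the IOS format, not a real capture.
"""
import re

SAMPLE_OUTPUT = """\
Control Plane

  Service-policy input: COPP-POLICY

    Class-map: COPP-ICMP (match-all)
      15200 packets, 912000 bytes
      5 minute offered rate 12000 bps, drop rate 4000 bps
      Match: access-group 100
      police:
          rate 1000 pps, burst 100 packets
        conformed 9800 packets, 588000 bytes; actions:
          transmit
        exceeded 5400 packets, 324000 bytes; actions:
          drop
        conformed 650 pps, exceeded 350 pps

    Class-map: COPP-OSPF (match-all)
      4200 packets, 352800 bytes
      5 minute offered rate 3000 bps, drop rate 1000 bps
      Match: access-group 102
      police:
          rate 50 pps, burst 10 packets
        conformed 3000 packets, 252000 bytes; actions:
          transmit
        exceeded 1200 packets, 100800 bytes; actions:
          drop
        conformed 40 pps, exceeded 15 pps

    Class-map: class-default (match-any)
      830 packets, 61420 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(")
RATE_RE = re.compile(r"^\s*rate\s+(\d+)\s+pps")            # police rate line only
CONFORMED_RE = re.compile(r"^\s*conformed\s+(\d+)\s+packets")
EXCEEDED_RE = re.compile(r"^\s*exceeded\s+(\d+)\s+packets")

# Assumed naming convention: these tokens mark routing-protocol classes.
CRITICAL_TOKENS = ("OSPF", "BGP", "EIGRP")


def parse_copp_counters(text):
    """Return {class_name: {"rate_pps", "conformed", "exceeded"}}."""
    counters = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            counters[current] = {"rate_pps": None, "conformed": 0, "exceeded": 0}
            continue
        if current is None:
            continue
        for key, rx in (("rate_pps", RATE_RE), ("conformed", CONFORMED_RE),
                        ("exceeded", EXCEEDED_RE)):
            m = rx.match(line)
            if m:
                counters[current][key] = int(m.group(1))
    return counters


def find_drops(counters):
    """List (class, exceeded_packets, critical) for classes with drops.

    Critical (routing-protocol) classes come first, then by drop count.
    """
    hits = []
    for name, c in counters.items():
        if c["exceeded"] > 0:
            critical = any(tok in name.upper() for tok in CRITICAL_TOKENS)
            hits.append((name, c["exceeded"], critical))
    hits.sort(key=lambda h: (not h[2], -h[1]))
    return hits


if __name__ == "__main__":
    for name, dropped, critical in find_drops(parse_copp_counters(SAMPLE_OUTPUT)):
        tag = "CRITICAL" if critical else "info"
        print(f"[{tag}] {name}: {dropped} packets exceeded the rate")
```

In the constructed sample the OSPF class is policed at only 50 pps and shows exceeded packets, which is exactly the "policy too restrictive" symptom the page describes; the ICMP class also drops packets, but that is the intended outcome during a flood.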

Is CoPP a security feature?

Yes, it is primarily a security feature used to mitigate denial of service attacks targeting the CPU, but it also ensures quality of service for control plane traffic.

Can I use CoPP on a switch?

Yes, Cisco Catalyst switches support CoPP in hardware mode, which offloads policing to ASICs, reducing CPU impact. This is important for high-speed environments.

Summary

Control Plane Policing is a vital Cisco security feature that protects routers and switches from being overwhelmed by traffic destined to the control plane. By rate-limiting packets like ICMP, SSH, or routing updates, it ensures the CPU can focus on essential tasks even during an attack. For certification exams, you must understand the three steps of configuration, the difference between data plane and control plane, and common pitfalls such as dropping routing protocol traffic.

In real networks, CoPP is a best practice for any device exposed to untrusted networks, especially internet-facing routers. It is a lightweight, effective defense against CPU-based denial of service attacks. Remember that CoPP is not a replacement for firewalls or ACLs, but a complementary tool in a layered security strategy.

For the CCNP ENCOR and ENARSI exams, expect scenario-based questions that test your ability to recognize when CoPP is needed and how to apply it. Master CoPP, and you will have a strong foundation in network security and QoS concepts.