What Is Control Plane Protection in Networking?
Also known as: Control Plane Protection, CoPP, Cisco control plane protection, ENCOR security, control plane policing
Quick Definition
Control Plane Protection is a way to protect a network device like a router from being overwhelmed by unwanted traffic. It works by setting rules that decide which kinds of messages the device's brain should process and which should be dropped. This keeps the device running smoothly even during attacks or heavy traffic.
Must Know for Exams
Control Plane Protection appears prominently in the Cisco CCNP Enterprise ENCOR (350-401) exam. The exam objectives explicitly list “Describe the need for and configuration of control plane policing and protection” under the security section. It is also relevant to the CCNP Security SCOR exam and the CCNA exam, though at a more basic level. In these exams, candidates are expected to understand the difference between control plane, data plane, and management plane, and how CoPP protects the control plane.
Exam questions often ask about the architecture: “Which plane is responsible for processing routing protocol updates?” or “What is the purpose of CoPP?” Candidates must also know the configuration steps: defining ACLs, class maps, policy maps, and applying the policy to the control plane. Multiple-choice questions may test the difference between CoPP and CPP. For example, a question might state: “Which feature allows rate limiting of control plane traffic?” and the answer is Control Plane Protection (CoPP), not Control Plane Policing (CPP).
Scenario-based questions are also common. For instance, “A router is experiencing high CPU due to ICMP floods. What is the best solution?” The correct answer is to implement CoPP with a policy that rate-limits ICMP traffic. Candidates may also be asked to interpret a configuration snippet and identify whether it is correct or why it would fail. Understanding the token bucket model and the concept of conforming and exceeding traffic is helpful for advanced questions.
The ENCOR exam also tests the ability to verify CoPP using show commands like “show policy-map control-plane” and “show control-plane aggregate-”. Candidates should be comfortable reading the output and identifying which classes are dropping packets. Practice with these commands on a lab or simulator is highly recommended.
Simple Meaning
Imagine a router as a busy office building. The control plane is the executive suite where all the important decisions are made, like routing updates and management commands. Anyone can send a letter to this building, but only certain letters should reach the executives. Control Plane Protection is like having a security guard at the front desk who checks every piece of mail. If a letter looks like spam or a threat, the guard throws it away before it can bother the executives. This way, the executives can focus on their real work without being distracted or overwhelmed.
In technical terms, a router has three main parts: the data plane, which forwards packets quickly; the control plane, which learns routes and makes forwarding decisions; and the management plane, which handles administrative tasks like SSH or SNMP. Control Plane Protection focuses specifically on the control plane. Without CoPP, an attacker could flood the router with packets designed to be processed by the CPU, like routing protocol updates or ICMP messages. This flood could use up all the CPU resources, causing the router to crash, lose routing information, or fail to respond to legitimate traffic.
CoPP uses access control lists (ACLs) to classify traffic into different categories, such as routing protocol traffic, management traffic, and unwanted traffic. Each category is assigned a rate limit. Traffic that exceeds the rate limit is dropped. This is similar to a post office sorting facility where letters are sorted by priority. Urgent packages go straight to the sorting floor, while junk mail is discarded immediately. By controlling how much traffic reaches the control plane, CoPP ensures that critical protocols like OSPF, BGP, and EIGRP always have enough CPU time to operate correctly.
Full Technical Definition
Control Plane Protection (CoPP) is a Cisco IOS security feature that protects the control plane of a router or switch from denial-of-service (DoS) attacks and excessive traffic. The control plane is responsible for processing packets that are destined to the device itself, including routing protocol updates, management traffic (SSH, SNMP, Telnet), and network control messages (ICMP, ARP). CoPP uses a combination of access control lists (ACLs) and class maps to classify traffic into different classes, and then applies a policy map that specifies the action for each class: permit, drop, or rate-limit.
CoPP works by intercepting packets before they reach the central CPU. When a packet arrives, the router checks if it is destined to the device's own IP address or is a broadcast/multicast packet that the CPU must process. If so, the packet is examined by the CoPP policy. The policy divides traffic into categories such as Critical, Important, Normal, and Undesirable. Critical traffic includes routing protocols like OSPF, BGP, EIGRP, and LDP. Important traffic includes management protocols like SSH and SNMP. Normal traffic includes ICMP echo requests and traceroute. Undesirable traffic is explicitly unwanted, such as packets from known malicious sources.
Each class is assigned a committed information rate (CIR) and a burst size. The CIR defines the average rate of traffic that will be accepted. The burst size allows for short bursts above the CIR. Traffic that conforms to the rate limit is forwarded to the CPU. Traffic that exceeds the rate limit is dropped. This rate limiting is done using a token bucket algorithm, which ensures that the CPU never gets overwhelmed.
Implementation of CoPP is a multi-step process. First, the network engineer defines ACLs to match specific types of traffic. For example, an ACL might match all packets from a trusted BGP peer. Second, a class map groups these ACLs into logical classes. Third, a policy map associates each class with an action and a rate limit. Finally, the policy is applied to the control plane under the global configuration mode using the “control-plane” command followed by “service-policy input”.
It is important to note that CoPP is different from Control Plane Policing (CPP). CPP is the older, simpler version that only supports permit or drop actions, not rate limiting. CoPP is more flexible and granular. In modern Cisco IOS and IOS-XE, CoPP is the recommended approach. The configuration must be carefully tested because misconfigured CoPP can block critical routing protocol traffic, causing the router to lose connectivity. Best practices include starting with a logging-only policy to see what traffic would be dropped, then gradually enforcing the policy.
Real-Life Example
Think of a busy government building with a main entrance. Inside, there are many offices, including the mayor’s office (the control plane). Anyone can send a letter to the building, but the mayor’s office only has time to handle a limited number of messages per hour. If too many letters arrive, the mayor gets overwhelmed and cannot process important requests from other city departments.
To solve this, the building installs a mail sorting system with a security guard. The guard opens every envelope and checks who it is from and what it is about. Letters from trusted sources, like other government agencies, are marked as “Critical” and passed directly to the mayor’s office. Letters from known citizens about public matters are marked as “Normal” and are allowed through at a limited rate—maybe 10 per minute. Letters that look like spam, threats, or advertisements are thrown away immediately.
This sorting system is exactly like CoPP. The security guard is the ACL that inspects traffic. The different categories (Critical, Normal, Undesirable) are the traffic classes. The rate limit of 10 per minute is the CIR. If someone tries to send 100 letters in a minute, only 10 get through; the rest are dropped. This ensures the mayor’s office never gets flooded and can always respond to the most important messages first.
In a network, the router’s control plane is the mayor’s office. Critical traffic is routing protocol updates from neighbor routers. Normal traffic is ping requests from network administrators. Undesirable traffic is a distributed denial-of-service attack from the internet. CoPP ensures that the router’s CPU is always available to process routing updates, even when an attack is happening.
Why This Term Matters
Control Plane Protection matters because routers and switches are the backbone of any network. If a router’s CPU is overwhelmed by unnecessary traffic, the entire network can become unstable. For example, during a DDoS attack, attackers often send floods of packets that are destined to the router itself, such as ICMP echo requests, SYN packets, or fragmented packets. Without CoPP, the router spends all its CPU power processing these malicious packets, and it stops processing routing updates. This can cause OSPF or BGP neighbor adjacencies to drop, leading to routing loops, black holes, and network outages.
For enterprise networks, CoPP is critical for maintaining service level agreements. A financial trading firm cannot afford a router to drop BGP updates for even a few seconds, because that could mean losing millions of dollars. CoPP provides a proactive defense that prevents such scenarios. Even without an active attack, misconfigured devices or broadcast storms can generate enough control plane traffic to disrupt operations. CoPP acts as a safety net, ensuring that the CPU is never overloaded.
In security operations, CoPP is a fundamental tool for hardening network devices. It is part of the Cisco SAFE security reference architecture and is often required for compliance with standards like PCI-DSS or NIST. Engineers regularly audit CoPP policies to ensure they are up to date with new threats. CoPP also integrates with other security features like uRPF (unicast Reverse Path Forwarding) and ACLs to provide layered defense. Without CoPP, a network device is essentially an open target for anyone on the internet.
How It Appears in Exam Questions
Exam questions on Control Plane Protection come in several formats. One common type is a direct knowledge question: “Which statement best describes Control Plane Protection?” The answer options may include incorrect descriptions like “it protects the data plane” or “it filters traffic passing through the router.” The correct answer states that it protects the CPU from excessive traffic destined to the device.
Another pattern is the configuration question. For example: “A network engineer wants to allow OSPF updates from neighbor 192.168.1.1 at a rate of 100 packets per second and drop all other OSPF traffic. Which configuration accomplishes this?” Candidates must choose the correct combination of ACL, class map, and policy map. These questions test the understanding of syntax and the order of operations.
Troubleshooting questions are also very common. A scenario might describe a router that is experiencing high CPU usage and OSPF neighbors flapping. The question asks: “What should the engineer check first?” The answer is to examine the CoPP policy to see if OSPF traffic is being dropped. Candidates may need to interpret the output of “show policy-map control-plane” and find that the OSPF class is dropping packets due to an exceeded rate limit.
Architecture questions may ask: “Where does CoPP operate in the router architecture?” The answer is at the input of the control plane. They may also ask about the difference between CoPP and QoS: “How does CoPP differ from Quality of Service?” The correct answer is that CoPP is applied to traffic destined to the router, whereas QoS applies to traffic transiting the router.
Finally, there are scenario-based multiple-choice questions like: “An attacker is sending a flood of TCP SYN packets to the router’s management IP address. Which action will reduce CPU impact while allowing legitimate management traffic?” The correct answer involves implementing CoPP with a class that rate-limits TCP SYN traffic to a reasonable value.
Example Scenario
A company runs a small enterprise network with a Cisco router acting as the primary gateway. The router runs OSPF with two neighbor routers to exchange routing information. The network administrator uses SSH to manage the router. One day, the company’s web server is attacked by a DDoS, and the attacker also sends a flood of ICMP echo requests to the router’s IP address. The router’s CPU usage jumps to 100%, and within a minute, the OSPF neighbors time out and the network loses connectivity to the internet.
The administrator restores connectivity by rebooting the router, but the problem repeats. They decide to implement Control Plane Protection. They create an ACL to permit OSPF traffic from the two neighbor routers. They create another ACL to permit SSH traffic from the management station. They create a third ACL to match all ICMP traffic. Then they build a class map that places OSPF traffic into a “CRITICAL” class with a high rate limit, SSH traffic into a “MANAGEMENT” class with a moderate rate limit, and ICMP traffic into a “NORMAL” class with a very low rate limit. Finally, they create a policy map that allows all CRITICAL traffic, rate-limits MANAGEMENT traffic to 100 packets per second, and rate-limits NORMAL traffic to 10 packets per second with a drop action for excess.
After applying the policy to the control plane, the router no longer suffers from high CPU during the attack. The ICMP flood is dropped early, and the OSPF updates and SSH sessions continue to work normally. This scenario shows exactly how CoPP protects a live network.
Common Mistakes
Thinking CoPP protects the data plane traffic that passes through the router, not just traffic destined to the router.
CoPP only applies to packets that are processed by the control plane, meaning packets destined to the router itself. Data plane traffic that is simply forwarded through the router is not affected by CoPP. If an engineer tries to use CoPP to filter transit traffic, it will not work.
Remember CoPP is for “me” traffic, not “through” traffic. Use ACLs on interfaces for transit traffic filtering. CoPP only inspects packets that the router’s CPU must process.
Confusing Control Plane Protection (CoPP) with Control Plane Policing (CPP) and assuming they are identical.
CPP is an older feature that only supports permit or drop actions with no rate limiting. CoPP is newer and supports rate limiting with a token bucket. They are not interchangeable, and exam questions often test the difference.
CoPP is an enhancement of CPP. Think of “Protection” as including rate limiting, while “Policing” is a binary permit or drop. Always use CoPP when you need rate limiting.
Applying a CoPP policy without first testing it in logging mode, which can accidentally drop critical routing protocol traffic.
If a misconfigured ACL accidentally matches OSPF or BGP traffic and drops it, the router will lose routing neighbors and cause an outage. Many engineers skip the logging-only step to save time, which is risky.
Always configure the policy with the “service-policy input” command under the control plane with the “log” option or apply a policy that only logs drops initially. Monitor the logs for any unexpected drops before switching to enforce mode.
Setting the rate limit too low for routing protocols, causing legitimate packets to be dropped during normal fluctuations.
Routing protocols like OSPF and BGP can have bursts of traffic during convergence. If the CIR is set too low, some legitimate updates may be dropped, leading to neighbor flaps.
Monitor the normal traffic volume for each class over a period of days. Set the CIR at least 20-30% above the average observed rate. Allow a reasonable burst size to accommodate spikes.
Forgetting to include ARP traffic in the CoPP policy, leading to ARP flooding that still overwhelms the CPU.
ARP requests are processed by the control plane. If CoPP only focuses on IP traffic, excessive ARP traffic can still cause high CPU. Attackers often use ARP floods as a DoS vector.
Include a class for ARP traffic using the “match protocol arp” command in the class map. Rate-limit ARP to a reasonable value based on the network size.
Exam Trap — Don't Get Fooled
The exam presents a scenario where a router has high CPU due to traffic that is being forwarded through the router, and asks you to select CoPP as the solution. Remember that CoPP only affects packets that are destined to the router itself. If the high CPU is caused by forwarding millions of packets per second through the router, CoPP will not help because those packets never reach the control plane.
The real solution might be to upgrade hardware, use Cisco Express Forwarding, or add an ACL on the interface to block unwanted traffic. Always ask: is this traffic for me or through me?
Commonly Confused With
Control Plane Policing (CPP)
CoPP is the newer feature that supports rate limiting using a token bucket algorithm, while CPP only supports permit or drop actions without rate limiting. CPP is limited and older; CoPP is more flexible and recommended.
If you want to limit ICMP to 100 packets per second, you must use CoPP. With CPP, you could only allow all ICMP or drop all ICMP, not set a rate limit.
Data Plane ACLs
Data plane ACLs filter traffic that is passing through the router from one interface to another. CoPP filters traffic that is destined to the router itself. Data plane ACLs do not protect the CPU from floods aimed at the router.
An ACL on the inbound interface blocking SSH from the internet stops outsiders from opening remote-access sessions, but does not stop a flood of SSH packets that exhausts the CPU. CoPP would rate-limit those SSH packets to protect the CPU.
Management Plane Protection (MPP)
MPP restricts which interfaces can accept management traffic like SSH or SNMP. It controls the management plane, not the control plane. CoPP controls traffic to the control plane, including routing protocols and management traffic. MPP is about interface restrictions, while CoPP is about rate limiting.
MPP says “SSH is only allowed on the loopback interface.” CoPP says “SSH is allowed at a rate of 50 packets per second.” They work together but are different concepts.
Unicast Reverse Path Forwarding (uRPF)
uRPF is an anti-spoofing feature that drops packets with source IP addresses that do not have a valid return path. CoPP is a rate-limiting feature for control plane traffic. uRPF protects against IP spoofing, while CoPP protects against CPU overload.
If a packet has a fake source IP, uRPF drops it. If a legitimate packet arrives too fast, CoPP rate-limits it. They solve different problems.
Step-by-Step Breakdown
Identify traffic categories
First, determine which types of traffic will reach the control plane. This includes routing protocols (OSPF, BGP, EIGRP), management protocols (SSH, SNMP, HTTPS), network services (DHCP, ARP, ICMP), and unwanted traffic (known attack sources). Categorize them into Critical, Important, Normal, and Undesirable groups based on business needs.
Create access control lists (ACLs)
Define ACLs that match each type of traffic. For example, an ACL that permits OSPF packets from specific neighbor IP addresses, or an ACL that matches all ICMP echo requests. Use standard or extended ACLs as needed. The ACLs will be referenced in the class maps later.
Build class maps
Create a class map for each traffic category using the “class-map” command. Inside the class map, use “match access-group” to reference the ACL. For example, “class-map match-all CRITICAL” and then “match access-group 100”. This tells the router which traffic belongs to which class.
Create a policy map
Use the “policy-map” command to define a policy that applies actions to each class. For critical classes, use “police” with a high CIR and burst, and action “conform-action transmit” and “exceed-action drop”. For undesirable classes, set “drop” as the only action. Configure each class sequentially.
Apply the policy to the control plane
Enter global configuration mode and use the “control-plane” command. Then issue “service-policy input POLICY-NAME” to attach the policy to the control plane. The policy will now inspect all incoming packets destined to the CPU.
Test and verify
Use “show policy-map control-plane” to see the statistics for each class. Check if any packets are being dropped. Monitor CPU usage with “show process cpu”. If critical traffic is being dropped, adjust the rate limits accordingly. Run the policy for a few days with logging to ensure no unintended drops occur.
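As an added example that is not from the original page, the following IOS configuration carries the six steps through for the Example Scenario above: two OSPF neighbors in a CRITICAL class that is never dropped, one SSH management station held to 100 packets per second, and ICMP held to 10 packets per second. The ACL, class-map and policy-map names, the 192.0.2.0/24 documentation-range addresses, the burst sizes and the class-default rate are assumptions chosen for the example.

```cisco
! Added example (not from the original page). Addresses are constructed
! placeholders from the documentation range; replace them with your own.
!
! Step 2: ACLs that match each traffic type (step 1 chose the categories)
ip access-list extended ACL-COPP-OSPF
 remark OSPF only from the two neighbor routers
 permit ospf host 192.0.2.2 any
 permit ospf host 192.0.2.3 any
ip access-list extended ACL-COPP-SSH
 remark SSH only from the management station
 permit tcp host 192.0.2.100 any eq 22
ip access-list extended ACL-COPP-ICMP
 remark all ICMP, including the echo requests used in the flood
 permit icmp any any
!
! Step 3: class maps tie each ACL to a class
class-map match-all COPP-CRITICAL
 match access-group name ACL-COPP-OSPF
class-map match-all COPP-MANAGEMENT
 match access-group name ACL-COPP-SSH
class-map match-all COPP-NORMAL
 match access-group name ACL-COPP-ICMP
!
! Step 4: policy map; CIR in packets per second, burst in packets
policy-map COPP-POLICY
 class COPP-CRITICAL
  ! routing updates are always transmitted; the policer only counts them,
  ! so the exceeded counter still reveals an unexpected burst
  police rate 1000 pps burst 2000 packets conform-action transmit exceed-action transmit
 class COPP-MANAGEMENT
  police rate 100 pps burst 200 packets conform-action transmit exceed-action drop
 class COPP-NORMAL
  police rate 10 pps burst 20 packets conform-action transmit exceed-action drop
 class class-default
  ! anything else the CPU must process (ARP lands here unless it gets its own
  ! class with "match protocol arp"); a low rate rather than a hard drop, so a
  ! forgotten protocol shows up in the counters instead of failing silently
  police rate 50 pps burst 100 packets conform-action transmit exceed-action drop
!
! Monitoring phase (the logging-only step recommended above): first apply the
! policy with every exceed-action set to transmit, watch the exceeded counters
! in "show policy-map control-plane" for a few days, then change them to drop.
!
! Step 5: attach the policy to the control plane
control-plane
 service-policy input COPP-POLICY
!
! Step 6: verify per-class conform/exceed counters and CPU load
! show policy-map control-plane
! show process cpu
```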
Practical Mini-Lesson
Control Plane Protection is a fundamental skill for any network engineer managing Cisco devices. To implement CoPP correctly, start by understanding what traffic hits your router’s control plane. Use the “show control-plane host open ports” command to see which services are listening. Then, monitor the router’s CPU during normal operations to establish a baseline. For example, a typical branch router might have 5% CPU usage from routing protocols and 2% from SNMP. This gives you an idea of how much headroom you have.
When configuring CoPP, always use a hierarchical approach. Begin with a class for critical routing protocols. For OSPF, the protocol is IP protocol 89, so you can match it directly using an ACL or using “match protocol ospf” in a class map if your IOS version supports NBAR. For BGP, match TCP port 179. Place these in a “ROUTING” class with a high CIR, say 1000 packets per second, and a burst of 2000 packets. This ensures that even during a convergence event, BGP updates are not dropped.
Next, create a class for management traffic. Use separate classes for SSH (TCP 22), SNMP (UDP 161/162), and HTTPS (TCP 443). Rate-limit these to 50-100 packets per second each. This protects against DoS attacks on management services while allowing legitimate access. For SSH, you might also want to allow only specific source IP addresses in the ACL.
Then, create a class for network services like DHCP, ARP, and ICMP. These are essential but can be abused. ARP can be rate-limited to a few hundred packets per second, depending on the network size. ICMP echo requests can be limited to 10-20 per second, which is more than enough for ping from a few administrators. Finally, create a “DEFAULT” class that drops all traffic that does not match any other class. This prevents unknown packets from reaching the CPU.
Common pitfalls include forgetting to include the default class, which allows all untracked traffic to pass freely. Another mistake is setting the ACLs too loosely, for example using “permit ip any any” in a class that is supposed to be critical. Always be specific. After applying the policy, immediately test connectivity with a ping and SSH. If you lock yourself out, you may need console access to remove the policy.
CoPP integrates with Cisco’s control plane policing best practices. Some organizations combine CoPP with QoS to prioritize control plane traffic on congested links. In modern networks, CoPP is often automated using templates or orchestration tools like Ansible. Understanding CoPP is not just about passing an exam; it is a daily tool for securing routers and switches in production environments.
Memory Tip
Remember CoPP as “CPU Only, Protect the Plane”. The CPU only processes traffic destined to the router, and CoPP protects that plane by rate-limiting the volume.
Frequently Asked Questions
What is the difference between Control Plane Protection and Control Plane Policing?
Control Plane Protection (CoPP) is the newer feature that supports rate limiting using a token bucket algorithm. Control Plane Policing (CPP) only allows you to permit or drop traffic without rate limiting. CoPP provides more granular control.
Can CoPP be applied to a layer 2 switch?
Yes, CoPP can be applied to Cisco switches that run IOS or IOS-XE, especially those with a CPU that processes control traffic like STP, VTP, and DTP. It is commonly used on Catalyst switches.
What happens if I misconfigure CoPP and block OSPF traffic?
The router will lose OSPF adjacencies, and the network may experience routing loops or black holes. To avoid this, always test the policy in logging mode first, or have console access to revert the configuration.
Does CoPP affect traffic that is forwarded through the router?
No, CoPP only affects packets that are destined to the router’s own IP address or are process-switched. Packets that are fast-switched or forwarded in hardware are not touched by CoPP.
How do I verify that my CoPP policy is working?
Use the command “show policy-map control-plane” to see packet counts and drop counters for each class. You can also use “show control-plane aggregate-” to see aggregate statistics. Monitor CPU usage with “show process cpu”.
What is a recommended CIR value for OSPF traffic?
For most networks, a CIR of 500-1000 packets per second with a burst of 1500-2000 packets is sufficient. Monitor your network during normal operations and adjust based on the observed traffic volume.
Can I use CoPP on a router that is already using QoS?
Yes, CoPP and QoS coexist. QoS applies to traffic passing through the router, while CoPP applies to traffic destined to the router. They operate on different planes and do not conflict.
Summary
Control Plane Protection is a vital security feature for Cisco routers and switches that prevents the control plane from being overwhelmed by excessive or malicious traffic. It works by classifying traffic using ACLs and class maps, then applying rate limits or drop actions through a policy map attached to the control plane. This ensures that critical routing protocols like OSPF and BGP always receive the CPU time they need, even during a denial-of-service attack.
In the ENCOR exam, you will be tested on the difference between CoPP and other control plane features, configuration steps, and scenario-based problem solving. Remember that CoPP only protects traffic destined to the device, not traffic passing through it. Practical implementation requires careful planning, testing, and monitoring to avoid unintended outages.
Mastering CoPP is essential for both exam success and real-world network security.