CCNA Control Plane Policing (CoPP) Questions

68 questions · Control Plane Policing (CoPP) · All types, answers revealed

1
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-IN
        Class-map: CoPP-BGP (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group 120
          police:
            cir 32000 bps, bc 6000 bytes, be 6000 bytes
            conformed 0 packets, 0 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop

    R1# show ip bgp summary
    BGP router identifier 1.1.1.1, local AS number 100
    BGP table version is 1, main routing table version 1

    Neighbor   V   AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    10.1.1.2   4   200  10       10       1       0    0     00:05:00  5

Based on this output, what is the most likely problem?

A. The BGP session is down.
B. The access-list 120 is not matching BGP traffic, so it is falling into class-default.
C. The police rate is too low and is dropping all BGP packets.
D. The policy-map is applied to the output direction.
Answer: B

The zero packet count indicates the class is not matching, but BGP is working, so traffic is matched by class-default.

Why this answer

The CoPP-BGP class shows zero packets, but the BGP session is established and exchanging messages. This indicates that BGP traffic is not being classified by the CoPP-BGP class, likely because the access-group 120 is not matching the BGP packets. The BGP session is up, so the traffic is being processed by the class-default instead.

2
MCQ · hard

A router has CoPP configured with a class-map that matches OSPF traffic and polices it to 2000 pps. The router is also configured with an OSPF distribute-list in to filter routes. After applying CoPP, OSPF neighbors form, but routes from a specific neighbor are missing. The distribute-list permits all routes. Which is the most likely explanation?

A. The distribute-list is applied incorrectly and blocks all routes.
B. CoPP drops OSPF LSU packets, preventing route installation, while hello packets still form the adjacency.
C. OSPF uses TCP, and CoPP only polices UDP.
D. The CoPP policy is applied to the wrong control plane subinterface.
Answer: B

LSUs carry the actual routes; if dropped, routes are missing even though the neighbor is up.

Why this answer

CoPP polices OSPF packets, but OSPF uses different packet types (hello, DBD, LSR, LSU, LSAck). If the police rate is exceeded, LSU packets may be dropped while hello packets pass. The distribute-list is not the issue; the missing routes are due to dropped LSUs.

3
MCQ · easy

An engineer applies a CoPP policy to a router to protect the control plane from a DDoS attack. The policy includes a class-map matching UDP traffic to port 123 (NTP) and polices it to 1000 bps. After the policy is applied, the engineer notices that the router's clock is not synchronizing with its NTP server. The NTP server is reachable via ping. What is the most likely cause?

A. The CoPP policy is dropping NTP packets because the police rate is too low.
B. The NTP server is not responding because of the DDoS attack.
C. The CoPP class-map is not matching NTP packets because it uses the wrong port number.
D. The router's NTP configuration has a wrong server IP address.
Answer: A

NTP packets are small, but if the police rate is too low, they can be dropped, causing synchronization failure.

Why this answer

NTP uses UDP port 123. The CoPP policy is rate-limiting NTP traffic to 1000 bps, which may be too low for NTP packets, especially if there are multiple NTP packets or if the burst is high. This causes NTP packets to be dropped, preventing clock synchronization.

4
MCQ · hard

An engineer configures Control Plane Policing (CoPP) on a router running OSPF. After applying the policy, OSPF neighbors intermittently drop and recover. The CoPP policy includes a class-map matching OSPF traffic with a police rate of 64000 bps. The router has multiple OSPF neighbors and the link utilization is normal. Which is the most likely explanation?

A. The CoPP policy uses the default class class-default, which drops OSPF packets.
B. The police rate is in bits per second, but OSPF hello packets are small; the packet-per-second rate is exceeded, causing drops.
C. OSPF uses UDP, and CoPP only filters TCP traffic.
D. The CoPP policy is applied to the wrong interface; it should be applied to the management interface.
Answer: B

OSPF hello packets are small, so bps rate limiting can be misleading; pps is more appropriate for protocol packets.

Why this answer

CoPP rate-limits control plane traffic in bits per second (bps) by default, but OSPF packets are small and frequent. The rate limit in bps may be insufficient for the packet rate, causing drops of OSPF hello packets. The engineer should use packets per second (pps) for protocol packets like OSPF to avoid this issue.

5
MCQ · medium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

    R1# debug ip ospf adj
    OSPF adjacency debugging is on
    R1#
    *Mar 1 00:05:23.123: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0, area 0.0.0.0, packet type: 1 (Hello)
    *Mar 1 00:05:23.123: OSPF: 2 Way Communication to 10.1.1.2 on FastEthernet0/0, state 2WAY
    *Mar 1 00:05:23.124: OSPF: Send immediate hello to nbr 10.1.1.2, src address 10.1.1.1, on FastEthernet0/0
    *Mar 1 00:05:23.124: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0, area 0.0.0.0, packet type: 2 (DBD)
    *Mar 1 00:05:23.125: OSPF: Rcv DBD from 10.1.1.2, seq 0x1234, opts 0x2, flag 0x7, mtu 1500 state EXSTART
    *Mar 1 00:05:23.126: OSPF: Nbr 10.1.1.2 has state FULL

What does this output indicate?

A. OSPF adjacency is failing due to CoPP dropping Hello packets.
B. OSPF adjacency is established successfully, indicating CoPP is not blocking OSPF traffic.
C. OSPF is experiencing packet loss due to MTU mismatch.
D. OSPF is stuck in EXSTART state due to CoPP.
Answer: B

The adjacency reached FULL state, meaning OSPF packets are being processed correctly.

Why this answer

The debug output shows OSPF adjacency formation with neighbor 10.1.1.2. The sequence of packets (Hello, DBD) and the transition to FULL state indicate that the adjacency is established successfully. This can be used to verify that CoPP is not dropping OSPF packets.

6
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-IN
        Class-map: CoPP-BGP (match-all)
          500 packets, 30000 bytes
          5 minute offered rate 1000 bps, drop rate 500 bps
          Match: access-group 120
          police:
            cir 8000 bps, bc 1500 bytes, be 1500 bytes
            conformed 300 packets, 18000 bytes; actions: transmit
            exceeded 100 packets, 6000 bytes; actions: drop
            violated 100 packets, 6000 bytes; actions: drop

Based on this output, which statement is correct?

A. All BGP packets are being transmitted without any drops.
B. BGP traffic is being rate-limited and some packets are being dropped.
C. The police rate is set to 16000 bps.
D. The class-default is matching BGP traffic.
Answer: B

The police counters show packets are being dropped due to exceeding the CIR.

Why this answer

The CoPP-BGP class is matching traffic and applying a police rate. The drop rate is 500 bps, and there are exceeded and violated packets being dropped. This indicates that BGP traffic is being rate-limited and some packets are being dropped, which could cause BGP session instability.

7
MCQ · hard

Which statement about CoPP and IPv6 control plane traffic is correct?

A. CoPP does not support IPv6 traffic
B. IPv6 traffic is automatically classified as critical
C. CoPP can police IPv6 traffic using the same policy-map as IPv4
D. IPv6 control plane traffic is not subject to CoPP
Answer: C

CoPP uses a single policy-map that can match both IPv4 and IPv6 traffic via ACLs or class-maps.

Why this answer

CoPP can classify and police IPv6 control plane traffic using the same policy-map framework, but IPv6-specific protocols like OSPFv3 or RIPng must be matched using appropriate ACLs or class-maps.

8
MCQ · medium

Which control plane protocol packets are classified as 'critical' in the default CoPP policy?

A. ICMP echo requests and SSH
B. OSPF hello packets and BGP keepalives
C. Telnet and HTTP
D. NTP and SNMP
Answer: B

Routing protocol hello and keepalive packets are considered critical for network stability and are assigned to the critical class in CoPP.

Why this answer

Cisco's recommended CoPP policy classifies routing protocol packets (e.g., OSPF, EIGRP, BGP) and Layer 2 keepalives as critical, while ICMP and SSH are often classified as normal or management.

9
MCQ · easy

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

    R1# show ip route summary
    IP routing table name: Default-IP-Routing-Table (0x0)
    IP routing table maximum-paths: 32
    Route entry limits: 1000000 active, 2000000 total
    Number of prefixes: 500
    Prefixes with memory: 500
    Number of paths: 600
    Paths with memory: 600
    Number of operations: 1200
    Number of deleted entries: 0

What does this output indicate?

A. The routing table is empty due to CoPP dropping routing updates.
B. The routing table has 500 prefixes, indicating that routing protocols are functioning and CoPP is not blocking updates.
C. The routing table has too many prefixes, causing CoPP to drop packets.
D. The routing table is not being updated due to a CoPP policy.
Answer: B

A healthy routing table with no deleted entries suggests CoPP is not causing issues.

Why this answer

The command shows the IP routing table summary. It indicates that there are 500 prefixes and 600 paths in the routing table, with no deleted entries. This can be used to verify that CoPP is not affecting routing updates by checking if the routing table is stable.

10
MCQ · easy

A router has a CoPP policy that includes a class-map matching all traffic from a specific source IP address (the management station) and polices it to 100000 bps. The engineer notices that SNMP polls from the management station are timing out. The SNMP traffic uses UDP port 161. The engineer checks the CoPP statistics and sees that the class for the management station has dropped packets. What is the most likely cause?

A. The CoPP police rate of 100000 bps is too low for the SNMP traffic from the management station.
B. The SNMP community string is incorrect on the management station.
C. The CoPP class-map is matching the wrong source IP address.
D. The SNMP agent on the router is not responding due to high CPU.
Answer: A

SNMP polls can be bursty, and 100000 bps may not be sufficient, leading to drops and timeouts.

Why this answer

The CoPP policy is rate-limiting traffic from the management station to 100000 bps. SNMP polls can generate bursts of traffic, especially if the router has many OIDs to query. If the police rate is too low for the SNMP traffic, packets are dropped, causing timeouts.

11
MCQ · hard

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

    R1# show policy-map control-plane input class CoPP-Class
      Class-map: CoPP-Class (match-all)
        1500 packets, 120000 bytes
        5 minute offered rate 10000 bps, drop rate 5000 bps
        Match: access-group name CoPP-ACL
        police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
          conformed 1000 packets, 80000 bytes; actions: transmit
          exceeded 500 packets, 40000 bytes; actions: drop
          conformed 8000 bps, exceed 2000 bps, violated 0 bps

What does this output indicate?

A. The CoPP policy is dropping all traffic because the CIR is too low.
B. The CoPP policy is causing packet loss for traffic that exceeds the 8 kbps rate, which may impact legitimate control plane traffic.
C. The CoPP policy is not applied correctly because the drop rate is higher than the conform rate.
D. The CoPP policy is working as intended with no issues.
Answer: B

The drop rate of 5 kbps indicates that half the offered traffic is being dropped, which could affect protocols like OSPF or BGP.

Why this answer

The output shows that the CoPP policy is policing traffic matching the CoPP-ACL. The offered rate is 10 kbps, but the CIR is 8 kbps, resulting in 500 packets exceeding the rate and being dropped. This indicates that control plane traffic is being throttled.

12
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show access-lists 100
    Extended IP access list 100
        10 permit icmp any any echo
        20 permit icmp any any echo-reply
        30 permit icmp any any time-exceeded
        40 permit icmp any any unreachable

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-IN
        Class-map: CoPP-ICMP (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group 100
          police:
            cir 8000 bps, bc 1500 bytes, be 1500 bytes
            conformed 0 packets, 0 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop

Based on this output, what is the most likely problem?

A. The class-map uses 'match-all' instead of 'match-any'.
B. The access-list does not include all ICMP types that may be sent to the control plane.
C. The police rate is too low and is dropping all packets.
D. The policy-map is applied to the wrong direction.
Answer: B

The access-list only matches specific ICMP types, potentially missing others like router advertisement or parameter problem.

Why this answer

The access-list 100 matches ICMP types, but the class-map CoPP-ICMP uses 'match-all' which requires all match criteria to be met. Since only one access-group is referenced, 'match-all' is not incorrect, but the access-list may not be matching the actual ICMP traffic types sent to the control plane (e.g., ICMP type 8 for echo, but the router may receive other types). However, the key issue is that the class-map is not matching any packets, likely because the access-list is incomplete or the traffic is not matching the specified ICMP types.

13
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-IN
        Class-map: CoPP-ICMP (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group 100
          police:
            cir 8000 bps, bc 1500 bytes, be 1500 bytes
            conformed 0 packets, 0 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop
        Class-map: CoPP-SSH (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group 110
          police:
            cir 16000 bps, bc 3000 bytes, be 3000 bytes
            conformed 0 packets, 0 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop
        Class-map: class-default (match-any)
          1250 packets, 75000 bytes
          5 minute offered rate 1000 bps, drop rate 0000 bps
          Match: any

Based on this output, which statement is correct?

A. The CoPP policy is dropping all ICMP packets to the control plane.
B. The CoPP policy is not matching any packets for the CoPP-ICMP and CoPP-SSH classes.
C. The CoPP policy is rate-limiting SSH traffic to 16000 bps.
D. The CoPP policy is applied to the output direction.
Answer: B

The packet counters for both classes are zero, indicating no traffic matched these classes.

Why this answer

The output shows the CoPP policy applied to the control plane. The class-default has traffic, but the specific classes (ICMP and SSH) show zero packets, indicating the access-lists may not be matching traffic or the class-maps are not correctly configured. The correct answer is that the CoPP policy is not matching any packets for the defined classes.

14
MCQ · medium

Consider the following CoPP configuration:

    class-map match-any COPP-ROUTING
     match protocol ospf
     match protocol eigrp
     match protocol bgp
    !
    policy-map COPP-POLICY
     class COPP-ROUTING
      police 32000 conform-action transmit exceed-action drop
     class class-default
      police 64000 conform-action transmit exceed-action drop
    !
    control-plane
     service-policy input COPP-POLICY

What is a potential issue with this configuration?

A. The class-map uses match-any instead of match-all, which will cause incorrect matching.
B. The police rate of 32000 bps is too low for routing protocol traffic and may cause adjacency drops.
C. The 'match protocol' command is not supported in CoPP class-maps; only ACLs or DSCP/IP precedence can be used.
D. The policy-map must be applied to the control-plane with the 'output' keyword instead of 'input'.
Answer: C

Correct. CoPP only supports match access-group, match ip dscp, or match ip precedence. match protocol is not allowed.

Why this answer

Using match protocol in a class-map for CoPP is not supported; CoPP only matches on ACLs or DSCP/IP precedence. The policy will not classify routing protocol traffic correctly.

15
MCQ · easy

Which CoPP mechanism prevents the CPU from being overwhelmed by control plane traffic?

A. Shaping
B. Policing
C. Queuing
D. Compression
Answer: B

CoPP applies policing to control plane traffic, dropping packets that exceed the configured rate to protect the CPU.

Why this answer

CoPP uses a policer (typically a single-rate two-color or three-color marker) to rate-limit traffic destined to the control plane, dropping packets that exceed the configured rate.

16
MCQ · medium

A network engineer configures CoPP on a router to limit ICMP traffic to 5000 bps. After the policy is applied, the engineer notices that the router is not responding to ping requests from a remote network. However, the router can ping other devices successfully. The engineer checks the CoPP statistics and sees that the ICMP class has dropped packets. What is the most likely root cause?

A. The CoPP policy is dropping incoming ICMP echo requests because the police rate is too low.
B. The CoPP policy is dropping outgoing ICMP echo replies because the police rate applies to both directions.
C. The router's interface ACL is blocking incoming ICMP traffic.
D. The router's ICMP rate-limit feature is enabled globally.
Answer: A

Incoming ICMP packets are policed by CoPP, and if the rate is exceeded, they are dropped, preventing the router from responding.

Why this answer

The CoPP policy is rate-limiting ICMP traffic to 5000 bps. Ping requests from the remote network are ICMP echo requests, which are processed by the control plane. If the rate is too low, these packets are dropped, causing the router to not respond to pings.

The router can still originate pings because outgoing ICMP traffic is not subject to CoPP (CoPP applies to incoming control plane traffic).

17
Drag & Drop · medium

Drag and drop the steps to configure a Control Plane Policing (CoPP) policy into the correct order, from first to last.

Why this order

The correct order starts by identifying traffic with a class-map, then grouping classes in a policy-map, applying actions (e.g., drop), attaching the policy to the control-plane, and finally verifying the configuration. This follows the standard MQC (Modular QoS CLI) workflow.

18
Drag & Drop · hard

Drag and drop the steps to troubleshoot Control Plane Policing (CoPP) adjacency or connectivity failures into the correct order, from first to last.

Why this order

Troubleshooting CoPP failures starts by checking if the control-plane policy is applied, then verifying the class-map matches the correct protocol, checking for dropped packets, temporarily disabling CoPP to test, and finally adjusting the policy to permit the necessary traffic. This systematic approach isolates the issue without disrupting the network.

19
MCQ · easy

What is the default CoPP policer action for packets that exceed the committed information rate (CIR)?

A. Transmit with best-effort
B. Drop
C. Set DSCP to 0
D. Queue for later transmission
Answer: B

The default policer action for exceeding traffic is to drop the packets.

Why this answer

By default, the CoPP policer uses a single-rate two-color marker where packets exceeding the CIR are dropped.

20
MCQ · hard

A network engineer notices that BGP sessions between two directly connected routers are flapping every few minutes. The routers are running IOS-XE 17.3 and have CoPP enabled. The engineer checks the CoPP policy and sees a class-map matching BGP packets with a police rate of 8000 bps. The BGP session uses MD5 authentication and the routers exchange a full BGP table with 500,000 prefixes. What is the most likely cause of the BGP session flapping?

A. The BGP MD5 authentication is causing excessive CPU utilization, triggering CoPP drops.
B. The CoPP police rate of 8000 bps is too low for the BGP keepalive and update traffic, causing packet drops.
C. The CoPP class-map is not matching BGP packets correctly because it uses a wrong access-list.
D. The BGP hold timer is set too low, causing the session to reset before CoPP drops are noticed.
Answer: B

BGP with 500,000 prefixes generates significant update traffic, and 8000 bps is insufficient, leading to dropped packets and session flapping.

Why this answer

The CoPP policy is policing BGP control plane packets at a rate of 8000 bps, which is insufficient for the BGP keepalive and update traffic. BGP keepalives are sent every 60 seconds by default, but with 500,000 prefixes, the initial BGP update traffic can easily exceed 8000 bps, causing packets to be dropped and the session to flap.

21
Multi-Select · hard

An engineer must implement CoPP to protect the control plane of a Cisco IOS router from a DoS attack targeting SSH and SNMP. Which TWO configuration changes are required? (Choose TWO.)

Select 2 answers
A. Create an extended ACL that matches TCP port 22 (SSH) and UDP port 161 (SNMP).
B. Apply the CoPP policy under the interface configuration mode using 'service-policy input'.
C. Configure a class-map that matches the ACL created in step A.
D. Apply the CoPP policy under the control-plane configuration using 'service-policy output'.
E. Use the 'police' command with 'conform-action drop' to drop all SSH and SNMP traffic.
Answers: A, C

Correct. ACLs are used to match the specific control plane traffic (SSH and SNMP) for classification.

Why this answer

To protect SSH and SNMP, the engineer must create ACLs to match these protocols, then create a class-map that references the ACLs, and a policy-map that applies a police rate with an appropriate action (e.g., drop for attack traffic). The policy-map must be applied under the control-plane configuration with 'service-policy input'. Applying under a physical interface is incorrect.

Using 'service-policy output' is also incorrect.

22
Multi-Select · hard

Which THREE symptoms indicate that Control Plane Policing (CoPP) might be misconfigured or causing connectivity issues? (Choose THREE.)

Select 3 answers
A. OSPF or BGP neighbors are flapping, with log messages indicating adjacency timeouts.
B. SSH or Telnet sessions to the device are intermittent or time out.
C. CPU utilization remains high despite CoPP being configured.
D. CPU utilization is consistently low, and all control plane traffic is passing without drops.
E. Throughput on data interfaces increases significantly.
Answers: A, B, C

If CoPP drops routing protocol hello packets, neighbors may flap, indicating misclassification or overly restrictive policing.

Why this answer

Symptoms of CoPP misconfiguration include: (1) routing protocol neighbors flapping because CoPP drops hello packets, (2) management access (SSH/Telnet) becoming intermittent due to policing, and (3) high CPU utilization because CoPP is not properly filtering unwanted traffic. Option D (low CPU utilization) is the opposite of a typical CoPP issue. Option E (increased throughput on data interfaces) is unrelated to CoPP affecting the control plane.

23
MCQ · medium

Consider the following CoPP configuration:

    access-list 150 permit tcp any any eq 179
    access-list 150 permit udp any any eq 646
    !
    class-map match-all COPP-CORE
     match access-group 150
    !
    policy-map COPP-POLICY
     class COPP-CORE
      police 64000 conform-action transmit exceed-action drop
     class class-default
      police 128000 conform-action transmit exceed-action drop
    !
    control-plane
     service-policy input COPP-POLICY

What is missing from this configuration to also protect against ICMP-based control-plane attacks?

A. Add 'permit icmp any any' to access-list 150 to include ICMP in the COPP-CORE class.
B. Change the class-default police rate to 64000 bps to match the COPP-CORE rate.
C. Add a second class-map for ICMP and apply a separate policer.
D. The configuration is complete; ICMP is not a significant control-plane threat.
Answer: A

Correct. Adding ICMP to the ACL would match it in the COPP-CORE class and apply the lower 64000 bps policer, providing better protection.

Why this answer

The ACL only matches BGP (TCP 179) and LDP (UDP 646). ICMP is not included, so ICMP traffic falls into class-default and is only limited to 128000 bps, which may be too high for protection.

24
MCQ · medium

A router has a CoPP policy that includes a class-map matching all TCP traffic with a police rate of 5000 bps. The engineer notices that Telnet sessions to the router are timing out, but SSH sessions work fine. The router is configured to accept both Telnet and SSH. What is the most likely cause?

A. The CoPP policy has a separate class for Telnet with a lower police rate or a drop action.
B. The SSH traffic is encrypted, so it uses less bandwidth than Telnet.
C. The Telnet server on the router is not responding due to a configuration error.
D. The CoPP policy is rate-limiting TCP traffic to 5000 bps, which is enough for SSH but not for Telnet.
Answer: A

If Telnet is in a different class with a lower rate or drop, it would explain why Telnet fails while SSH works.

Why this answer

Both Telnet and SSH use TCP, so they should both be affected by the same police rate. However, if the CoPP policy has separate classes for Telnet and SSH, or if the police rate is applied per class, the issue might be that Telnet traffic is being policed more aggressively. Alternatively, the Telnet traffic might be hitting a different class that drops it.

25
MCQ · medium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

    R1# show bgp ipv4 unicast 10.1.1.0/24
    BGP routing table entry for 10.1.1.0/24, version 10
    Paths: (1 available, best #1, table default)
      Advertised to update-groups:
         1
      Refresh Epoch 1
      Local
        10.1.1.2 from 10.1.1.2 (10.1.1.2)
          Origin IGP, metric 0, localpref 100, valid, external, best
          Last update: Mon Mar 1 00:05:23 2024

What does this output indicate?

A. BGP is not receiving updates due to CoPP dropping packets.
B. BGP is functioning correctly, and CoPP is not interfering with BGP sessions.
C. BGP is stuck in idle state due to CoPP.
D. BGP is only advertising routes locally.
Answer: B

The route is learned from 10.1.1.2 and is best, indicating BGP is working.

Why this answer

The BGP route for 10.1.1.0/24 is present and valid, with a last update time of 00:05:23. This indicates that BGP updates are being received and processed, suggesting CoPP is not blocking BGP traffic.

26
MCQ · easy

What is the default CoPP policy on a Cisco IOS-XE router if no service-policy is applied to the control-plane?

A. All control-plane traffic is rate-limited to 64000 bps.
B. Only management traffic (SSH, Telnet) is rate-limited to 32000 bps.
C. No CoPP policy is applied; all control-plane traffic is processed without rate-limiting.
D. A default policy is applied that drops all traffic exceeding 128000 bps.
Answer: C

Correct. CoPP is not enabled by default.

Why this answer

By default, no CoPP policy is applied. The control-plane processes all traffic without rate-limiting. CoPP must be explicitly configured.

27
MCQ · hard

A network engineer configures CoPP on a router that is a DMVPN hub. The policy includes a class-map to match NHRP traffic and police it. After deployment, spoke-to-spoke tunnels fail to establish, although spoke-to-hub tunnels work. Which is the most likely explanation?

A. The CoPP policy drops IPsec packets, which are used for spoke-to-spoke encryption.
B. The CoPP policy polices NHRP traffic, causing NHRP redirect packets from the hub to be dropped, so spokes cannot learn each other's addresses.
C. The CoPP policy is applied to the tunnel interface, not the control plane.
D. The CoPP policy uses the default class class-default, which blocks NHRP.
Answer: B

NHRP redirects are essential for spoke-to-spoke communication; policing them breaks the dynamic tunnel setup.

Why this answer

In DMVPN Phase 2, NHRP traffic between spokes is redirected through the hub. If CoPP polices NHRP traffic too aggressively, the NHRP redirect packets from the hub are dropped, preventing spoke-to-spoke tunnel establishment.

28
MCQ · hard

A router has CoPP configured with a class-map that matches all traffic and polices it to 10000 pps. The router also has IPsec configured for a site-to-site VPN. After applying CoPP, the IPsec tunnel goes up, but traffic through the tunnel is intermittently dropped. Which is the most likely explanation?

A. CoPP drops ESP packets, which are data plane traffic.
B. CoPP drops IKE packets during rekey, causing the IPsec tunnel to fail temporarily.
C. IPsec uses TCP, and CoPP only polices UDP.
D. The CoPP policy is applied to the tunnel interface, not the control plane.
Answer: B

IKE packets are control plane; if dropped, the tunnel may not rekey properly, causing traffic loss.

Why this answer

IPsec uses control plane packets for IKE (UDP 500) and ESP/AH. CoPP polices all traffic to the control plane, including IKE packets. If IKE packets are dropped, the tunnel may rekey incorrectly, causing traffic drops.

Additionally, encapsulated traffic may be subject to CoPP if it hits the control plane.

29
MCQ · medium

A router experiences high CPU utilization due to SSH login attempts from an external attacker. The network engineer implements a CoPP policy to rate-limit SSH traffic to 10000 bps. After applying the policy, the engineer notices that legitimate SSH sessions from the management network are also being dropped intermittently. The CoPP policy uses a class-map that matches TCP port 22 traffic. What should the engineer do to fix this issue?

A. Increase the police rate for the SSH class to 100000 bps to allow all SSH traffic.
B. Modify the class-map to match only SSH traffic from the attacker's source IP addresses using an access-list.
C. Create a separate class for legitimate SSH traffic from the management network with a higher police rate, and police the attacker's traffic more aggressively.
D. Remove the CoPP policy and implement an ACL on the interface to block the attacker's IP address.
Answer: C

This allows legitimate SSH sessions to pass while still protecting the control plane from the attacker.

Why this answer

The CoPP policy is rate-limiting all SSH traffic, including legitimate sessions. The engineer should create a more specific class-map that matches only the attacker's source IP addresses or uses a more granular approach, such as matching traffic from the management network with a higher police rate.

30
MCQ · hard

Which CoPP feature allows the control plane to process packets from a specific source IP address without rate limiting?

A. CoPP aggregate policer
B. Control Plane Protection (CPPr) exception
C. QoS pre-classify
D. Policy-map 'set' action
Answer: B

CPPr allows defining exceptions to bypass CoPP for trusted sources, such as management stations or routing peers.

Why this answer

Control Plane Protection (CPPr) allows the creation of exceptions for specific source IP addresses or subnets using the 'exception' keyword within a class-map.

31
MCQ · easy

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-IN
        Class-map: CoPP-OSPF (match-all)
          1000 packets, 60000 bytes
          5 minute offered rate 2000 bps, drop rate 0000 bps
          Match: access-group 140
          police:
            cir 64000 bps, bc 12000 bytes, be 12000 bytes
            conformed 1000 packets, 60000 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop

Based on this output, which statement is correct?

A.OSPF packets are being dropped due to exceeding the police rate.
B.OSPF traffic is being transmitted without any drops.
C.The police rate is set to 32000 bps.
D.The class-default is matching OSPF traffic.
AnswerB

All packets are conforming and being transmitted.

Why this answer

The CoPP-OSPF class is matching OSPF traffic and all packets are conforming to the police rate, so no drops are occurring. This indicates that OSPF traffic is being properly rate-limited without any packet loss.

32
MCQmedium

A router running EIGRP has a CoPP policy that includes a class-map matching EIGRP packets with a police rate of 2000 bps. The network engineer notices that EIGRP neighbor adjacencies are flapping. The EIGRP network has 100 routes. The engineer checks the CoPP statistics and sees that the EIGRP class has dropped 500 packets in the last hour. What is the most likely root cause?

A.The EIGRP hello interval is set too low, causing excessive hello packets that exceed the police rate.
B.The CoPP police rate of 2000 bps is insufficient for EIGRP hello and update traffic, causing packet drops.
C.The EIGRP authentication is causing larger packets that exceed the police rate.
D.The CoPP class-map is matching EIGRP packets incorrectly, causing them to be dropped by a default class.
AnswerB

EIGRP packets, though small, can be dropped if the police rate is too low, leading to adjacency flapping.

Why this answer

EIGRP hello packets are small and sent every 5 seconds by default. With 100 routes, the update traffic is also small. However, if the police rate is too low, even small packets can be dropped.

The drop count of 500 packets in an hour indicates that EIGRP packets are being policed, causing adjacencies to flap.

33
MCQmedium

What is the default CoPP classification for ARP packets on a Cisco IOS-XE device?

A.Normal
B.Critical
C.Management
D.Best-effort
AnswerB

ARP is classified as critical to ensure that address resolution is not starved by CoPP.

Why this answer

ARP packets are essential for Layer 2 connectivity and are typically classified as 'critical' in CoPP to prevent ARP spoofing or flooding from disrupting network operations.

34
Multi-Selecthard

Which TWO actions will prevent a CoPP policy from inadvertently dropping legitimate routing protocol packets during a traffic spike? (Choose TWO.)

Select 2 answers
A.Create a class-map that matches routing protocol packets (e.g., OSPF, EIGRP, BGP) and assign a police rate with conform-action transmit and exceed-action drop.
B.Create a class-map that matches routing protocol packets and assign a police rate with conform-action transmit and violate-action transmit.
C.Place routing protocol traffic into a class with a 'drop' action to prevent it from overwhelming the control plane.
D.Use the 'police' command with a high committed information rate (CIR) and burst size, and apply 'conform-action transmit' and 'exceed-action set-dscp cs6'.
E.Apply the CoPP policy only to the 'control-plane host' subinterface, which processes all routing protocol packets.
AnswersB, D

Correct. Using transmit for both conform and violate actions ensures routing protocol packets are never dropped, even during spikes.

Why this answer

To protect routing protocols, CoPP should classify routing protocol traffic into a high-priority class with a conform-action of 'transmit' and a violate-action of 'transmit' (or a high bandwidth guarantee). Using a 'police' with 'conform-action transmit' and 'exceed-action drop' is too aggressive. The 'drop' action in any class that matches routing protocols is dangerous. 'set-dscp' does not prevent drops.

35
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-IN
        Class-map: CoPP-DEFAULT (match-any)
          5000 packets, 300000 bytes
          5 minute offered rate 4000 bps, drop rate 2000 bps
          Match: any
          police:
              cir 32000 bps, bc 6000 bytes, be 6000 bytes
            conformed 3000 packets, 180000 bytes; actions:
              transmit
            exceeded 1000 packets, 60000 bytes; actions:
              drop
            violated 1000 packets, 60000 bytes; actions:
              drop

Based on this output, what is the most likely impact on the router?

A.All control plane traffic is being transmitted without issues.
B.Some control plane traffic is being dropped, which could cause routing protocol instability.
C.The police rate is set to 64000 bps.
D.Only ICMP traffic is being dropped.
AnswerB

Dropped packets in the class-default can affect critical control plane traffic.

Why this answer

The class-default is matching all traffic not matched by other classes, and it is rate-limiting with a CIR of 32000 bps. Since there are drops, some control plane traffic (e.g., routing updates, management traffic) may be dropped, potentially causing issues like BGP session flapping or SSH timeouts.

36
MCQmedium

In a CoPP policy, what is the effect of the 'violate-action' parameter in the police command?

A.It specifies the action for packets that exceed the conform rate but are within the excess burst.
B.It specifies the action for packets that exceed both the conform rate and the excess burst.
C.It specifies the action for packets that are below the conform rate.
D.It is only used in two-rate policers and is ignored in single-rate policers.
AnswerB

Correct. The violate-action applies to packets that exceed the excess burst (i.e., violate the token bucket).

Why this answer

The violate-action is used in the three-color policer (single-rate or two-rate) to specify the action for packets that exceed the excess burst. If not configured, the exceed-action is used for violate traffic.

37
Multi-Selectmedium

Which TWO commands verify the operational status and packet statistics of a Control Plane Policing (CoPP) policy on a Cisco IOS-XE device? (Choose TWO.)

Select 2 answers
A.show policy-map control-plane
B.show control-plane host open-ports
C.show ip interface brief
D.show access-lists
E.show running-config | section policy-map
AnswersA, B

This command displays the CoPP policy applied to the control plane and per-class packet counters, essential for verifying CoPP operation.

Why this answer

The 'show policy-map control-plane' command displays per-class packet statistics (conform/exceed/violate) for the CoPP policy applied to the control plane. The 'show control-plane host open-ports' command lists listening ports and their associated CoPP class maps, aiding in verification. 'show ip interface brief' shows interface status, not CoPP. 'show access-lists' only shows ACL hit counts, not full CoPP statistics. 'show running-config | section policy-map' shows configuration but not operational statistics.

38
MCQmedium

Examine the following CoPP configuration on a Cisco IOS-XE router:

    !--- ACL to match traffic
    access-list 100 permit tcp any any eq 22
    access-list 100 permit tcp any any eq 23
    access-list 100 permit icmp any any echo
    !
    !--- Class-map
    class-map match-all COPP-MGMT
     match access-group 100
    !
    !--- Policy-map
    policy-map COPP-POLICY
     class COPP-MGMT
      police 8000 conform-action transmit exceed-action drop
     class class-default
      police 64000 conform-action transmit exceed-action drop
    !
    !--- Apply to control-plane
    control-plane
     service-policy input COPP-POLICY

What is the effect of this configuration?

A.SSH, Telnet, and ICMP echo packets are rate-limited to 8000 bps; all other control-plane traffic is rate-limited to 64000 bps.
B.Only SSH and Telnet are rate-limited to 8000 bps; ICMP echo is not affected because it is matched by a different class.
C.All control-plane traffic is rate-limited to 64000 bps, because the class-default overrides the COPP-MGMT class.
D.The configuration is invalid because the class-map must be named 'COPP-CLASS' to be used in the policy-map.
AnswerA

Correct. The class COPP-MGMT matches the ACL traffic and applies an 8000 bps policer. The class-default applies a 64000 bps policer to all other traffic.

Why this answer

The policy limits SSH, Telnet, and ICMP echo traffic to 8000 bps, dropping excess. All other control-plane traffic is limited to 64000 bps. This protects the router from control-plane overload.

39
Multi-Selecthard

Which TWO statements correctly describe the behavior of Control Plane Policing (CoPP) when applied to a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.CoPP policies are applied using the Modular QoS CLI (MQC) and can be attached to the control-plane interface with the 'service-policy input' command.
B.CoPP can be applied to the aggregate control plane or separately to the IPv4, IPv6, and MPLS control plane subinterfaces.
C.CoPP policies are applied using the 'policy-map' command under the interface configuration mode for each physical interface.
D.CoPP polices all traffic that enters the router, including traffic that is process-switched after being forwarded.
E.CoPP uses the 'class-map' command to match traffic based on ACLs, NBAR, or DSCP values, and the 'police' command to enforce rate limits.
AnswersA, B

Correct. CoPP uses MQC class-maps and policy-maps, and is applied under the control-plane configuration with 'service-policy input'.

Why this answer

CoPP uses MQC to classify and rate-limit traffic destined to the control plane. The control plane is a separate logical entity, and CoPP policies can be applied to the aggregate control plane or per-subinterface. The 'service-policy input' command is used under the control-plane configuration.

CoPP does not affect traffic that is process-switched after being forwarded; it only polices traffic destined to the control plane itself.

40
MCQmedium

Analyze the following partial configuration:

    access-list 101 permit tcp any any eq 179
    access-list 101 permit udp any any eq 646
    access-list 101 permit ospf any any
    !
    class-map match-all COPP-BGP
     match access-group 101
    !
    policy-map COPP-POLICY
     class COPP-BGP
      police 48000 conform-action transmit exceed-action drop
     class class-default
      police 128000 conform-action transmit exceed-action drop
    !
    interface GigabitEthernet0/0
     ip address 192.168.1.1 255.255.255.0
    !
    control-plane
     service-policy input COPP-POLICY

Which statement is true?

A.The ACL matches OSPF, BGP, and LDP traffic, and all are rate-limited to 48000 bps.
B.The ACL is missing 'permit eigrp any any' to include EIGRP traffic.
C.The class-map must use 'match-all' to match all protocols simultaneously, but the ACL uses 'permit' which is OR logic, so the class-map will not work.
D.The policy-map should be applied to the interface, not the control-plane.
AnswerA

Correct. The ACL permits OSPF (protocol 89), BGP (TCP 179), and LDP (UDP 646). The class-map matches all three and applies the 48000 bps policer.

Why this answer

The ACL includes OSPF, BGP (TCP port 179), and LDP (UDP port 646). These are all control-plane protocols. The policer rate of 48000 bps may be insufficient for BGP updates but the configuration is valid.

41
Multi-Selecthard

Which THREE commands can be used to verify the operation and effectiveness of a CoPP policy on a Cisco IOS router? (Choose THREE.)

Select 3 answers
A.show policy-map control-plane
B.show control-plane
C.show access-lists
D.show ip route
E.show interfaces
AnswersA, B, C

Correct. This command displays the CoPP policy and per-class packet/drop statistics.

Why this answer

Common verification commands for CoPP include 'show policy-map control-plane' to view per-class statistics, 'show control-plane' to see aggregate control plane statistics, and 'show access-lists' to verify that ACLs used in CoPP are matching the intended traffic. 'show ip route' shows routing information, not CoPP statistics. 'show interfaces' shows interface counters, not control plane policing details.

42
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-IN
        Class-map: CoPP-EIGRP (match-all)
          200 packets, 12000 bytes
          5 minute offered rate 1000 bps, drop rate 0000 bps
          Match: access-group 150
          police:
              cir 16000 bps, bc 3000 bytes, be 3000 bytes
            conformed 200 packets, 12000 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            violated 0 packets, 0 bytes; actions:
              drop

    R1# show ip eigrp neighbors
    EIGRP-IPv4 neighbors for process 100
    H   Address      Interface   Hold   Uptime     SRTT   RTO   Q    Seq
                                 (sec)             (ms)         Cnt  Num
    0   10.1.1.2     Gi0/0       13     00:10:00   1      200   0    5

Based on this output, which statement is correct?

A.EIGRP packets are being dropped, causing neighbor flapping.
B.EIGRP traffic is being rate-limited but no packets are dropped.
C.The police rate is set to 8000 bps.
D.The EIGRP neighbor is not established.
AnswerB

All packets are conforming and transmitted.

Why this answer

The CoPP-EIGRP class is matching EIGRP traffic and all packets are conforming. The EIGRP neighbor is established and stable, indicating that the CoPP policy is not negatively impacting EIGRP.

43
MCQmedium

Examine this CoPP configuration:

    ip access-list extended COPP-ACL
     permit tcp any any eq 22
     permit tcp any any eq 23
     permit icmp any any echo
    !
    class-map match-all COPP-CLASS
     match access-group name COPP-ACL
    !
    policy-map COPP-POLICY
     class COPP-CLASS
      police 10000 1500 1500 conform-action transmit exceed-action drop violate-action drop
     class class-default
      police 64000 conform-action transmit exceed-action drop
    !
    control-plane
     service-policy input COPP-POLICY

What is the effect of the police command in class COPP-CLASS?

A.Traffic is limited to 10000 bps with a burst of 1500 bytes; excess traffic is dropped.
B.Traffic is limited to 10000 bps with a burst of 3000 bytes; excess traffic is dropped.
C.The police command is invalid because it uses three parameters after the rate.
D.Traffic is limited to 10000 bps, but the burst values are ignored because they are not configured in bytes.
AnswerA

Correct. The police command specifies conform rate 10000 bps, normal burst 1500, excess burst 1500. Exceed and violate actions are both drop.

Why this answer

The police command uses a conform rate of 10000 bps, a normal burst of 1500 bytes, and an excess burst of 1500 bytes. Traffic exceeding the burst is dropped (exceed-action drop and violate-action drop).
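The conform / exceed / violate split described in questions 36 and 43 can be checked with a small token-bucket model. This is an added example, not part of the quiz and not Cisco's implementation: it assumes a simplified single-rate, three-colour policer in the style of RFC 2697, and the class and function names are hypothetical. The values match `police 10000 1500 1500` from question 43.

```python
from dataclasses import dataclass, field

# Internal token unit is 1/8000 byte, so elapsed_ms * cir_bps is an exact integer.
UNIT = 8000


@dataclass
class SingleRatePolicer:
    """Simplified single-rate three-colour policer (assumed model, RFC 2697 style)."""
    cir_bps: int    # committed information rate, bits per second
    bc_bytes: int   # normal (committed) burst
    be_bytes: int   # excess burst
    tc: int = field(init=False)                  # committed bucket level
    te: int = field(init=False)                  # excess bucket level
    last_ms: int = field(default=0, init=False)  # time of the previous packet

    def __post_init__(self):
        # Both buckets start full.
        self.tc = self.bc_bytes * UNIT
        self.te = self.be_bytes * UNIT

    def _refill(self, now_ms):
        earned = (now_ms - self.last_ms) * self.cir_bps
        self.last_ms = now_ms
        # New tokens fill the committed bucket first; overflow goes to the excess bucket.
        to_committed = min(earned, self.bc_bytes * UNIT - self.tc)
        self.tc += to_committed
        self.te = min(self.be_bytes * UNIT, self.te + earned - to_committed)

    def classify(self, now_ms, size_bytes):
        """Return 'conform', 'exceed' or 'violate' for one packet."""
        self._refill(now_ms)
        cost = size_bytes * UNIT
        if self.tc >= cost:
            self.tc -= cost
            return "conform"
        if self.te >= cost:
            self.te -= cost
            return "exceed"
        return "violate"


def run_policer(policer, arrivals, actions):
    """arrivals: list of (time_ms, size_bytes); actions: colour -> 'transmit' or 'drop'."""
    stats = {"conform": 0, "exceed": 0, "violate": 0, "dropped": 0}
    for now_ms, size in arrivals:
        colour = policer.classify(now_ms, size)
        stats[colour] += 1
        if actions[colour] == "drop":
            stats["dropped"] += 1
    return stats


# Actions from question 43: conform transmit, exceed drop, violate drop.
Q43_ACTIONS = {"conform": "transmit", "exceed": "drop", "violate": "drop"}


def burst_demo():
    """Constructed input: eight 500-byte packets arriving back to back at t=0."""
    policer = SingleRatePolicer(cir_bps=10000, bc_bytes=1500, be_bytes=1500)
    return run_policer(policer, [(0, 500)] * 8, Q43_ACTIONS)


def steady_demo():
    """Constructed input: 125-byte packets every 100 ms, exactly 10000 bps."""
    policer = SingleRatePolicer(cir_bps=10000, bc_bytes=1500, be_bytes=1500)
    return run_policer(policer, [(i * 100, 125) for i in range(50)], Q43_ACTIONS)


if __name__ == "__main__":
    print("burst :", burst_demo())
    print("steady:", steady_demo())
```

In the burst case the first 1500 bytes conform, the next 1500 bytes are coloured exceed, and the rest violate; with both non-conform actions set to drop, only the conforming packets are transmitted.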

44
MCQmedium

What is the default action for a CoPP policy-map class that does not have an explicit 'police' command?

A.Drop all packets in that class
B.Transmit all packets in that class
C.Log all packets in that class
D.Apply the default aggregate policer
AnswerB

The default action for a class without a police statement is to permit and transmit all matching traffic.

Why this answer

If a class in a CoPP policy-map has no 'police' action, the default behavior is to transmit all packets matching that class without any policing.

45
Multi-Selectmedium

Which TWO commands are used to troubleshoot Control Plane Policing (CoPP) and identify which traffic is being dropped? (Choose TWO.)

Select 2 answers
A.show policy-map control-plane
B.debug policy-map control-plane
C.show control-plane host open-ports
D.show ip cache flow
E.show access-lists
AnswersA, C

This command displays packet counters for each class in the CoPP policy, including dropped (violate) packets.

Why this answer

The 'show policy-map control-plane' command provides per-class packet counters (conform/exceed/violate) to see drops. The 'show control-plane host open-ports' command helps map open ports to CoPP class maps, aiding in identifying misclassification. 'debug policy-map control-plane' is not a valid command; 'debug policy-map' is used but not specific to control plane. 'show ip cache flow' shows NetFlow data, not CoPP drops. 'show access-lists' shows ACL hit counts but not CoPP-specific drop statistics.

46
MCQhard

A network engineer configures CoPP on a router to limit PIM-SM control plane traffic. The policy includes a class-map matching PIM packets and polices them to 10000 bps. After the policy is applied, the engineer notices that multicast traffic is not being forwarded correctly, and PIM neighbors are not forming. The router is a PIM-SM rendezvous point (RP). What is the most likely issue?

A.The CoPP policy is dropping PIM register messages because the police rate is too low for the burst of register traffic.
B.The CoPP class-map is not matching PIM packets because it uses the wrong protocol number.
C.The PIM hello interval is set too high, causing the router to miss hello packets from neighbors.
D.The CoPP policy is applied to the wrong control plane, such as the IPv6 control plane.
AnswerA

PIM register messages can be large and bursty, and a police rate of 10000 bps may not be sufficient, causing drops and preventing RP functionality.

Why this answer

PIM-SM uses periodic hello messages and register messages that can be large. If the police rate is too low, PIM packets are dropped, preventing neighbor formation and RP discovery. Additionally, the RP might need to process register messages, which can be bursty.

47
MCQmedium

What is the default CoPP behavior for traffic that does not match any class in the policy-map?

A.Dropped
B.Transmitted
C.Logged and dropped
D.Routed to the management plane
AnswerB

The default action for traffic not matching any class is to transmit it, unless a 'class class-default' is configured with a police action.

Why this answer

If a policy-map has no explicit 'class class-default' statement, unmatched traffic is implicitly permitted and transmitted without policing.

48
Multi-Selecthard

Which TWO configuration steps are required to implement Control Plane Policing (CoPP) on a Cisco IOS-XE router? (Choose TWO.)

Select 2 answers
A.Apply the policy map to a physical interface using the 'service-policy input' command.
B.Create a policy map that defines a police action for the classified traffic.
C.Create a class map to match the traffic that should be policed.
D.Configure a 'shape average' command in the policy map to limit traffic rate.
E.Apply the policy map to the control plane using the 'service-policy input' command under the interface configuration mode.
AnswersB, C

A policy map with a 'police' command is required to specify the rate and action for CoPP.

Why this answer

The two mandatory steps are: (1) creating a class map to classify traffic (e.g., matching ACLs or protocols) and (2) creating a policy map that applies a police action to that class. Applying the policy to the control plane is also required but is a separate step; however, the question asks for two steps from the list. Option B (creating a policy map) and Option C (creating a class map) are the fundamental building blocks.

Applying to an interface is incorrect; applying to the control plane is correct but not listed as a separate option here. Option D is incorrect because CoPP uses 'police' not 'shape'. Option E is incorrect because 'service-policy' is applied under control-plane, not interface.

49
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-IN
        Class-map: CoPP-ICMP (match-all)
          100 packets, 6000 bytes
          5 minute offered rate 500 bps, drop rate 500 bps
          Match: access-group 100
          police:
              cir 8000 bps, bc 1500 bytes, be 1500 bytes
            conformed 50 packets, 3000 bytes; actions:
              transmit
            exceeded 25 packets, 1500 bytes; actions:
              drop
            violated 25 packets, 1500 bytes; actions:
              drop

Based on this output, what is the most likely impact on the router?

A.All ICMP packets are being transmitted without drops.
B.ICMP traffic is being rate-limited, causing some ping requests to fail.
C.The police rate is set to 16000 bps.
D.The class-default is matching ICMP traffic.
AnswerB

Dropped ICMP packets can result in ping loss.

Why this answer

The CoPP-ICMP class is dropping half of the ICMP packets due to exceeding the police rate. This could cause ping failures or traceroute issues from network devices, but it is not necessarily critical for router operation. However, it indicates that ICMP traffic is being rate-limited.

50
MCQhard

An engineer configures CoPP with a class-map that matches all IP traffic and polices it to 10000 pps. The router also has uRPF strict mode enabled on the WAN interface. After applying CoPP, the router stops receiving routing updates from a neighbor, but pings to the neighbor succeed. Which is the most likely explanation?

A.CoPP drops routing updates, causing the routing table to lack the neighbor's source network, so uRPF drops the neighbor's packets.
B.uRPF is applied after CoPP, so CoPP drops the routing updates first.
C.The CoPP policy matches all IP traffic, including uRPF failure packets.
D.Pings succeed because they use a different protocol than routing updates.
AnswerA

uRPF strict mode requires a route back to the source; without it, packets are dropped, including routing updates.

Why this answer

uRPF strict mode drops packets if the source IP is not reachable via the incoming interface. CoPP polices traffic to the control plane, but uRPF is applied before CoPP. If the routing table is incomplete (e.g., due to CoPP dropping routing updates), uRPF may drop valid packets, creating a feedback loop.

51
Multi-Selecthard

Which TWO statements about the 'show policy-map control-plane' command output are true? (Choose TWO.)

Select 2 answers
A.The output displays the number of packets that matched each class in the CoPP policy.
B.The output includes the number of packets dropped by each class due to policing.
C.The output shows the routing table entries that are affected by the CoPP policy.
D.The output displays the CoPP policy applied to each physical interface.
E.The output includes the ARP cache entries that are protected by CoPP.
AnswersA, B

Correct. The command shows per-class packet and byte counters for matched traffic.

Why this answer

The 'show policy-map control-plane' command displays the applied CoPP policy, including per-class statistics such as classified packets, bytes, and drop counts. It shows the policy name, class maps, and actions (police, drop, etc.). It does not show per-interface statistics (that would be 'show policy-map interface'), nor does it show the routing table or ARP cache.
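The per-class counters in this output can be triaged automatically, which is how the "zero matches" and "drops present" questions in this set are answered by hand. The following is an added example, not part of the quiz: the parser and its function names are hypothetical, and the sample text is constructed from the CoPP-ICMP and CoPP-SNMP counters quoted in questions 49 and 57, laid out one field per line.

```python
import re

# Constructed sample built from the counters quoted in questions 49 and 57.
SAMPLE = """\
 Control Plane
  Service-policy input: CoPP-IN
    Class-map: CoPP-ICMP (match-all)
      100 packets, 6000 bytes
      5 minute offered rate 500 bps, drop rate 500 bps
      Match: access-group 100
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 50 packets, 3000 bytes; actions:
          transmit
        exceeded 25 packets, 1500 bytes; actions:
          drop
        violated 25 packets, 1500 bytes; actions:
          drop
    Class-map: CoPP-SNMP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group 130
      police:
          cir 32000 bps, bc 6000 bytes, be 6000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)\s+\(match-(?:all|any)\)")
TOTAL_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes\s*$")
CIR_RE = re.compile(r"\bcir (\d+) bps")
COLOUR_RE = re.compile(
    r"^\s*(conformed|exceeded|violated) (\d+) packets, \d+ bytes; actions:\s*(\S*)"
)


def parse_copp(text):
    """Parse per-class counters into a list of dicts, one per Class-map."""
    classes, cur, pending = [], None, None
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            cur = {"name": m.group(1), "packets": None, "cir_bps": None, "colours": {}}
            classes.append(cur)
            pending = None
            continue
        if cur is None or not line.strip():
            continue
        if pending:  # the action is printed on the line after "actions:"
            cur["colours"][pending]["action"] = line.strip()
            pending = None
            continue
        m = COLOUR_RE.match(line)
        if m:
            colour, count, action = m.group(1), int(m.group(2)), m.group(3)
            cur["colours"][colour] = {"packets": count, "action": action or None}
            pending = None if action else colour
            continue
        m = TOTAL_RE.match(line)
        if m and cur["packets"] is None:
            cur["packets"] = int(m.group(1))  # first bare counter line is the class total
            continue
        m = CIR_RE.search(line)
        if m:
            cur["cir_bps"] = int(m.group(1))
    return classes


def triage(classes):
    """Return (class name, status, packets dropped) for each class.

    'no-match' : zero classified packets, so check the ACL and where the traffic lands
    'dropping' : packets counted under a colour whose action is drop
    'ok'       : traffic matched and nothing was dropped
    """
    findings = []
    for c in classes:
        dropped = sum(v["packets"] for v in c["colours"].values() if v["action"] == "drop")
        if not c["packets"]:
            status = "no-match"
        elif dropped:
            status = "dropping"
        else:
            status = "ok"
        findings.append((c["name"], status, dropped))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_copp(SAMPLE)):
        print(finding)
```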

52
MCQhard

A router has CoPP configured with a class-map that matches BGP traffic (TCP port 179) and polices it to 500 pps. The router has multiple iBGP peers. After applying the policy, some BGP sessions flap, but others remain stable. The flapping peers are those with higher latency. Which is the most likely explanation?

A.CoPP drops BGP packets based on source IP, and high-latency peers have different source IPs.
B.High-latency peers generate more TCP retransmissions, which are more likely to be dropped by the police rate, causing session flaps.
C.BGP uses UDP for keepalives, and CoPP only polices TCP.
D.The CoPP policy is applied to the wrong control plane; it should be applied to the forwarding plane.
AnswerB

TCP retransmissions increase with latency, and CoPP may drop them, leading to BGP session failure.

Why this answer

BGP uses TCP keepalives and updates. High-latency peers require more frequent retransmissions due to TCP windowing. CoPP may drop these retransmissions, causing the session to time out.

Lower-latency peers experience fewer drops.

53
Drag & Dropmedium

Drag and drop the steps to verify and validate the operational state of Control Plane Policing (CoPP) into the correct order, from first to last.

Why this order

Verification starts with confirming the policy is applied globally, then checking per-class statistics for drops, using show commands to examine packet counters, testing reachability to the control plane, and finally reviewing logs for any CoPP-related messages. This ensures the policy is working as intended.

54
MCQmedium

An engineer applies a CoPP policy to a router to protect the control plane. The policy includes a class-map that matches all ICMP traffic and polices it to 5000 bps. After the policy is applied, the engineer notices that OSPF adjacencies are going down. The OSPF hello packets are not being received. What is the most likely cause?

A.The CoPP policy is policing OSPF packets because the class-map matches all IP traffic, not just ICMP.
B.The CoPP policy has a default class that drops all unmatched traffic, including OSPF packets.
C.The OSPF hello packets are being rate-limited because they are ICMP packets.
D.The CoPP policy is applied to the wrong interface, causing OSPF packets to be dropped.
AnswerB

If the CoPP policy does not explicitly permit OSPF packets, a default drop class will cause OSPF adjacencies to fail.

Why this answer

OSPF uses IP protocol 89, not ICMP. However, if the class-map is misconfigured to match all IP traffic or if there is a default class that drops packets, OSPF packets might be affected. The most likely cause is that the CoPP policy has a default class that drops unmatched traffic, including OSPF packets.

55
MCQhard

An engineer configures CoPP on a router that is a route reflector for iBGP. The policy includes a class-map matching BGP traffic and polices it to 500 pps. After deployment, some iBGP prefixes are missing from the route reflector's table, but the BGP sessions are up. Which is the most likely explanation?

A.CoPP drops BGP keepalive packets, causing the session to reset.
B.CoPP drops BGP update packets from specific clients due to rate limiting, so those prefixes are not learned.
C.The route reflector is configured to ignore certain prefixes.
D.CoPP only affects eBGP, not iBGP.
AnswerB

Update packets are larger and more frequent; they may exceed the police rate.

Why this answer

Route reflectors propagate BGP updates. If CoPP drops incoming BGP updates from a client, the route reflector may not have those prefixes. The session stays up because keepalives are not dropped, but updates are lost.

56
Multi-Selectmedium

Which TWO statements about Control Plane Policing (CoPP) are true? (Choose TWO.)

Select 2 answers
A.CoPP uses Modular QoS CLI (MQC) to define traffic classes and actions.
B.CoPP is applied directly to physical interfaces to protect the control plane.
C.CoPP can be used to rate-limit traffic destined to the CPU, such as routing protocol packets or management traffic.
D.CoPP operates at Layer 2 to filter Ethernet frames before they reach the CPU.
E.CoPP replaces the need for access control lists (ACLs) on the device.
AnswersA, C

CoPP relies on MQC with class maps to match traffic and policy maps to define policing actions.

Why this answer

CoPP applies a QoS service policy to the control plane to rate-limit traffic, protecting the CPU from excessive packets. It uses MQC (class maps and policy maps) to classify and police traffic. CoPP is not applied to interfaces directly; it is applied to the control plane.

It does not filter traffic at Layer 2; it works at Layer 3 and above. CoPP does not replace ACLs; it works alongside them.

57
MCQhard

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-IN
        Class-map: CoPP-SNMP (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group 130
          police:
              cir 32000 bps, bc 6000 bytes, be 6000 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            violated 0 packets, 0 bytes; actions:
              drop

    R1# show access-lists 130
    Extended IP access list 130
        10 permit udp any any eq snmp
        20 permit udp any any eq snmptrap

Based on this output, what is the most likely reason that no packets are matching the CoPP-SNMP class?

A.The access-list does not include the correct SNMP port numbers.
B.The SNMP traffic is being sent from the router itself, which is not processed through the input control plane policy.
C.The police rate is too low and is dropping all packets before counting.
D.The class-map is using 'match-all' instead of 'match-any'.
AnswerB

Traffic originated by the router (e.g., SNMP traps) is not subject to input CoPP.

Why this answer

The access-list 130 matches SNMP traffic (UDP ports 161 and 162). However, SNMP traffic to the router itself typically uses the control plane, but the access-list may not match if the traffic is sourced from the router (e.g., SNMP traps) or if the source/destination IPs are not 'any'. The most common issue is that the access-list does not specify the direction of traffic, but since it is applied to the control plane input, it should match incoming SNMP requests.

However, if the router is sending SNMP traps, those are output traffic. The problem could be that the access-list is not matching the actual SNMP traffic because the router's own SNMP agent traffic is not subject to CoPP. But the key clue is that the class is not matching any packets, indicating the access-list may not be correct for the traffic type.

58
MCQmedium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

    R1# show bgp neighbors 10.1.1.2 advertised-routes
    BGP table version is 10, local router ID is 10.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
         Network          Next Hop            Metric LocPrf Weight Path
     *>  10.2.2.0/24      0.0.0.0                  0         32768 i
    Total number of prefixes 1

What does this output indicate?

A.BGP is not advertising routes due to CoPP dropping update packets.
B.BGP is advertising routes correctly, and CoPP is not affecting outbound updates.
C.BGP is receiving routes but not advertising them due to CoPP.
D.BGP session is down due to CoPP.
AnswerB

The route is advertised with weight 32768, indicating local origin, and no errors are shown.

Why this answer

The command shows routes advertised to BGP neighbor 10.1.1.2. Only one prefix (10.2.2.0/24) is being advertised. This can be used to verify that CoPP is not preventing route advertisement, though the output does not show any errors.

59
MCQmedium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

    R1# show ip access-lists CoPP-ACL
    Extended IP access list CoPP-ACL
        10 permit tcp host 10.1.1.1 any eq bgp (100 matches)
        20 permit udp any any eq 67 (50 matches)
        30 permit icmp any any echo (200 matches)
        40 deny ip any any (500 matches)

What does this output indicate?

A.The ACL is blocking all BGP traffic from 10.1.1.1.
B.The ACL is permitting DHCP and ICMP echo traffic, but dropping all other traffic.
C.The ACL is applied to the control plane interface and is dropping all traffic.
D.The ACL has a misconfiguration because the deny statement should be at the top.
AnswerB

Lines 20 and 30 permit DHCP and ICMP echo, while line 40 denies everything else, which is typical for CoPP to protect the control plane.

Why this answer

The ACL shows traffic matching various protocols. The 'deny ip any any' at line 40 indicates that all unmatched traffic is being denied, which could be part of a CoPP policy to drop unwanted traffic to the control plane.

60
MCQmedium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

    R1# show ip ospf interface detail
    FastEthernet0/0 is up, line protocol is up
      Internet Address 10.1.1.1/24, Area 0.0.0.0, Attached via Network Statement
      Process ID 1, Router ID 10.1.1.1, Network Type BROADCAST, Cost: 1
      Topology-MTID    Cost    Disabled    Shutdown      Topology Name
            0           1         no          no            Base
      Transmit Delay is 1 sec, State DR, Priority 1
      Designated Router (ID) 10.1.1.1, Interface address 10.1.1.1
      Backup Designated router (ID) 10.1.1.2, Interface address 10.1.1.2
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        oob-resync timeout 40
        Hello due in 00:00:03
      Supports Link-local Signaling (LLS)
      Index 1/1, flood queue length 0
      Next 0x0(0)/0x0(0)
      Last flood scan length is 1, maximum is 25
      Last flood scan time is 0 msec, maximum is 4 msec
      Neighbor Count is 1, Adjacent neighbor count is 1
        Adjacent with neighbor 10.1.1.2 (Backup Designated Router)
      Suppress hello for 0 neighbor(s)

What does this output indicate?

A.OSPF is not forming adjacencies due to CoPP dropping Hello packets.
B.OSPF is operating normally with one neighbor, suggesting CoPP is not impacting OSPF.
C.OSPF is experiencing DR/BDR election issues due to CoPP.
D.OSPF is not receiving Hello packets due to CoPP.
AnswerB

The interface is up, timers are normal, and an adjacency exists.

Why this answer

The detailed OSPF interface output shows that FastEthernet0/0 is operational, with a neighbor count of 1 and an adjacent neighbor (10.1.1.2) as BDR. This indicates OSPF is functioning correctly, and CoPP is not blocking OSPF packets.

61
MCQmedium

Examine this CoPP configuration:

ip access-list extended PROTECT-ACL
 permit tcp any any eq 22
 permit tcp any any eq 23
 permit tcp any any eq 179
!
class-map match-all PROTECT-CLASS
 match access-group name PROTECT-ACL
!
policy-map PROTECT-POLICY
 class PROTECT-CLASS
  police 16000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PROTECT-POLICY

What will happen to SSH traffic that exceeds 16000 bps?

A.SSH traffic exceeding 16000 bps is dropped.
B.SSH traffic exceeding 16000 bps is still accepted because SSH is critical.
C.SSH traffic is not affected because the ACL uses 'permit' and the class-map uses 'match-all'.
D.SSH traffic exceeding 16000 bps is sent with a lower priority.
AnswerA

Correct. The exceed-action is drop, so any SSH traffic above the conform rate is dropped.

Why this answer

The policer for class PROTECT-CLASS drops packets that exceed the conform rate. SSH traffic is matched by the ACL and thus subject to the 16000 bps policer.

62
MCQhard

An engineer configures CoPP on a router with the following policy: class-map match-any PROTECT, match protocol ospf, police 1000 pps; class class-default, police 500 pps. After applying, OSPF neighbors form, but the router's CPU utilization remains high. Which is the most likely explanation?

A.The class-default police rate is too low, causing ARP packets to be dropped, but CPU is high due to the policing overhead.
B.OSPF traffic is being policed to 1000 pps, which is too high, causing CPU overload.
C.CoPP only works on hardware-switched platforms, not software.
D.The class-default should have a higher rate than the OSPF class.
AnswerA

Policing itself consumes CPU, and dropping packets may cause retries, increasing CPU.

Why this answer

The class-default police rate of 500 pps is lower than the OSPF class rate of 1000 pps. However, traffic not matching OSPF (e.g., ARP, ICMP) is limited to 500 pps. If such traffic exceeds 500 pps, it is dropped, but the CPU may still be high due to the policing process itself or because OSPF traffic is still allowed at 1000 pps.

The edge case is that the class-default rate may be too low, causing drops of essential traffic like ARP, but the CPU issue persists because the router is still processing the policed packets.

63
MCQhard

A large enterprise network is experiencing intermittent BGP session resets between R1 and R2. R1 has the following relevant configuration:

! R1
control-plane
 service-policy input CoPP
!
access-list 100 permit tcp any any eq bgp
class-map match-all BGP-CLASS
 match access-group 100
!
policy-map CoPP
 class BGP-CLASS
  police 8000 conform-action transmit exceed-action drop
 class class-default
  police 1000000 conform-action transmit exceed-action drop
!

R2 shows:

R2#show ip bgp summary
BGP router identifier 2.2.2.2, local AS number 65002
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4 65001   12345   12345        0    0    0 00:02:34        0

What is the root cause?

A.The BGP session is flapping because the CoPP policy drops BGP keepalive packets when the police rate is exceeded.
B.The access-list 100 is misconfigured; it should match TCP port 179 specifically.
C.The class-default police rate is too low, causing all traffic to be dropped, including BGP.
D.The CoPP policy should be applied to the control-plane input direction, but the service-policy is missing the 'control-plane' keyword.
AnswerA

BGP keepalives are small, but if the overall BGP traffic (including updates) exceeds 8000 bps, the policer drops packets, causing keepalive loss and hold timer expiry.

Why this answer

The CoPP policy is policing BGP traffic to 8000 bps. If the BGP session carries a full routing table, the update messages can exceed this rate, causing drops. The router drops packets, leading to BGP hold timer expiry and session resets.

The fix is to increase the police rate for BGP traffic or use a more specific match to avoid policing keepalives.

64
MCQmedium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

R1# show bgp neighbors 10.1.1.2 received-routes
BGP table version is 10, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.3.3.0/24      10.1.1.2                 0    100      0 i

Total number of prefixes 1

What does this output indicate?

A.BGP is not receiving any routes due to CoPP dropping updates.
B.BGP is receiving routes correctly, and CoPP is not interfering with inbound updates.
C.BGP is receiving routes but not installing them in the routing table due to CoPP.
D.BGP session is flapping due to CoPP.
AnswerB

The route is received from neighbor 10.1.1.2 with valid attributes.

Why this answer

The command shows routes received from BGP neighbor 10.1.1.2. One prefix (10.3.3.0/24) is being received. This indicates that BGP updates are being received, so CoPP is not blocking inbound BGP traffic.

65
MCQhard

An engineer configures CoPP on a router running EIGRP. The policy includes a class-map matching EIGRP traffic with a police rate of 1000 pps. After applying the policy, EIGRP neighbors form but occasionally go active and become stuck-in-active (SIA). Which is the most likely explanation?

A.EIGRP uses multicast, and CoPP cannot police multicast traffic.
B.The police rate in pps is too low, causing EIGRP reliable packets (queries/replies) to be dropped, leading to SIA.
C.CoPP only affects incoming traffic, but EIGRP SIA is caused by outgoing packet drops.
D.EIGRP uses TCP, and CoPP only polices UDP.
AnswerB

EIGRP's reliable transport requires all packets to be acknowledged; drops cause retransmissions and potential SIA.

Why this answer

EIGRP uses reliable transport for updates and queries. If CoPP drops EIGRP packets, queries may be lost, causing the neighbor to wait for a reply and eventually go SIA. The police rate may be too low for the query/reply traffic during convergence.

66
MCQeasy

Which of the following is NOT a valid match criterion for a class-map used in Control Plane Policing?

A.match access-group
B.match ip dscp
C.match protocol
D.match ip precedence
AnswerC

Correct. match protocol is not supported in CoPP; only ACLs, DSCP, or IP precedence are allowed.

Why this answer

CoPP supports match access-group (ACL), match ip dscp, and match ip precedence. match protocol is not supported in CoPP class-maps.

67
MCQhard

What is the default CoPP aggregate policer rate for control plane traffic on a Cisco IOS-XE device?

A.32000 bps
B.75000 bps
C.No default rate; CoPP is disabled by default
D.128000 bps
AnswerC

CoPP is not enabled by default on Cisco IOS-XE; the administrator must configure a policy-map and apply it to the control plane.

Why this answer

Cisco IOS-XE does not have a default CoPP aggregate policer rate; CoPP is not enabled by default and must be manually configured with a policy-map and class-map.

68
MCQmedium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

R1# show policy-map control-plane input class class-default
 Class-map: class-default (match-any)
  0 packets, 0 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: any
  police:
      cir 1000000 bps, bc 31250 bytes, be 31250 bytes
    conformed 0 packets, 0 bytes; actions:
      transmit
    violated 0 packets, 0 bytes; actions:
      drop
    conformed 0 bps, exceed 0 bps, violated 0 bps

What does this output indicate?

A.The CoPP policy is dropping all traffic due to a misconfigured CIR.
B.The CoPP policy is not matching any traffic, indicating a possible ACL or class-map misconfiguration.
C.The CoPP policy is working correctly and policing traffic at 1 Mbps.
D.The CoPP policy is only applied to the output direction.
AnswerB

The class-default matches all traffic, but zero packets have been seen, suggesting the policy may not be applied correctly or the interface is idle.

Why this answer

The command shows the CoPP policy applied to the control plane input for the default class. This class polices control plane traffic at a rate of 1 Mbps, with conforming traffic transmitted and violating traffic dropped. The counters show that no traffic has matched this class.
