CoPP (Control Plane Policing)

On our routers (or multilayer switches) we can use access-lists or firewalls (CBAC or zone-based) to permit/deny packets that go through or to the router.

We can also use policing to rate limit traffic that goes through our router.

What if we want to police traffic that is destined to the router itself? There are quite a few protocols that produce packets that the router has to process:

- Routing protocols like OSPF, EIGRP, or BGP.
- Gateway redundancy protocols like HSRP, VRRP, or GLBP.
- Network management protocols like telnet, SSH, SNMP, or RADIUS.
- Packets that CEF can't forward.

The route processor inspects packets that these protocols generate on the control plane. When
the route processor receives too many packets, it’s possible that it can’t keep up and drops
packets.

When this happens, you’ll see things like flapping neighbor adjacencies or timeouts when
you try to connect with telnet/SSH to the router.

To prevent this from happening, we have a couple of options:

- rACLs (Receive Access Control Lists): these are standard or extended ACLs that control traffic sent by line cards to the route processor. You only see this feature on high-end routers like the Cisco 12000 series.
- Control Plane Policing (CoPP): allows you to use the MQC (Modular Quality of Service) framework to permit/deny or rate-limit traffic that goes to the route processor.
- Control Plane Protection (CPPr): this is an extension of CoPP. One of the things it does is separate the route processor into three sub-interfaces:
  o host
  o transit
  o CEF exception

In this lesson, we’ll take a look at CoPP (Control Plane Policing).

Configuration

To demonstrate CoPP, I use the following topology:

Here's what we have:

- R1 and R2 run OSPF and HSRP.
- R1 is configured for remote access through telnet.
- H1 is a host that generates ICMP and telnet traffic to test CoPP on R1.

Want to take a look for yourself? Here you will find the startup configuration of each device.

Control plane policing uses the MQC, so that means we have to use class-maps and a policy-map. In your class-maps, it's best to match traffic on:

- standard or extended access-lists
- DSCP or IP precedence values.

NBAR classification is not supported on all platforms and/or IOS versions. The only exception to this rule is match protocol arp.

Let’s create some access-lists that match traffic on the control plane that we can use in our
class-maps:

R1(config)#ip access-list extended ICMP
R1(config-ext-nacl)#permit icmp any any
R1(config)#ip access-list extended TELNET
R1(config-ext-nacl)#permit tcp any any eq 23
R1(config)#ip access-list extended OSPF
R1(config-ext-nacl)#permit ospf any any
R1(config)#ip access-list extended HSRP
R1(config-ext-nacl)#permit udp any host 224.0.0.102 eq 1985

Let’s create class-maps that match the access-lists:

R1(config)#class-map ICMP
R1(config-cmap)#match access-group name ICMP
R1(config)#class-map TELNET
R1(config-cmap)#match access-group name TELNET
R1(config)#class-map OSPF
R1(config-cmap)#match access-group name OSPF
R1(config)#class-map HSRP
R1(config-cmap)#match access-group name HSRP

Now I can create a policy-map:

R1(config)#policy-map COPP
R1(config-pmap)#class ICMP
R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
R1(config-pmap-c)#exit
R1(config-pmap)#class TELNET
R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
R1(config-pmap-c)#exit
R1(config-pmap)#class OSPF
R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
R1(config-pmap-c)#exit
R1(config-pmap)#class HSRP
R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
R1(config-pmap-c)#exit

In the policy-map, I add policers for 8000 bps, and the conform-action and exceed-action are both set to transmit. These policers will never drop anything, but there is a good reason I configure it like this.

When you configure CoPP for the first time, you don't know how many packets you receive for each protocol. There is a risk that you deny legitimate traffic. It's best to permit everything first. Once you know how many packets are exceeding, change the values and set the exceed action to drop.
We need to attach this policy-map to the control plane. We do this with the following
command:

R1(config)#control-plane
R1(config-cp)#?
Control Plane configuration commands:
exit Exit from control-plane configuration mode
no Negate or set default values of a command
service-policy Configure QOS Service Policy

When you choose the service-policy command, you have a couple of options:

R1(config-cp)#service-policy ?
input Assign policy-map to the input of an interface
output Assign policy-map to the output of an interface
type type of the policy-map

You can enable the policy-map in- or outbound. Type can be used if you want to log
incoming packets.

I want to police incoming traffic destined to the router so let’s select the input option:

R1(config-cp)#service-policy input COPP

Once you do this, you’ll see that the feature is enabled:

R1#
%CP-5-FEATURE: Control-plane Policing feature enabled on Control plane aggregate path

Ok nice, now what? Let’s figure out if our policy-map is working or not. I’ll generate some
traffic from H1. Let’s send some pings and try telnet:

H1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/10 ms
H1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

Let’s take a look at R1:

R1#show policy-map control-plane
Control Plane

Service-policy input: COPP

  Class-map: ICMP (match-all)
    5 packets, 570 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: access-group name ICMP
    police:
        cir 8000 bps, bc 1500 bytes
      conformed 5 packets, 570 bytes; actions:
        transmit
      exceeded 0 packets, 0 bytes; actions:
        transmit
      conformed 0000 bps, exceeded 0000 bps

  Class-map: TELNET (match-all)
    17 packets, 1026 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: access-group name TELNET
    police:
        cir 8000 bps, bc 1500 bytes
      conformed 17 packets, 1026 bytes; actions:
        transmit
      exceeded 0 packets, 0 bytes; actions:
        transmit
      conformed 0000 bps, exceeded 0000 bps

  Class-map: OSPF (match-all)
    25 packets, 2318 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: access-group name OSPF
    police:
        cir 8000 bps, bc 1500 bytes
      conformed 25 packets, 2318 bytes; actions:
        transmit
      exceeded 0 packets, 0 bytes; actions:
        transmit
      conformed 0000 bps, exceeded 0000 bps

  Class-map: HSRP (match-all)
    56 packets, 5094 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: access-group name HSRP
    police:
        cir 8000 bps, bc 1500 bytes
      conformed 56 packets, 5094 bytes; actions:
        transmit
      exceeded 0 packets, 0 bytes; actions:
        transmit
      conformed 0000 bps, exceeded 0000 bps

  Class-map: class-default (match-any)
    6 packets, 1544 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: any

The output above is looking good; we see some matches in every class-map that we
configured and all traffic is conformed. In my lab, there isn’t much traffic.

In a production network, you might want to run it like this for a few days to see how much of
your traffic is conformed or exceeded.
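When you let the permissive policy run for a few days, the counters in show policy-map control-plane are what tell you which classes exceed and whether the exceed action is still transmit. Below is a small parser for that output, added here as an example and not part of the original lesson; the sample text is constructed to mirror the format shown above.

```python
import re

# Constructed sample in the format of 'show policy-map control-plane'
# (added example; not captured from the lesson's router).
SAMPLE = """\
Control Plane
  Service-policy input: COPP
    Class-map: ICMP (match-all)
      55 packets, 6270 bytes
      Match: access-group name ICMP
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 52 packets, 5928 bytes; actions:
          transmit
        exceeded 3 packets, 342 bytes; actions:
          drop
        conformed 1000 bps, exceeded 0000 bps
    Class-map: OSPF (match-all)
      25 packets, 2318 bytes
      Match: access-group name OSPF
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 25 packets, 2318 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        conformed 0000 bps, exceeded 0000 bps
"""

CLASS_RE = re.compile(r"Class-map: (\S+) \(match-\w+\)")
COUNT_RE = re.compile(r"(conformed|exceeded) (\d+) packets, (\d+) bytes; actions:")
ACTION_RE = re.compile(r"^\s+(transmit|drop)\s*$")

def parse_copp(text):
    """Return {class: {'conformed'|'exceeded': (packets, bytes, action)}}."""
    classes, current, pending = {}, None, None
    for line in text.splitlines():
        if m := CLASS_RE.search(line):
            current = classes.setdefault(m.group(1), {})
        elif m := COUNT_RE.search(line):
            pending = (m.group(1), int(m.group(2)), int(m.group(3)))  # wait for the action line
        elif current is not None and pending and (m := ACTION_RE.match(line)):
            kind, pkts, nbytes = pending
            current[kind] = (pkts, nbytes, m.group(1))
            pending = None
    return classes

def classes_exceeding(classes):
    """Classes with a non-zero exceed counter, with the action that was applied."""
    return {name: c["exceeded"] for name, c in classes.items()
            if "exceeded" in c and c["exceeded"][0] > 0}
```

A class that keeps exceeding with action transmit is the one whose rate needs raising before you switch it to drop.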

What about the class-default class-map? This includes all layer two protocols. The only
layer two protocol you can assign to a different class-map is ARP. Everything else is assigned
to class-default.

Our policy-map is up and running, but even exceeding traffic is permitted. Let's change the exceed action for the ICMP class-map to drop:

R1(config)#policy-map COPP
R1(config-pmap)#class ICMP
R1(config-pmap-c)#police cir 8000 conform-action transmit exceed-action drop

The police rate is only 8000 bps, so even some simple pings will be rate limited. Let's generate some traffic from H1:

H1#ping 192.168.1.1 repeat 50
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!
Success rate is 94 percent (47/50), round-trip min/avg/max = 2/4/13 ms

Let’s take another look at the policy-map:

R1#show policy-map control-plane input class ICMP
Control Plane

Service-policy input: COPP

  Class-map: ICMP (match-all)
    55 packets, 6270 bytes
    5 minute offered rate 1000 bps, drop rate 0000 bps
    Match: access-group name ICMP
    police:
        cir 8000 bps, bc 1500 bytes
      conformed 52 packets, 5928 bytes; actions:
        transmit
      exceeded 3 packets, 342 bytes; actions:
        drop
      conformed 1000 bps, exceeded 0000 bps

Above we can see that three packets exceeded and got dropped. You have now seen
everything you need to create control plane policing policy-maps for your routers.
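To see why exactly three of the fifty pings were dropped, here is a small token-bucket model of the policer, added as an example and not part of the original lesson. It assumes a single-bucket policer that refills at cir/8 bytes per second and is capped at bc bytes, 114-byte echos (5928 bytes / 52 packets in the output above), a 4 ms reply time, and that H1 waits the full 2 s timeout after a lost echo.

```python
class Policer:
    """Simplified single-rate policer: a packet conforms if the bucket holds
    at least its size in bytes. (Assumed model, added example.)"""

    def __init__(self, cir_bps, bc_bytes):
        self.rate = cir_bps / 8        # refill rate in bytes per second
        self.bc = bc_bytes             # bucket depth (bc 1500 bytes above)
        self.tokens = float(bc_bytes)  # bucket starts full
        self.last = 0.0
        self.conformed = 0
        self.exceeded = 0

    def offer(self, size, now):
        # Refill for the time elapsed since the last packet, never above bc.
        self.tokens = min(self.bc, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            self.conformed += 1
            return True                # conform-action transmit
        self.exceeded += 1
        return False                   # exceed-action drop


def run_ping(count=50, size=114, rtt=0.004, timeout=2.0, cir=8000, bc=1500):
    """Return (IOS-style '!'/'.' string, conformed, exceeded) for `count` echos.
    Assumes H1 sends the next echo right after a reply and waits `timeout`
    seconds after a lost one, as IOS ping does."""
    policer = Policer(cir, bc)
    now, result = 0.0, []
    for _ in range(count):
        if policer.offer(size, now):
            result.append("!")
            now += rtt                 # reply received, next echo goes out
        else:
            result.append(".")
            now += timeout             # no reply: H1 waits the 2 s timeout
    return "".join(result), policer.conformed, policer.exceeded


if __name__ == "__main__":
    pattern, ok, dropped = run_ping()
    print(pattern)
    print(f"Success rate is {ok * 100 // 50} percent ({ok}/50), exceeded {dropped}")
```

The bucket holds 13 echos (13 x 114 = 1482 bytes), the 14th is dropped, and the 2 s timeout that follows refills the bucket, which gives the 13-then-drop pattern in the ping output above.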

Want to take a look for yourself? Here you will find the configuration of each device.

Conclusion
You have now learned how to use CoPP (Control Plane Policing) to rate limit packets to and
from the route processor on the control plane.

- For classification, use:
  o standard or extended access-lists
  o DSCP or IP precedence values
  o Don't use NBAR except to match ARP packets.
- It's best to set the conform-action and exceed-action both to transmit first, so you don't drop legitimate traffic. Once you know how many packets are exceeding, change the values and set the exceed action to drop.

I hope you enjoyed this lesson. If you have any questions feel free to leave a comment!
