Notes - CoPP (IOS-XE)

Control plane policing (CoPP) is essentially just the ability to apply a policy-map to the router’s CPU. The idea is that control plane and management plane traffic are processed in the CPU, so overwhemling the router with control/mgmt plane traffic can be a form of DoS attack. To protect against this, we can limit this traffic using MQC style QoS policies that are applied to the CPU itself.

For example, the following config limits control plane protocols to 20 pps, Telnet to 10 pss and ICMP to 5 pps.

ip access-list ext ROUTING-PROTOCOLS-ACL
 permit tcp any any eq 179
 permit tcp any eq 179 any
 permit ospf any any
!
class-map ROUTING-PROTOCOLS-CM
 match access-group name ROUTING-PROTOCOLS-ACL
!
!
ip access-list ext MGMT-PROTOCOLS-ACL
 permit tcp any any eq 23
 permit tcp any eq 23 any
!
class-map MGMT-PROTOCOLS-CM
 match access-group name MGMT-PROTOCOLS-ACL
!
!
ip access-list ext ICMP-ACL
 permit icmp any any
!
class-map ICMP-CM
 match access-group name ICMP-ACL
!
!
policy-map COPP
 class ROUTING-PROTOCOLS-CM
  police rate 20 pps
 class MGMT-PROTOCOLS-CM
  police rate 10 pps
 class ICMP-CM
  police rate 5 pps
!
control-plane
 service-policy input COPP

The policy-map counters can be verified as follows:

We can see that ICMP is rate limited to 5 pps. The burst value is 1 which seems to explain why only one ping gets through per second:

In summary, CoPP is simply the practice of applying QoS policing to the CPU, as if the CPU was a virtual interface.

CoPP vs. MPP

With MPP there is more risk, since you can lock yourself out of an interface or protocol entirely.

With CoPP, it seems safer because you can let packets hit the class-default and permit. You also have more granular control in terms of source IP and rate limiting instead of completely dropping. But you have to be careful with CoPP because it impacts routing protocol traffic, while MPP does not.