Control-Plane Protection (CPPr) VS Control-Plane Policing (CoPP)

#To see the open ports on Control plane 

show control-plane host open-ports

Control plane Duties :
1.Packets are not CEF switched, meaning the CPU has to take some time handle these packets.
2.Maintains keep-alives for routing adjacencies.
3.Handle traffic directed at the device itself. (SNMP/SSH, management traffic.)

Control-Plane Protection (CPPr) VS Control-Plane Policing (CoPP).
[A].CPPR : Allows to control the individual control-plane sub-interfaces directly.
   1.Host : Handles traffic destined for the router or its own interfaces. IE: EIGRP iBGP
   2.Transit : Handles software switched IP traffic. Ex :ICMP unreachable/redirects .
   3.CEF-Exception : Handles non-IP related packets such as ARP, LDP, Layer 2 keepalives along with some routing protocol traffic. (OSPF eBGP)

Sample Configurations Of a CPPr Policy-Map.Protect Router in the Control plane subinterfaces
show control-plane host open-ports

Procedure : ACLs->Class-Maps ->Policy Maps-> Policy Assignment for the three subinterfaces.

1.Create a few ACL’s called “Mgmt_Stuff” and “Route_Proto” to match our traffic.
ip access-list extended Mgmt_Stuff
permit udp any any eq snmp
permit tcp any any eq 22
ip access-list extended Route_Proto
permit ospf any any
permit tcp any any eq bgp
permit tcp any eq bgp any

2.Lets put those ACLs inside a few Class-Maps called “CM_Mgmt” and “CM_Route_Prot
class-map match-all CM_Mgmt
match access-group name Mgmt_Stuff
class-map match-all CM_Route_Prot
match access-group name Route_Proto

3.Include the Class-Maps within Policy-Maps called “PM_Mgmt” and “CM_Mgmt” define our actions.
policy-map PM_Mgmt
class CM_Mgmt
police 10000 2000 conform-action transmit exceed-action drop violate-action drop
policy-map PM_Route_Prot
class CM_Route_Prot
police 8000 2000 conform-action transmit exceed-action transmit violate-action transmit

4.We apply a service-policy refering the Policy map.
control-plane host #Apply for Host Sub interface .
service-policy input PM_Mgmt
control-plane cef-exception #Apply for “CEF-Exception” subinterface.
service-policy input PM_Route_Port

show policy-map control-plane

[B] CoPP : Controls/limits access to the entire control-plane via below subinterfaces acting as a MUX.
Sample Configuration of a CoPP Policy Map.Protect Router in a level above the Control plane subinterfaces.
Procedure : Policy Map + Class Map -> Policy Assignment .

1. Combine our two separate policy-maps earlier .
policy-map Copp_Agg
class CM_Mgmt
police 10000 2000 conform-action transmit exceed-action drop violate-action drop
class CM_Route_Prot
police 8000 2000 conform-action transmit exceed-action transmit violate-action transmit

2.Apply the Policy-Map to aggregate control-plane.
conf t
service-policy input copp_Agg

show policy-map control-plane
show control-plane host open-ports


Delay and litter-sensitive traffic still suffers, even when enough bandwidth has been reserved by CBWFQ, because the scheduler can serve other queues when a VoIP or video packet is waiting in a queue.
it is not advised for Voice and Video traffic.CBWFQ will be used with Low Latency Queuing (LLQ) to deploy voice and video traffic to give strict priorities.

LLQ is adding Priority Queueing to the CBWFQ. The Priority Queue is used only for Voice / Video or mission critical traffic, without having the Queue Starvation for other Queues.

In the Software Queue there is a WFQ Scheduler, and you define the traffic classes using the class-maps where each traffic class (Queue) will get its minimum guaranteed bandwidth.
However within each of this Queue the packets are forwarded using the FIFO approach. Bandwidth can be configured as below .
1. In Kbps
2. Percentage of Bandwidth
3. Percentage of remaining Bandwidth.

If a packet does not match any of the configured classification, the packet is placed into the class-default queue.
Enabling CBWFQ on a physical interface overrides the default interface queueing method. Enabling CBWFQ on an ATM PVC does not override the default queueing method.
CBWFQ is not supported on subinterfaces.

The below setting is optional .We do not need to set the quesue size.Default is fine.
Router(config-pmap-c)# queue-limit 30

Read more about traffic Shaping (References)



About Cisco Network Engineer

A Network Engineer battling with technology every moment.
This entry was posted in Routing. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s