The router's CPU handles routing protocols (BGP, OSPF), management traffic (SSH), and TTL-expired messages. Attackers flood these protocols to exhaust the CPU, causing the router to drop from the network. Control Plane Policing (CoPP) rate-limits traffic destined for the router itself.
CoPP divides traffic into classes: Critical (BGP, OSPF), Important (SSH, SNMP), Normal (ICMP echo), and Undesirable (malformed packets). Each class is assigned a specific policer to ensure critical routing updates are never dropped during an attack.
💡 Pro-tip: Never apply a blanket rate limit to all control plane traffic. If you limit BGP keepalives too aggressively, your BGP sessions will flap, causing massive routing instability across the internet.
This command binds the QoS policy directly to the router's virtual Control Plane interface, filtering packets before they ever consume CPU cycles.
Management Plane Protection (MPP) takes CoPP further by restricting management protocols (SSH, HTTPS) to specific physical interfaces. This ensures that even if an attacker is on the data plane, they cannot attempt to brute-force the router's management interface.
⚠️ Misconfiguring CoPP is the #1 cause of self-inflicted router outages. Always test policies in a lab and monitor CPU drops via `show policy-map control-plane` before deploying to production cores.
| Traffic Class | Example | Action |
|---|---|---|
| Critical | OSPF, BGP | Rate limit high, guarantee delivery |
| Important | SSH, HTTPS | Rate limit moderate |
| Undesirable | IP Options, Fragments | Drop aggressively |
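
The per-class policers, the control-plane binding and the MPP restriction described above, sketched as a Cisco IOS configuration. This is an added example, not configuration from the original page; the ACL, class and policy names, the management interface and every rate are assumptions to be replaced with values baselined on your own platform.

```cisco
! Added example: names, interface and rates (bps) are assumptions.
ip access-list extended COPP-UNDESIRABLE
 permit ip any any fragments
 permit ip any any option any-options
ip access-list extended COPP-CRITICAL
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
ip access-list extended COPP-IMPORTANT
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit udp any any eq snmp
ip access-list extended COPP-NORMAL
 permit icmp any any echo
!
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
class-map match-all COPP-CRITICAL
 match access-group name COPP-CRITICAL
class-map match-all COPP-IMPORTANT
 match access-group name COPP-IMPORTANT
class-map match-all COPP-NORMAL
 match access-group name COPP-NORMAL
!
! Classes are evaluated top-down; the first match decides the policer.
policy-map COPP-POLICY
 class COPP-UNDESIRABLE
  ! Drop regardless of rate.
  police 8000 conform-action drop exceed-action drop
 class COPP-CRITICAL
  ! Counted but never dropped, so BGP/OSPF sessions do not flap.
  police 512000 conform-action transmit exceed-action transmit
 class COPP-IMPORTANT
  police 128000 conform-action transmit exceed-action drop
 class COPP-NORMAL
  police 64000 conform-action transmit exceed-action drop
 class class-default
  ! Everything unclassified gets its own limit, not a share of the above.
  police 64000 conform-action transmit exceed-action drop
!
! Bind the policy to the control-plane virtual interface.
control-plane
 service-policy input COPP-POLICY
!
! MPP: accept SSH/HTTPS only on the designated management interface.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh https
```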