CoPP - Best practices and operation

Control Plane Policing (CoPP) is a feature that applies filtering and rate limiting of control plane traffic on a Cisco device.

CoPP is used to protect devices from intentional attacks such as Denial of Service (DoS) attacks, from misconfigurations that may cause excessive control plane traffic, or from unpredictable increases in traffic on the control plane. If CoPP is not configured, any of these situations may result in a network device becoming overwhelmed and non-functional. For this reason, CoPP should always be deployed on production network devices.

Yes, all network protocols can be potential attack vectors in a DoS attack. This can include routing protocols such as OSPF, EIGRP, and BGP, as well as others including ICMP, ARP, and even Telnet and SSH. However the effectiveness of an attack leveraging these protocols depends on the target system itself and its vulnerabilities. It also depends upon the scale of deployment of a particular protocol in a particular network. Some protocols are more frequently used or can be more effective in DoS attacks due to their inherent characteristics or widespread deployment.

CoPP should be applied to protect a device from attacks or malfunctions that may occur using protocols that may or may not be in use on the device itself. Remember that any packet that is destined to a network device, regardless of the upper layer protocol, will still need to be processed. For example, if a switch that’s not running BGP receives a BGP message destined for itself, it must still receive it, decapsulate it, and discover that it is a BGP message to discard it. This still takes some processing power… potentially less than if the device was running BGP, but still, packets must be processed. So you should take that into consideration as well.