
[Control Plane Policing (CoPP)](/control-plane-policing-copp) is a feature that applies filtering and rate limiting of [control plane](/network-control-plane) traffic on a Cisco device.  

CoPP is used to protect devices from intentional attacks such as Denial of Service (DoS) attacks, from misconfigurations that may cause excessive control plane traffic, or from unpredictable increases in traffic on the control plane.  If CoPP is not configured, any of these situations may result in a network device becoming overwhelmed and non-functional.  For this reason, CoPP should always be deployed on production network devices.

Yes, all network protocols can be potential attack vectors in a DoS attack.  This can include [routing](/routing) protocols such as [OSPF](/ospf), [EIGRP](/eigrp), and [BGP](/bgp), as well as others including [ICMP](/icmp), [ARP](/arp), and even [Telnet](/telnet) and [SSH](/ssh).  However the effectiveness of an attack leveraging these protocols depends on the target system itself and its vulnerabilities. It also depends upon the scale of deployment of a particular protocol in a particular network. Some protocols are more frequently used or can be more effective in DoS attacks due to their inherent characteristics or widespread deployment.

CoPP should be applied to protect a device from attacks or malfunctions that may occur **using protocols that may or may not be in use on the device itself**.  Remember that any packet that is destined to a network device, regardless of the [upper layer protocol](/osi-model), will still need to be processed. For example, if a switch that’s not running BGP receives a BGP message destined for itself, it must still receive it, decapsulate it, and discover that it is a BGP message to discard it. This still takes some processing power… potentially less than if the device was running BGP, but still, packets must be processed. So you should take that into consideration as well.

Links:

https://networklessons.com/cisco/ccie-routing-switching-written/copp-control-plane-policing

https://forum.networklessons.com/t/copp-control-plane-policing/4602/48?u=lagapidis

CoPP - Best practices and operation

Certificate Authority Structure

Certification Cisco exam topics blueprint

Certifications - Continuing Education Credits

Certifications - online remote proctored exams

Cisco ASA Active-Active

Cisco ASA Active-Standby failover preemption

Cisco ASA Active-Standby

Cisco ASA HTTPS server

Cisco ASA show listening ports

Cisco Anyconnect SSL WebVPN

Cisco CCDE practice lab example

Cisco CCDE technology

Cisco CCDE

Cisco Context-Based Access Control (CBAC)

Cisco Discovery Protocol (CDP)

Cisco Feature Navigator

Cisco IOS Auth Manager

Cisco IOS Firewall feature set

Cisco IOS Order of Operation

Cisco IOS show listening ports

Cisco IOS test aaa command

Cisco Identity Services Engine (ISE)

Cisco Network Data Platform (NDP)

Cisco Pagent Router

Cisco QoS HCF shaper and bandwidth inheritance

Cisco Quantum Flow Processor

Cisco SD-Access home lab

Cisco SD-WAN IPSec encapsulation on tunnel interface of vBond

Cisco SD-WAN Troubleshooting

Cisco SD-WAN backup vManage NMS configuration database

Cisco SD-WAN controller troubleshooting

Cisco SD-WAN export configs and files

Cisco SD-WAN export with python

Cisco SD-WAN lab options

Cisco SD-WAN rebranding

Cisco SD-WAN request upload

Cisco SD-WAN save command

Cisco SD-WAN scp command

Cisco SD-WAN vEdge Troubleshooting

Cisco SD-WAN vManage tail log

Cisco SD-WAN verify connectivity in Service VPN

Cisco SD-WAN viptela overlay network bringup

Cisco's various lines of network switches

Classification and Marking of softphone applications

Cloud Service Model - Middleware

Cloud Service Model - Runtime

Cloud Service Models

Cloud service models - IaaS

Cloud service models - SaaS

Configuration Register

Control Plane Policing (CoPP)

Control Plane Protection

DHCP - Broadcast flag

DHCP - Cisco Client ID format

DHCP - Client ID

DHCP - DHCPv6 and the default gateway

DHCP - Message Types

DHCP - Static binding use cases

DHCP - Using the MAC as the client ID on a Cisco device

DHCP Auto Image Update support

DHCP DORA process

DHCP Request message sent as broadcast

DHCP Snooping on a multi-switch topology

DHCP client options on Cisco IOS

DHCP decline message

DHCP excluding address on a Cisco IOS DHCP server

DHCP multiple IP helper-addresses

DHCP multiple servers on the same subnet

DHCP offer message sent as broadcast

DHCP option 82

DHCP relay agent

DHCP relay support for MPLS VPN

DHCP renewal rebinding

DHCP snooping rate limiting best practice

DHCP trusted and untrusted ports

DHCP

DHCPv6 - determining the IPv6 prefix assigned to an interface

DHCPv6 lease times on a Cisco IOS device

DHCPv6 relay agent

DMVPN - IPsec encryption order of operations

DMVPN - NHRP purge request

DMVPN - NHRP session attributes

DMVPN - OSPF and multiple areas

DMVPN - Phase 2 BGP peerings

DMVPN - Phase 2 EIGRP neighbor adjacencies

DMVPN - Phase 2 OSPF neighbor adjacencies

DMVPN - Phase 2 and multicast traffic

DMVPN - Phase 2 and summarization

DMVPN - Using the GRE tunnel key

DMVPN - What is the best routing protocol to use

DMVPN - mappings on hub and spokes

DMVPN - multicast commands

DMVPN - nhrp map and nhs command syntax

DMVPN - spoke redundancy

DMVPN - using a default route

DMVPN State of a tunnel

DMVPN dual hub dual cloud

DMVPN dual hub single cloud

DMVPN hierarchical topology