Information About Control Plane Policing; Benefits Of Control Plane Policing; Control Plane Terms To Understand; Control Plane Policing Overview - Cisco ASR 920 Series Configuration Manual

Policing and shaping configuration guide

Information About Control Plane Policing

MQC Restrictions
The Control Plane Policing feature requires the Modular QoS CLI (MQC) to configure packet classification
and traffic policing. All restrictions that apply when you use the MQC to configure traffic policing also apply
when you configure control plane policing. Only one MQC command is supported in policy maps—police.
Match Criteria Support
Only extended IP access control list (ACL) classification (match) criteria are supported.

Benefits of Control Plane Policing

Configuring the Control Plane Policing feature on your Cisco router or switch provides the following benefits:
• Protection against DoS attacks at infrastructure routers and switches
• QoS control for packets that are destined to the control plane of Cisco routers or switches
• Ease of configuration for control plane policies
• Better platform reliability and availability

Control Plane Terms to Understand

On the router, the following terms are used for the Control Plane Policing feature:
• Control plane—A collection of processes that run at the process level on the Route Processor (RP).
These processes collectively provide high-level control for most Cisco IOS XE functions. The traffic
sent to or sent by the control plane is called control traffic.
• Forwarding plane—A device that is responsible for high-speed forwarding of IP packets. Its logic is
kept simple so that it can be implemented by hardware to do fast packet-forwarding. It punts packets
that require complex processing (for example, packets with IP options) to the RP for the control plane
to process them.

Control Plane Policing Overview

To protect the control plane on a router from DoS attacks and to provide fine-control over the traffic to the
control plane, the Control Plane Policing feature treats the control plane as a separate entity with its own
interface for ingress (input) and egress (output) traffic. This interface is called the punt/inject interface, and
it is similar to a physical interface on the router. Along this interface, packets are punted from the forwarding
plane to the RP (in the input direction) and injected from the RP to the forwarding plane (in the output direction).
A set of quality of service (QoS) rules can be applied on this interface (in the input direction) in order to
achieve CoPP.
These QoS rules are applied only after the packet has been determined to have the control plane as its
destination. You can configure a service policy (QoS policy map) to prevent unwanted packets from progressing
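
The following configuration is an added example, not taken from the Cisco guide. It assembles the pieces described above: extended IP ACLs for classification, police as the only policy-map action, and a service policy attached to the control plane in the input direction. The ACL, class and policy names, the 192.0.2.0/24 management prefix and the police rates are assumptions; confirm the rates against the values the platform supports.

```cisco
! Constructed example. Names, addresses and rates are assumptions.
! 192.0.2.0/24 stands in for the management network.
!
! 1. Classification: extended IP ACLs are the only supported match criteria.
ip access-list extended COPP-MGMT-ACL
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
ip access-list extended COPP-ICMP-ACL
 permit icmp any any
!
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT-ACL
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP-ACL
!
! 2. Action: police is the only MQC command supported in the policy map.
!    Rates are in bits per second; packets over the rate are dropped
!    before they reach the RP.
policy-map COPP-INPUT
 class COPP-MGMT
  police 512000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 64000 conform-action transmit exceed-action drop
!
! 3. Attachment: the policy goes on the control plane (punt/inject
!    interface) in the input direction, so it only sees punted packets.
control-plane
 service-policy input COPP-INPUT
```

After the policy is attached, `show policy-map control-plane` reports the conform and exceed counters for each class, which is the quickest check that the ACLs are matching the intended punted traffic.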