<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: CoPP Port-Filtering (Cppr) Causing DHCP Failure on Outside Interfa in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/copp-port-filtering-cppr-causing-dhcp-failure-on-outside/m-p/5347004#M1123520</link>
    <description>&lt;P&gt;I would suggest using an ACL to allow the DHCP traffic to the router control plane.&lt;/P&gt;
&lt;P&gt;1. Create an ACL that will match DHCP traffic.&lt;/P&gt;
&lt;P&gt;2. Create a new class-map that will match the ACL.&lt;/P&gt;
&lt;P&gt;3. Reference this class-map under the existing policy-map and set the action to pass.&lt;/P&gt;
&lt;P&gt;4. Apply the updated policy-map to the control plane.&lt;/P&gt;
&lt;P&gt;Good luck!&lt;/P&gt;</description>
    <pubDate>Thu, 13 Nov 2025 23:02:19 GMT</pubDate>
    <dc:creator>Ben Weber</dc:creator>
    <dc:date>2025-11-13T23:02:19Z</dc:date>
    <item>
      <title>CoPP Port-Filtering (Cppr) Causing DHCP Failure on Outside Interface</title>
      <link>https://community.cisco.com/t5/network-security/copp-port-filtering-cppr-causing-dhcp-failure-on-outside/m-p/5346982#M1123519</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I have configured the Control Plane CoPP Port-Filtering (Cppr) feature on a Cisco ISR 890 Series Router running IOS 15.8(3)M9 to stop the router from responding with &lt;STRONG&gt;closed&lt;/STRONG&gt; status on all closed or non-existent TCP/UDP ports.&lt;/P&gt;&lt;P&gt;Here is the configuration I applied:&lt;/P&gt;&lt;PRE&gt;class-map type port-filter match-any closed
match closed-ports

policy-map type port-filter closed
class closed
drop

control-plane host
service-policy type port-filter input closed&lt;/PRE&gt;&lt;P&gt;After applying this configuration, the router’s outside interface, which is configured with ip address dhcp, stopped receiving an IP address from the DHCP server. It seems this port-filtering setup is interfering with DHCP communication (UDP ports 67 and 68).&lt;/P&gt;&lt;P&gt;My questions are:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;&lt;P&gt;Is there a way to exclude specific ports (like UDP 67/68) from this port-filtering configuration?&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;If not, is there a workaround to allow the interface to obtain a DHCP IP address while still preventing the router from responding on all other closed/non-existent ports?&lt;/P&gt;&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;Any guidance or configuration examples would be greatly appreciated.&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Thu, 13 Nov 2025 21:16:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/copp-port-filtering-cppr-causing-dhcp-failure-on-outside/m-p/5346982#M1123519</guid>
      <dc:creator>mustafa.chapal</dc:creator>
      <dc:date>2025-11-13T21:16:10Z</dc:date>
    </item>
    <item>
      <title>Re: CoPP Port-Filtering (Cppr) Causing DHCP Failure on Outside Interfa</title>
      <link>https://community.cisco.com/t5/network-security/copp-port-filtering-cppr-causing-dhcp-failure-on-outside/m-p/5347004#M1123520</link>
      <description>&lt;P&gt;I would suggest using an ACL to allow the DHCP traffic to the router control plane.&lt;/P&gt;
&lt;P&gt;1. Create an ACL that will match DHCP traffic.&lt;/P&gt;
&lt;P&gt;2. Create a new class-map that will match the ACL.&lt;/P&gt;
&lt;P&gt;3. Reference this class-map under the existing policy-map and set the action to pass.&lt;/P&gt;
&lt;P&gt;4. Apply the updated policy-map to the control plane.&lt;/P&gt;
&lt;P&gt;Good luck!&lt;/P&gt;</description>
      <pubDate>Thu, 13 Nov 2025 23:02:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/copp-port-filtering-cppr-causing-dhcp-failure-on-outside/m-p/5347004#M1123520</guid>
      <dc:creator>Ben Weber</dc:creator>
      <dc:date>2025-11-13T23:02:19Z</dc:date>
    </item>
    <item>
      <title>Re: CoPP Port-Filtering (Cppr) Causing DHCP Failure on Outside Interfa</title>
      <link>https://community.cisco.com/t5/network-security/copp-port-filtering-cppr-causing-dhcp-failure-on-outside/m-p/5347072#M1123526</link>
      <description>&lt;P&gt;To exclude or pass DHCP ports&lt;/P&gt;&lt;P&gt;If I add another port-filter class map for DHCP ports, the port-filter policy map does not give any police option under that class.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;class-map type port-filter match-any open
match port udp 67 68

policy-map type port-filter closed
class open
?
Policy-map class configuration commands:
drop Drop Control Plane traffic
exit Exit from class action configuration mode
log Log IPv4 and ARP packets
no Negate or set default values of a command&lt;/LI-CODE&gt;&lt;P&gt;If I try to add a regular class map for DHCP ports, the port-filter policy map does not allow that regular class to be added.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;ip access-list extended dhcp
permit udp any any eq 67
permit udp any any eq 68

class-map match-any dhcp
match access-group name dhcp

policy-map type port-filter closed
class dhcp
% class dhcp of type default is not allowed in policy-map closed of type port-filter&lt;/LI-CODE&gt;</description>
      <pubDate>Fri, 14 Nov 2025 07:05:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/copp-port-filtering-cppr-causing-dhcp-failure-on-outside/m-p/5347072#M1123526</guid>
      <dc:creator>mustafa.chapal</dc:creator>
      <dc:date>2025-11-14T07:05:03Z</dc:date>
    </item>
    <item>
      <title>Re: CoPP Port-Filtering (Cppr) Causing DHCP Failure on Outside Interfa</title>
      <link>https://community.cisco.com/t5/network-security/copp-port-filtering-cppr-causing-dhcp-failure-on-outside/m-p/5348618#M1123587</link>
      <description>&lt;P&gt;I was able to resolve this issue by modifying the class-map to explicitly exclude DHCP ports. The updated configuration is:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;class-map type port-filter match-all closed
 match closed-ports
 match not port udp 67 68&lt;/LI-CODE&gt;&lt;P&gt;After applying this change, the router’s outside interface was able to successfully obtain an IP address from the DHCP server while still enforcing port-filtering on all other closed or non-existent ports.&lt;/P&gt;&lt;P&gt;This approach ensures that DHCP traffic (UDP 67/68) is allowed through, preventing interference with IP address assignment, while maintaining the security benefits of Control Plane Port-Filtering on all other ports.&lt;/P&gt;</description>
      <pubDate>Thu, 20 Nov 2025 08:55:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/copp-port-filtering-cppr-causing-dhcp-failure-on-outside/m-p/5348618#M1123587</guid>
      <dc:creator>mustafa.chapal</dc:creator>
      <dc:date>2025-11-20T08:55:28Z</dc:date>
    </item>
  </channel>
</rss>

