
CoPP Port-Filtering (Cppr) Causing DHCP Failure on Outside Interface

mustafa.chapal
Level 3

Hello,

I have configured the Control Plane CoPP Port-Filtering (Cppr) feature on a Cisco ISR 890 Series Router running IOS 15.8(3)M9 to stop the router from responding with closed status on all closed or non-existent TCP/UDP ports.

Here is the configuration I applied:

class-map type port-filter match-any closed
match closed-ports

policy-map type port-filter closed
class closed
drop

control-plane host
service-policy type port-filter input closed

After applying this configuration, the router’s outside interface, which is configured with ip address dhcp, stopped receiving an IP address from the DHCP server. It seems this port-filtering setup is interfering with DHCP communication (UDP ports 67 and 68).

My questions are:

  1. Is there a way to exclude specific ports (like UDP 67/68) from this port-filtering configuration?

  2. If not, is there a workaround to allow the interface to obtain a DHCP IP address while still preventing the router from responding on all other closed/non-existent ports?

Any guidance or configuration examples would be greatly appreciated.

Thank you


3 Replies

Ben Weber
Spotlight

I would suggest using an ACL to allow the DHCP traffic to the router control plane.

1. Create an ACL that will match DHCP traffic.

2. Create a new class-map that will match the ACL.

3. Reference this class-map under the existing policy-map and set the action to pass.

4. Apply the updated policy-map to the control plane.

Good luck!

- BW
Please rate posts if they have been helpful.

To exclude or pass DHCP ports

If I add another port-filter class-map for the DHCP ports, the port-filter policy-map does not give any police option under that class:

class-map type port-filter match-any open
match port udp 67 68

policy-map type port-filter closed
class open
?
Policy-map class configuration commands:
drop Drop Control Plane traffic
exit Exit from class action configuration mode
log Log IPv4 and ARP packets
no Negate or set default values of a command

 

If I try to add a regular class-map for the DHCP ports, the port-filter policy-map does not allow that regular class to be added:

ip access-list extended dhcp
permit udp any any eq 67
permit udp any any eq 68

class-map match-any dhcp
match access-group name dhcp

policy-map type port-filter closed
class dhcp
% class dhcp of type default is not allowed in policy-map closed of type port-filter

 

mustafa.chapal
Level 3

I was able to resolve this issue by modifying the class-map to explicitly exclude DHCP ports. The updated configuration is:

class-map type port-filter match-all closed
 match closed-ports
 match not port udp 67 68
 
After applying this change, the router’s outside interface was able to successfully obtain an IP address from the DHCP server while still enforcing port-filtering on all other closed or non-existent ports.

This approach ensures that DHCP traffic (UDP 67/68) is allowed through, preventing interference with IP address assignment, while maintaining the security benefits of Control Plane Port-Filtering on all other ports.
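As an added illustration (not part of the thread or of Cisco's own code), the following Python model encodes the documented class-map Boolean semantics (match-any is an OR of the criteria, match-all is an AND, "match not" negates one criterion) and runs the original class-map, the accepted match-all fix, and a match-any variant of the same exclusion against a constructed sample of control-plane packets. The set of open ports is a constructed assumption; the real feature derives it from the router's listening sockets.

```python
"""Simplified model of 'class-map type port-filter' evaluation (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Socket = Tuple[str, int]  # (protocol, port)


@dataclass
class Criterion:
    """One 'match ...' line; negate models 'match not ...'."""
    test: Callable[[str, int, Set[Socket]], bool]
    negate: bool = False

    def evaluate(self, proto: str, port: int, open_ports: Set[Socket]) -> bool:
        hit = self.test(proto, port, open_ports)
        return not hit if self.negate else hit


def closed_ports() -> Criterion:
    """'match closed-ports': the destination socket has no listener."""
    return Criterion(lambda proto, port, open_ports: (proto, port) not in open_ports)


def port(proto: str, *ports: int, negate: bool = False) -> Criterion:
    """'match [not] port <proto> <ports...>'."""
    return Criterion(lambda p, dport, _open: p == proto and dport in ports, negate)


@dataclass
class PortFilterClassMap:
    match_all: bool          # True = match-all (AND), False = match-any (OR)
    criteria: List[Criterion]

    def matches(self, proto: str, port_: int, open_ports: Set[Socket]) -> bool:
        results = [c.evaluate(proto, port_, open_ports) for c in self.criteria]
        return all(results) if self.match_all else any(results)


# Constructed assumption: the router listens on SSH only; as the thread's
# symptom implies, the DHCP client port is not treated as an open socket.
OPEN_PORTS: Set[Socket] = {("tcp", 22)}

ORIGINAL = PortFilterClassMap(match_all=False, criteria=[closed_ports()])
FIXED = PortFilterClassMap(match_all=True,
                           criteria=[closed_ports(), port("udp", 67, 68, negate=True)])
MATCH_ANY_VARIANT = PortFilterClassMap(match_all=False,
                                       criteria=[closed_ports(), port("udp", 67, 68, negate=True)])

SAMPLES: Dict[str, Socket] = {"dhcp udp/68": ("udp", 68),
                              "telnet tcp/23": ("tcp", 23),
                              "ssh tcp/22": ("tcp", 22)}


def verdicts(class_map: PortFilterClassMap) -> Dict[str, str]:
    """The class carries action 'drop'; anything it does not match is passed."""
    return {name: "drop" if class_map.matches(*sock, OPEN_PORTS) else "pass"
            for name, sock in SAMPLES.items()}
```

Running verdicts() on the three class-maps shows the original dropping DHCP, the match-all fix passing DHCP while still dropping telnet, and the match-any variant dropping even the open SSH port, because "not udp 67/68" is true for every non-DHCP packet.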
