Showing results for 
Search instead for 
Did you mean: 

control plane policing and protection

Hello everyone,


Once again i am a bit confused and ask for your help.


With regards to control plane policing, i was wondering if is it a way to block, as an example, telnet traffic, using a control plane policy map, and let only one host access the device. i do not want to set an access list on the interface. 

i need to mention that i cant edit the class-default...(or at least i dont know)

As an example:

access-list 101 permit tcp host any eq telnet
access-list 101 deny tcp any any eq telnet


class-map match-all telnet-class
match access-group 101
policy-map cp-in
class telnet-class
police 1000000 conform-action transmit exceed-action drop


Now the second question is:

in this documentation found here: why the access 140 is using deny statement and not permit?

! Allow trusted host traffic.
Router(config)# access-list 140 deny tcp host any eq telnet 
! Allow trusted host traffic. 
Router(config)# access-list 140 deny tcp host any eq telnet 
! Rate-limit all other Telnet traffic.
Router(config)# access-list 140 permit tcp any any eq telnet
! Define class-map "telnet-class."
Router(config)# class-map telnet-class 
Router(config-cmap)# match access-group 140
Router(config-cmap)# exit
Router(config)# policy-map control-plane-in
Router(config-pmap)# class telnet-class
Router(config-pmap-c)# police 80000 conform transmit exceed drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
! Define control plane service for the active route processor.
Router(config)# control-plane
Router(config-cp)# service-policy input control-plane-in
Router(config-cp)# end

thank you in advance! 

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @DragosMariusAvram66611 ,

Control Plane Policing uses modular QoS  objects to define how control plane traffic  is sent to main CPU of the device.

CPP is intended to protect the node central CPU from Denial of service attacks.

In your config e