Control Plane Policing, Hardware Rate Limiting, and Access-Control Lists
Protecting Cisco Catalyst 6500 Series Switches
By Cisco Systems
Posted October 2009
It has been some time since administrators focused their security attention primarily on the servers and hosts in the network. At that time, a firewall and a few access lists were considered enough to secure an entire network. Over the last several years the infrastructure itself has become a direct target, and on many occasions an attack on the network is a byproduct of a worm or virus: infected hosts generate substantial traffic by scanning other hosts in the network, propagating malware, or being the target of an attack, and the switches in the path carry that traffic whether or not they are its intended destination. To protect the infrastructure, especially the core and distribution layers of the network, additional mechanisms can be used to minimize the effect on these critical business-enabling components, namely your Cisco® Catalyst® 6500 Series Switches.
This paper describes three methods that can be employed to help protect your infrastructure: control-plane policing (CoPP), hardware rate limiting (HWRL), and access-control lists (ACLs). The operation of each feature and configuration examples for each are explained in detail, so that you will understand how to implement them successfully.
In a controlled test environment, several attack situations were created that placed the network infrastructure in jeopardy. The effects on the network were captured; the attacks were then mitigated using the methods described above, and the condition of the network was captured again. Configuration examples are used to show how an unprotected infrastructure behaves, followed by the configurations that mitigate each attack.
Finally, a baseline recommendation is provided as a starting point from which you can begin implementing control plane protection in your network.
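To make the three mechanisms concrete before the detailed sections, here is an added configuration example showing how they fit together on a Catalyst 6500 with a Supervisor 720 running IOS 12.2SX. It is not the paper's own baseline recommendation and not Cisco's published configuration; the ACL names, the 10.1.1.0/24 management network and every rate are assumed placeholders chosen for illustration.

```cisco
! Added example, not from the Cisco paper. Assumed placeholders:
! 10.1.1.0/24 = management network; class names, rates and bursts are
! illustrative starting points, not tuned values.

! CoPP is enforced in PFC hardware only when mls qos is enabled;
! without it the policer runs on the route processor itself.
mls qos

! ACLs used purely as CoPP classifiers: they select traffic for a
! class, they do not block anything by themselves.
ip access-list extended CoPP-MANAGEMENT
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit udp 10.1.1.0 0.0.0.255 any eq snmp
 permit tcp 10.1.1.0 0.0.0.255 any eq tacacs
ip access-list extended CoPP-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
ip access-list extended CoPP-MONITORING
 permit icmp any any echo
 permit icmp any any echo-reply

class-map match-all CoPP-MANAGEMENT
 match access-group name CoPP-MANAGEMENT
class-map match-all CoPP-ROUTING
 match access-group name CoPP-ROUTING
class-map match-all CoPP-MONITORING
 match access-group name CoPP-MONITORING

! Routing protocols are classified and counted but never dropped
! (exceed-action transmit); management and monitoring get a hard cap;
! class-default is traffic the control plane was not expecting and
! receives the smallest allowance.
policy-map CoPP
 class CoPP-ROUTING
  police 1000000 8000 conform-action transmit exceed-action transmit
 class CoPP-MANAGEMENT
  police 512000 8000 conform-action transmit exceed-action drop
 class CoPP-MONITORING
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
  police 32000 8000 conform-action transmit exceed-action drop

! Apply to traffic punted to the route processor (input direction only).
control-plane
 service-policy input CoPP

! Hardware rate limiters cover punt paths that an ACL cannot classify
! well, because the packet needs software handling regardless of its
! source (ARP glean, TTL expiry, ICMP unreachable generation).
! Values are packets per second followed by a burst.
mls rate-limit unicast cef glean 100 10
mls rate-limit all ttl-failure 100 10
mls rate-limit unicast ip icmp unreachable no-route 100 10
mls rate-limit unicast ip icmp unreachable acl-drop 100 10
```

Deploy with every class set to exceed-action transmit first and read the conformed and exceeded counters from show policy-map control-plane over a normal business cycle before switching the exceed action to drop; a policy sized from guesswork will either drop legitimate SSH and SNMP under load or be too generous to matter during an attack. Check the rate limiters with show mls rate-limit. One caveat to plan around on this platform: traffic that matches an enabled hardware rate limiter is handled by that rate limiter and not by the hardware CoPP policer, so the two sets of limits should be designed together rather than layered independently.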