"Only ingress CoPP is supported. The system-cpp-policy policy-map is available on the control plane interface, and only in the ingress direction".
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-11/configuration_guide/sec/b_1611_sec_9300_cg/configuring_control_plane_policing.pdf
Therefore, A can't be right. B is the answer.
B - why would we police traffic generated by the router itself? We should police the traffic coming to the CP using CoPP
There is no evidence in the output of answer A, to support the theory of policing traffic generated by the router?
"the Control Plane Policing feature treats the CP as a separate entity with its own interface for ingress (input) and egress (output) traffic. "
https://www.cisco.com/c/en/us/td/docs/ios/ios_xe/sec_control_plane/configuration/guide/2_xe/cps_xe_book/ctrl_plane_policng_xe.html#wp1082901
The CoPP policies restrict known traffic to a specific rate while protecting the CPU from unexpectedly high traffic rates that might jeopardize the router's stability.
"To protect the CP on a router from DoS attacks and to provide fine-control over the traffic to or from the CP, the Control Plane Policing feature treats the CP as a separate entity with its own interface for ingress (input) and egress (output) traffic"
A. Traffic generated by R1 that matches access list SNMP is policed.
This option is incorrect because CoPP does not police traffic generated by the router itself (R1).
B. Traffic coming to R1 that matches access list SNMP is policed.
This is the correct answer. CoPP polices traffic coming to the router (R1) that matches the specified access list (SNMP).
C. Traffic passing through R1 that matches access list SNMP is policed.
CoPP does not police transit traffic passing through the router; it only affects traffic destined for the router.
D. Traffic coming to R1 that does not match access list SNMP is dropped.
CoPP does not drop traffic that does not match the specified access list; it only polices it.
Therefore, option B is the correct answer.
When applying the service policy to the control plane, the input direction is only supported.
https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/copp.html
Answer A
I believe A is the correct one.
https://www.cisco.com/c/en/us/td/docs/ios/ios_xe/sec_control_plane/configuration/guide/2_xe/cps_xe_book/ctrl_plane_policng_xe.html
Come on guys, the correct answer is C.
"Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual"
https://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4
https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/cpp.html
* input—Applies the specified service policy to packets received on the control plane.
* output—Applies the specified service policy to packets transmitted from the control plane and enables the router to silently discard packets.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
fernandocirino
Highly Voted 2 years, 2 months agoDegen6969
1 year, 8 months agozpacket
Highly Voted 2 years, 3 months agoechipbk
2 years agochmacnp
Most Recent 5 days, 9 hours agoZendahr
6 months agoZendahr
6 months, 3 weeks agoZendahr
6 months agoWanessamgp
7 months, 1 week agocy111
7 months, 1 week ago[Removed]
7 months, 2 weeks agoCCIEPASS99
7 months, 3 weeks ago[Removed]
7 months, 4 weeks agoccnp_core_2024
9 months, 1 week agokivi_bg
11 months, 3 weeks agoColmenarez
1 year, 5 months agokewokil120
2 years agoechipbk
2 years agoechipbk
2 years agomarkymark874
2 years agokewokil120
2 years ago