nerdexam
Cisco

350-401 · Question #622

Which two statements are true about control plane policing? (Choose two.)

The correct answer is A. Control plane policing will affect only traffic that is destined to the route processor. B. Access lists that are used in policies for control plane policing must not use the log keyword.. Control Plane Policing (CoPP) protects the route processor from excessive traffic, only affecting packets destined for it, and requires careful ACL configuration without the log keyword.

Submitted by klara.se· Mar 6, 2026

Question

Which two statements are true about control plane policing? (Choose two.)

Options

  • AControl plane policing will affect only traffic that is destined to the route processor.
  • BAccess lists that are used in policies for control plane policing must not use the log keyword.
  • CAccess lists that use the deny rule in control plane policing do not progress to the next class.
  • DThe log keyword can be used but the log-input keyword must not be used in policing.

How the community answered

(37 responses)
  • A
    89% (33)
  • C
    8% (3)
  • D
    3% (1)

Why each option

Control Plane Policing (CoPP) protects the route processor from excessive traffic, only affecting packets destined for it, and requires careful ACL configuration without the `log` keyword.

AControl plane policing will affect only traffic that is destined to the route processor.Correct

CoPP is specifically designed to protect the router's control plane (the route processor) from malicious or excessive traffic by inspecting and acting on packets that are *destined to the router itself*, rather than transit traffic.

BAccess lists that are used in policies for control plane policing must not use the log keyword.Correct

When configuring access lists for CoPP policies, using the `log` keyword can cause the route processor to generate a large number of log messages for every matched packet, potentially consuming excessive CPU resources and defeating the purpose of CoPP.

CAccess lists that use the deny rule in control plane policing do not progress to the next class.

In Modular QoS CLI (MQC) policies, a `deny` rule in an access list *does* cause the packet to proceed to the next class-map in the policy, continuing evaluation, unless an explicit action (like drop) is taken within that class.

DThe log keyword can be used but the log-input keyword must not be used in policing.

The `log` keyword should generally *not* be used in ACLs applied for control plane policing due to the potential for excessive logging and CPU strain, contrary to the statement that it *can* be used.

Concept tested: Control Plane Policing (CoPP) characteristics and configuration

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_copp/configuration/xe-3s/sec-data-copp-xe-3s-book/sec-control-plane-policing.html

Topics

#Control Plane Policing#CoPP#Access Lists#Policing configuration

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice