352-001 · Question #600
Which two control plane policer design options should you consider to achieve high availability? (Choose two)
The correct answer is D. Control plane policers are enforced in hardware to protect the software path, but they are E. Control plane policers must be processes before a forwarding decision is made. For high availability, control plane policers must be hardware-enforced to protect the CPU software path, and they must be processed before any forwarding decision is made.
Question
Which two control plane policer design options should you consider to achieve high availability? (Choose two)
Options
- AControl plane policers require that adequate protocols overhead are factored in to allow protocol
- BControl plane policers are really needed only on externally facing devices
- CControl plane policers can cause the network management systems to create false alarms
- DControl plane policers are enforced in hardware to protect the software path, but they are
- EControl plane policers must be processes before a forwarding decision is made
How the community answered
(57 responses)- A14% (8)
- B33% (19)
- C5% (3)
- D47% (27)
Why each option
For high availability, control plane policers must be hardware-enforced to protect the CPU software path, and they must be processed before any forwarding decision is made.
Factoring in protocol overhead is an operational tuning consideration for avoiding false drops, not a fundamental HA design principle for CoPP architecture.
Control plane policers are necessary on all network devices, not just externally facing ones, because internal misconfigured or compromised hosts can generate control plane floods just as damaging as external attacks.
NMS false alarms caused by overly aggressive CoPP policies are an operational side effect of misconfiguration, not a design option for achieving high availability.
CoPP enforced in hardware ensures that volumetric or malicious traffic targeting the CPU is rate-limited at the ASIC level before it can overwhelm the routing and signaling software processes. Hardware enforcement is a critical HA design requirement because a software-only policer could itself be saturated before it can act, defeating its purpose.
Control plane policers must be evaluated before the forwarding decision so that traffic destined for the CPU is intercepted and rate-limited at the earliest possible point in the packet processing pipeline, protecting protocol adjacencies and management plane stability.
Concept tested: Control Plane Policing hardware enforcement for high availability
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_copp/configuration/xe-17/qos-copp-xe-17-book/qos-copp-xe-17-book.html
Topics
Community Discussion
No community discussion yet for this question.