I already wrote about Control Plane Protection in one of my previous posts focused on Cisco device configuration. Here we will make the same thing on Juniper device, I was using Juniper SRX300 and Juniper SRX1500 devices in my lab.
Control Plane Protection (CoPP) is a method of protecting processor unit, running services on your network device, against excessive flooding. Excessive flooding of traffic aimed towards your router/firewall processor, being that valid or malicious, is always undesirable and can also be dangerous.
A network device, which starts the receive more control traffic that his processor can process, will eventually experience control traffic packet drops and it will lead to some of the router functions to become unstable. Some of the most common control traffic generating services on a router are routing protocols with different update packets, Spanning Tree with BPDU packets, HSRP, CDP, ARP, and different management traffic services like SSH, SNMP, RADIUS etc.
Some of those control plane traffic types are more important than others but they all have in common the fact that they don’t normally use much bandwidth to function. Having that in mind, it is easy to conclude that the situation above with router processor at 100% because of control plane traffic is most surely caused by a DDoS attack towards your device.
More unusual is the situation when a neighboring device is experiencing some kind of malfunction which makes him send large amounts of control plane traffic out of his interfaces towards your device.
CoPP is the best way to avoid this kind of attacks or malfunctions to get in the way of your network device stability. CoPP is basically configuration of QoS inbound to your device control plane (CPU).
CoPP Best Practices
The way to configure CoPP in the most stable and effective way is to use guaranteed minimal available bandwidth for each control plane traffic type.