Cisco Support Community

New Member

Control plane protection

Hi guys,

I want to implement control plane protection for fragmented packets. As far as I know, if fragmented packets are traversing through the router, then the service-policy will be applied at control-plane transit, but if fragmented packets are destined to the router itself, then it will be applied at control-plane host. Correct me if I am wrong. Moreover, I want to know the difference between:


Control-plane host

Control-plane transit

Control-plane cef


Control plane protection

Hi Bro

What you’re doing is good. It’s always best to block the fragmented packets at the control-plane level, rather than via the normal ACL.

In the basic/lower feature set IOS versions, there is no breakdown in terms of control-plane. With the advanced/higher feature set IOS versions, you have control-plane host, control-plane transit and control-plane cef. Your next question would be when do I apply them, in what given situations, am I right? Basically, in a nutshell, here goes:

a)    control-plane host handles packets destined for the router itself, e.g. management traffic (telnet/ssh/tacacs+/radius) and routing traffic.

b)    control-plane transit works on IP based packets traversing through the router e.g. internet browsing, email etc.

c)    control-plane cef focuses on non-IP packets e.g. CDP, ARP etc.

With this in mind, you might wanna expand your knowledge in depth, by reading this Cisco document

P/S: if you think this comment is useful, please do rate them nicely :-) and click on the button THIS QUESTION IS ANSWERED.

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
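
A minimal IOS configuration for the case raised in the original question (fragments addressed to the router itself, handled on the host subinterface), added here as an example and not taken from any post in this thread. The ACL, class-map and policy-map names are made up for illustration, and the sketch assumes an IOS image that supports the control-plane subinterfaces.

```cisco
! Added example, not from the thread. All names below are illustrative.
!
! Control Plane Protection relies on CEF to redirect packets to the
! control-plane subinterfaces, so CEF must stay enabled globally.
ip cef
!
! Match non-initial IP fragments of any protocol.
ip access-list extended CPPR-FRAGMENTS
 permit ip any any fragments
!
class-map match-all CPPR-FRAGMENTS-CLASS
 match access-group name CPPR-FRAGMENTS
!
! Drop the matched fragments. Traffic that does not match falls into
! class-default and is left untouched by this policy.
policy-map CPPR-HOST-POLICY
 class CPPR-FRAGMENTS-CLASS
  drop
!
! Attach the policy to the host subinterface, which covers packets
! destined for the router itself.
control-plane host
 service-policy input CPPR-HOST-POLICY
!
! Check the per-class counters after applying the policy:
!   show policy-map control-plane host
```

Before switching to `drop` in production, confirm that no legitimate traffic to the router arrives fragmented (for example large routing updates or tunnel traffic over a low-MTU path); the per-class counters show whether the class is matching anything.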
New Member

Control plane protection


I need some help on implementing CPPr. I need configuration to apply on the router. I have done some, but I am not sure whether it is right or not. Thanks
