22.1.4 Lab - Troubleshoot CoPP - ILM


Lab - Troubleshoot Control Plane Policing (CoPP) (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table
Device  Interface  IP Address    Subnet Mask
R1      G0/0/0     172.16.12.1   255.255.255.252
R1      G0/0/1     10.10.1.1     255.255.255.0
R2      G0/0/0     172.16.12.2   255.255.255.252
A1      VLAN 1     10.10.1.4     255.255.255.0
PC1     NIC        10.10.1.5     255.255.255.0

Objectives
Troubleshoot network issues related to the configuration and operation of Control Plane Policing (CoPP).

Background / Scenario
Control Plane Policing (CoPP) is a protection feature for the router’s control plane CPU. CoPP can granularly
permit, drop, or rate-limit traffic to or from the CPU using a Modular QoS CLI (MQC) policy. The CoPP policy
is applied to a dedicated control-plane “interface” which protects the CPU from unexpected extreme rates of
traffic that could impact the stability of the router.
Note: The routers used with CCNP hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.4
(universalk9 image). The switch used in the lab is a Cisco Catalyst 2960 with Cisco IOS Release 15.2(2)
(lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model
and Cisco IOS version, the commands available and the output produced might vary from what is shown in
the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.

© 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 17 www.netacad.com

Note: Make sure that the routers and switches have been erased and have no startup configurations. If you
are unsure, contact your instructor.
Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.

Required Resources
• 2 Routers (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
• 1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
• 1 PC (Choice of operating system with a terminal emulation program and a packet capture utility installed)
• Console cables to configure the Cisco IOS devices via the console ports
• Ethernet cables as shown in the topology

Instructions

Part 1: Trouble Ticket 22.1.4.1


Scenario:
At the main office, a decision was made to eliminate the use of Telnet for network device management.
Rather than place ACLs on each interface, the main office network technician edited the existing CoPP
configurations on the branch router R1, adding the restriction on Telnet by creating an ACL, class-map, and
policy-map to drop all Telnet traffic to the router. The tech also added a traffic class for SSH access. While
testing the new changes at the branch office, the branch network technician finds that Telnet is still possible.
Your tasks are to FIND the error(s), document your findings and the command(s) or method(s) used to fix
them, FIX the issue(s) presented here and then test the network to ensure the following conditions are met:
1) the complaint received in the ticket is resolved
2) the control-plane policy-map keeps Telnet from succeeding either from the main office or from the
branch management network.
Use the commands listed below to load the configuration files for this trouble ticket:
Instructor Note: Commands for uploading the configuration are provided at the end of this document.

Device  Command
R1      copy flash:/enarsi/22.1.4.1-r1-config.txt run
R2      copy flash:/enarsi/22.1.4.1-r2-config.txt run
A1      copy flash:/enarsi/22.1.4.1-a1-config.txt run

• PC1 is on the management network and is configured with a static IP address from the addressing table.
• aaa new-model is enabled on router R1.
• Privileged EXEC password is cisco12345cisco.
• Passwords on all devices are cisco1234. If a username is required, use admin.
• After you have fixed the ticket, change the MOTD on EACH DEVICE using the following command:
  banner motd # This is $(hostname) FIXED from ticket <ticket number> #
• Save the configuration by issuing the wri command (on each device).
• Inform your instructor that you are ready for the next ticket.
• After the instructor approves your solution for this ticket, issue the privileged EXEC command reset.now.
  This script will clear your configurations and reload the devices.
Instructor Notes:
CoPP configuration errors are sometimes difficult to see in a small network with virtually no traffic. Remind the
students that they may not be able to recreate the identical symptoms. They should examine the configuration
and operation of the devices carefully to find the issues.
This trouble ticket contains an intentional error.
The policy map is out of order. The class map CM-MGMT comes before the class map CM-TELNET in
the policy map configuration, and a packet is handled by the first class it matches. Class map CM-MGMT
uses the MGMT ACL, which contains a permit tcp 10.10.1.0 0.0.0.255 any statement. That statement allows
Telnet from the branch management network to succeed, whereas it fails from the main office network.
To fix the problem: Delete and recreate the policy map PM-COPP so that the class CM-TELNET comes
ahead of the class CM-MGMT. (Suggest that students use Notepad to cut and paste the changes.) The
commands to do this are:
R1(config)# control-plane
R1(config-cp)# no service-policy input PM-COPP
R1(config-cp)# exit
R1(config)# no policy-map PM-COPP
R1(config)# policy-map PM-COPP
R1(config-pmap)# class CM-SSH
R1(config-pmap-c)# police 50000 conform-action transmit exceed-action transmit
R1(config-pmap-c-police)# class CM-EIGRP
R1(config-pmap-c)# police rate 10 pps conform-action transmit exceed-action transmit
R1(config-pmap-c-police)# class CM-TELNET
R1(config-pmap-c)# police 8000 conform-action drop exceed-action drop
R1(config-pmap-c-police)# class CM-MGMT
R1(config-pmap-c)# police 8000 conform-action transmit exceed-action transmit
R1(config-pmap-c-police)# class CM-ICMP
R1(config-pmap-c)# police rate 10 pps conform-action transmit exceed-action drop
R1(config-pmap-c-police)# class class-default
R1(config-pmap-c)# police 12000 conform-action transmit exceed-action transmit
R1(config-pmap-c-police)# exit
R1(config-pmap-c)# exit
R1(config-pmap)# exit
R1(config)# control-plane
R1(config-cp)# service-policy input PM-COPP
R1(config-cp)# end

Note: Students may choose to edit the MGMT ACL to remove the permit statement that is allowing Telnet
from the management network. Because that statement may be allowing other management traffic, it should
not be removed.
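
The first-match behaviour behind this ticket, as an added example that is not part of the original lab: a small Python evaluator that parses ACL lines from the ticket 1 R1 configuration and classifies a new inbound TCP connection against the policy map in its as-loaded and reordered class order. The function names, the tuple layout and the source port 49152 are assumptions made for the illustration.

```python
import ipaddress

PORTS = {"telnet": 23, "www": 80}

# ACL lines copied from the ticket 1 R1 configuration on this page. The UDP,
# ftp and ftp-data entries of MGMT are left out and ICMP is cut to one entry;
# none of them can match the TCP packets tested here.
ACL_TEXT = """
ip access-list extended EIGRP
permit eigrp any any
ip access-list extended ICMP
permit icmp any any echo
ip access-list extended MGMT
permit tcp any eq telnet any established
permit tcp 10.10.1.0 0.0.0.255 any eq 22
permit tcp 10.10.1.0 0.0.0.255 eq 22 any established
permit tcp 10.10.1.0 0.0.0.255 any eq www
permit tcp 10.10.1.0 0.0.0.255 any
ip access-list extended SSH
permit tcp any any eq 22
permit tcp any eq 22 any established
ip access-list extended TELNET
permit tcp any any eq telnet
"""

# (class, ACL matched by its class-map, conform-action) in policy-map order.
AS_LOADED = [("CM-EIGRP", "EIGRP", "transmit"), ("CM-MGMT", "MGMT", "transmit"),
             ("CM-SSH", "SSH", "transmit"), ("CM-ICMP", "ICMP", "transmit"),
             ("CM-TELNET", "TELNET", "drop")]
REORDERED = [("CM-SSH", "SSH", "transmit"), ("CM-EIGRP", "EIGRP", "transmit"),
             ("CM-TELNET", "TELNET", "drop"), ("CM-MGMT", "MGMT", "transmit"),
             ("CM-ICMP", "ICMP", "transmit")]


def parse_addr(tok, i):
    """Read 'any' or 'NETWORK WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ip_network() accepts a contiguous wildcard (host) mask after the slash.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_port(tok, i):
    """Read an optional 'eq PORT'; None means any port."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORTS[name] if name in PORTS else int(name)), i + 2
    return None, i


def parse_acls(text):
    """Return {acl_name: [(proto, src_net, src_port, dst_port, established)]}."""
    acls, name = {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            name = tok[3]
            acls[name] = []
        elif tok and tok[0] == "permit":
            src, i = parse_addr(tok, 2)
            sport, i = parse_port(tok, i)
            _dst, i = parse_addr(tok, i)   # destination is "any" in every entry
            dport, i = parse_port(tok, i)
            acls[name].append((tok[1], src, sport, dport, "established" in tok[i:]))
    return acls


def classify(policy, acls, src_ip, dport, proto="tcp", sport=49152):
    """Class and action for a new inbound TCP connection (a SYN), first match wins.
    An 'established' entry needs ACK or RST set, so a SYN never matches it."""
    src = ipaddress.ip_address(src_ip)
    for cls, acl, action in policy:
        for e_proto, e_src, e_sport, e_dport, est in acls[acl]:
            if (e_proto == proto and not est and src in e_src
                    and e_sport in (None, sport) and e_dport in (None, dport)):
                return cls, action
    return "class-default", "transmit"


ACLS = parse_acls(ACL_TEXT)
for label, policy in (("as loaded", AS_LOADED), ("reordered", REORDERED)):
    for src in ("10.10.1.5", "172.16.12.2"):       # PC1 and R2 from the table
        print(label, src, "telnet ->", classify(policy, ACLS, src, 23))
```

In the as-loaded order, Telnet from PC1 is caught by the catch-all TCP entry of MGMT before CM-TELNET is reached; in the reordered policy both sources land in CM-TELNET.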

Part 2: Trouble Ticket 22.1.4.2


Scenario:
While the main office network tech was editing the CoPP configuration on the branch R1 router, the tech
noticed that there was no separate class for SSH; it was part of the MGMT class. The tech decided to
add a traffic class for SSH access, so it would be easier to troubleshoot remote access issues. The branch
technician reports that after the traffic class change was added, SSH seems much slower and less responsive
than before.
Your tasks are to FIND the error(s), document your findings and the command(s) or method(s) used to fix
them, FIX the issue(s) presented here and then test the network to ensure the following conditions are met:
1) the complaint received in the ticket is resolved
2) SSH traffic response issues are solved
Use the commands listed below to load the configuration files for this trouble ticket:
Instructor Note: Commands for uploading the configuration are provided at the end of this document.

Device  Command
R1      copy flash:/enarsi/22.1.4.2-r1-config.txt run
R2      copy flash:/enarsi/22.1.4.2-r2-config.txt run
A1      copy flash:/enarsi/22.1.4.2-a1-config.txt run

• PC1 is on the management network and is configured with a static IP address from the addressing table.
• aaa new-model is enabled on router R1.
• Privileged EXEC password is cisco12345cisco.
• Passwords on all devices are cisco1234. If a username is required, use admin.
• After you have fixed the ticket, change the MOTD on EACH DEVICE using the following command:
  banner motd # This is $(hostname) FIXED from ticket <ticket number> #
• Save the configuration by issuing the wri command (on each device).
• Inform your instructor that you are finished.
• After the instructor approves your solution for this ticket, issue the privileged EXEC command reset.now.
  This script will clear your configurations and reload the devices.
Instructor Notes:
CoPP configuration errors are sometimes difficult to see in a small network with virtually no traffic. Remind the
students that they may not be able to recreate the identical symptoms. They should examine the configuration
and operation of the devices carefully to find the issues.
This trouble ticket contains an intentional error.
The class CM-SSH is given the same policing action as the class CM-ICMP instead of the same actions
as the class CM-MGMT, which is the desired result.
To fix the problem: Correct the policing for SSH traffic so that it is the same as for the CM-MGMT class. It is
not necessary to delete and recreate the policy map PM-COPP, only to remove it from the control plane until
it is edited. The commands to do this are:
R1(config)# control-plane
R1(config-cp)# no service-policy input PM-COPP
R1(config-cp)# exit
R1(config)# policy-map PM-COPP
R1(config-pmap)# class CM-SSH
R1(config-pmap-c)# police 8000 conform-action transmit exceed-action transmit
R1(config-pmap-c-police)# exit
R1(config-pmap-c)# exit
R1(config-pmap)# exit
R1(config)# control-plane
R1(config-cp)# service-policy input PM-COPP
R1(config-cp)# end
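
What the as-loaded CM-SSH policing does to an interactive session, as an added example that is not part of the original lab: a token-bucket model of police rate 10 pps with exceed-action drop, run over constructed traffic and compared with exceed-action transmit. The burst size of 10 packets, the 50-packet traffic pattern and all names are assumptions; the page does not state a burst size.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    """Single-rate token bucket counted in packets, as in 'police rate N pps'."""
    rate_pps: int
    burst_pkts: int        # assumption: the page does not state a burst size
    exceed_action: str     # "transmit" or "drop", taken from the police statement

    def run(self, arrivals_ms):
        """Return (forwarded, dropped) for packet arrival times in milliseconds."""
        scale = 1000                       # integer milli-tokens avoid float drift
        full = self.burst_pkts * scale
        tokens = full                      # the bucket starts full
        last = arrivals_ms[0] if arrivals_ms else 0
        forwarded = dropped = 0
        for t in arrivals_ms:
            # rate_pps tokens per second equals rate_pps milli-tokens per ms
            tokens = min(full, tokens + self.rate_pps * (t - last))
            last = t
            if tokens >= scale:            # in profile: conform-action transmit
                tokens -= scale
                forwarded += 1
            elif self.exceed_action == "transmit":
                forwarded += 1             # out of profile but still delivered
            else:
                dropped += 1               # exceed-action drop
        return forwarded, dropped


# Constructed traffic: an SSH session sending 50 packets to R1 in one second
# (one every 20 ms), for example while paging through command output.
SSH_BURST_MS = list(range(0, 1000, 20))

# CM-SSH as loaded in ticket 2: same policing as CM-ICMP.
AS_LOADED = Policer(rate_pps=10, burst_pkts=10, exceed_action="drop")
# CM-SSH after the fix uses 'police 8000' with both actions set to transmit.
# With exceed-action transmit the rate no longer decides delivery, so the
# same bucket is reused here and only the exceed action changes.
CORRECTED = Policer(rate_pps=10, burst_pkts=10, exceed_action="transmit")

for name, policer in (("as loaded", AS_LOADED), ("corrected", CORRECTED)):
    print(name, "forwarded/dropped:", policer.run(SSH_BURST_MS))
```

Every dropped segment has to be retransmitted by TCP after a timeout, which is what the user perceives as a slow, unresponsive SSH session.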

Router Interface Summary Table


Router Model  Ethernet Interface #1            Ethernet Interface #2            Serial Interface #1    Serial Interface #2
1800          Fast Ethernet 0/0 (F0/0)         Fast Ethernet 0/1 (F0/1)         Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
1900          Gigabit Ethernet 0/0 (G0/0)      Gigabit Ethernet 0/1 (G0/1)      Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2801          Fast Ethernet 0/0 (F0/0)         Fast Ethernet 0/1 (F0/1)         Serial 0/1/0 (S0/1/0)  Serial 0/1/1 (S0/1/1)
2811          Fast Ethernet 0/0 (F0/0)         Fast Ethernet 0/1 (F0/1)         Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2900          Gigabit Ethernet 0/0 (G0/0)      Gigabit Ethernet 0/1 (G0/1)      Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
4221          Gigabit Ethernet 0/0/0 (G0/0/0)  Gigabit Ethernet 0/0/1 (G0/0/1)  Serial 0/1/0 (S0/1/0)  Serial 0/1/1 (S0/1/1)
4300          Gigabit Ethernet 0/0/0 (G0/0/0)  Gigabit Ethernet 0/0/1 (G0/0/1)  Serial 0/1/0 (S0/1/0)  Serial 0/1/1 (S0/1/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces the router has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An example
of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in
Cisco IOS commands to represent the interface.
End of document

Uploading Configuration Files


Use the commands below to create the configuration files on the lab devices for each trouble ticket in this lab.
The TCL script commands help create and copy the configurations. However, the configuration commands
could also be copied and pasted directly into global config mode on each device. Simply remove the TCL
script commands, enter the enable and configure t commands on the device, and copy and paste the
configuration commands.
Important: The device requires a folder in flash named enarsi. Use the dir command to verify. If the folder is
missing, then create it using the mkdir flash:/enarsi privileged EXEC command. For all switches, make sure
the vlan.dat file is set to the default. Use the delete vlan.dat privileged EXEC command, if necessary.
Reset scripts
These TCL scripts will completely clear and reload the device in preparation for the next ticket. Copy and
paste the appropriate script to the appropriate device.
R1/R2 Router Reset Script
tclsh
puts [ open "flash:/enarsi/reset.tcl" w+ ] {
typeahead "\n"
copy running-config startup-config
typeahead "\n"
erase startup-config
puts "Reloading the router"
typeahead "\n"
reload
}
tclquit
A1 (Cisco 2960 Script) - The default 2960 SDM template does not support IPv6, so this script includes that
setting.
tclsh
puts [ open "flash:/enarsi/reset.tcl" w+ ] {
typeahead "\n"
copy running-config startup-config
typeahead "\n"
erase startup-config
delete /force vlan.dat
delete /force multiple-fs
ios_config "sdm prefer lanbase-routing"
typeahead "\n"
puts "Reloading the switch"
typeahead "\n"
reload
}
tclquit

Router R1 Configuration File Scripts


!R1 - Trouble Ticket # 1
tclsh
puts [ open "flash:/enarsi/22.1.4.1-r1-config.txt" w+ ] {
hostname R1
boot-start-marker
boot-end-marker
vrf definition Mgmt-intf
address-family ipv4
exit-address-family
address-family ipv6
exit-address-family
enable secret cisco12345cisco
aaa new-model
aaa authentication login default local enable
no ip domain lookup
ip domain name CCNPv8.CoPP.Lab
login on-success log
subscriber templating
multilink bundle-name authenticated
spanning-tree extend system-id
username admin privilege 15 algorithm-type scrypt secret cisco1234
redundancy
mode none
class-map match-all CM-MGMT
match access-group name MGMT
class-map match-all CM-TELNET
match access-group name TELNET
class-map match-all CM-ICMP
match access-group name ICMP
class-map match-all CM-EIGRP
match access-group name EIGRP
class-map match-all CM-SSH
match access-group name SSH
policy-map PM-COPP
class CM-EIGRP
police rate 10 pps conform-action transmit exceed-action transmit
class CM-MGMT
police 8000 conform-action transmit exceed-action transmit
class CM-SSH
police 50000 conform-action transmit exceed-action transmit
class CM-ICMP
police rate 10 pps conform-action transmit exceed-action drop
class CM-TELNET
police 8000 conform-action drop exceed-action drop
class class-default
police 12000 conform-action transmit exceed-action transmit
interface GigabitEthernet0/0/0
ip address 172.16.12.1 255.255.255.252
negotiation auto
no shutdown
interface GigabitEthernet0/0/1
ip address 10.10.1.1 255.255.255.0
negotiation auto
no shutdown
interface Serial0/1/0
no ip address
interface Serial0/1/1
no ip address
router eigrp 123
network 10.10.1.0 0.0.0.255
network 172.16.12.0 0.0.0.3
eigrp router-id 0.0.0.1
ip forward-protocol nd
no ip http server
ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
ip access-list extended EIGRP
permit eigrp any any
ip access-list extended ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
permit icmp any any port-unreachable
permit icmp any any unreachable
ip access-list extended MGMT
permit tcp any eq telnet any established
permit tcp 10.10.1.0 0.0.0.255 any eq 22
permit tcp 10.10.1.0 0.0.0.255 eq 22 any established
permit udp 10.10.1.0 0.0.0.255 any eq snmp
permit tcp 10.10.1.0 0.0.0.255 any eq www
permit udp 10.10.1.0 0.0.0.255 any eq 443
permit tcp 10.10.1.0 0.0.0.255 any eq ftp
permit tcp 10.10.1.0 0.0.0.255 any eq ftp-data
permit tcp 10.10.1.0 0.0.0.255 any
permit udp any any eq syslog
permit udp any eq domain any
permit udp any any eq ntp
ip access-list extended SSH
permit tcp any any eq 22
permit tcp any eq 22 any established
ip access-list extended TELNET
permit tcp any any eq telnet
control-plane
service-policy input PM-COPP
banner motd "R1: Lab Trouble Ticket 1"
line con 0
exec-timeout 0 0
logging synchronous
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input telnet ssh
exit
crypto key generate rsa modulus 1024
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit
!R1 - Trouble Ticket # 2
tclsh
puts [ open "flash:/enarsi/22.1.4.2-r1-config.txt" w+ ] {
hostname R1
boot-start-marker
boot-end-marker
vrf definition Mgmt-intf
address-family ipv4
exit-address-family
address-family ipv6
exit-address-family
enable secret cisco12345cisco
aaa new-model
username admin privilege 15 algorithm-type scrypt secret cisco1234
aaa authentication login default local enable
no ip domain lookup
ip domain name CCNPv8.CoPP.Lab
login on-success log
subscriber templating
multilink bundle-name authenticated
spanning-tree extend system-id
redundancy
mode none
class-map match-all CM-MGMT
match access-group name MGMT
class-map match-all CM-TELNET
match access-group name TELNET
class-map match-all CM-ICMP
match access-group name ICMP
class-map match-all CM-EIGRP
match access-group name EIGRP
class-map match-all CM-SSH
match access-group name SSH
policy-map PM-COPP
class CM-EIGRP
police rate 10 pps conform-action transmit exceed-action transmit
class CM-SSH
police rate 10 pps conform-action transmit exceed-action drop
class CM-TELNET
police 8000 conform-action drop exceed-action drop
class CM-MGMT
police 8000 conform-action transmit exceed-action transmit
class CM-ICMP
police rate 10 pps conform-action transmit exceed-action drop
class class-default
police 12000 conform-action transmit exceed-action transmit
interface GigabitEthernet0/0/0
ip address 172.16.12.1 255.255.255.252
negotiation auto
no shutdown
interface GigabitEthernet0/0/1
ip address 10.10.1.1 255.255.255.0
negotiation auto
no shutdown
router eigrp 123
network 10.10.1.0 0.0.0.255
network 172.16.12.0 0.0.0.3
eigrp router-id 0.0.0.1
ip forward-protocol nd
no ip http server
ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
ip access-list extended EIGRP
permit eigrp any any
ip access-list extended ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
permit icmp any any port-unreachable
permit icmp any any unreachable
ip access-list extended MGMT
permit tcp any eq telnet any established
permit tcp 10.10.1.0 0.0.0.255 any eq 22
permit tcp 10.10.1.0 0.0.0.255 eq 22 any established
permit udp 10.10.1.0 0.0.0.255 any eq snmp
permit tcp 10.10.1.0 0.0.0.255 any eq www
permit udp 10.10.1.0 0.0.0.255 any eq 443
permit tcp 10.10.1.0 0.0.0.255 any eq ftp
permit tcp 10.10.1.0 0.0.0.255 any eq ftp-data
permit tcp 10.10.1.0 0.0.0.255 any
permit udp any any eq syslog
permit udp any eq domain any
permit udp any any eq ntp
ip access-list extended SSH
permit tcp any any eq 22
permit tcp any eq 22 any established
ip access-list extended TELNET
permit tcp any any eq telnet
control-plane
service-policy input PM-COPP
banner motd "R1: Lab Trouble Ticket 2"
line con 0
exec-timeout 0 0
logging synchronous
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input telnet ssh
exit
crypto key generate rsa modulus 1024
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit

Router R2 Configuration File Scripts


!R2 - Trouble Ticket # 1
tclsh
puts [ open "flash:/enarsi/22.1.4.1-r2-config.txt" w+ ] {
service timestamps debug datetime msec
service timestamps log datetime msec
hostname R2
vrf definition Mgmt-intf
address-family ipv4
exit-address-family
address-family ipv6
exit-address-family
no aaa new-model
no ip domain lookup
ip domain name CCNPv8.CoPP.Lab
login on-success log
username admin privilege 15 algorithm-type scrypt secret cisco1234
interface GigabitEthernet0/0/0
ip address 172.16.12.2 255.255.255.252
negotiation auto
no shutdown
router eigrp 123
network 172.16.12.0 0.0.0.3
eigrp router-id 0.0.0.2
ip forward-protocol nd
no ip http server
ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
control-plane
banner motd "R2: Lab Trouble Ticket 1"
line con 0
exec-timeout 0 0
logging synchronous
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input telnet ssh
exit
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit
!R2 - Trouble Ticket # 2
tclsh
puts [ open "flash:/enarsi/22.1.4.2-r2-config.txt" w+ ] {
service timestamps debug datetime msec
service timestamps log datetime msec
hostname R2
vrf definition Mgmt-intf
address-family ipv4
exit-address-family
address-family ipv6
exit-address-family
no aaa new-model
no ip domain lookup
ip domain name CCNPv8.CoPP.Lab
login on-success log
username admin privilege 15 algorithm-type scrypt secret cisco1234
interface GigabitEthernet0/0/0
ip address 172.16.12.2 255.255.255.252
negotiation auto
no shutdown
router eigrp 123
network 172.16.12.0 0.0.0.3
eigrp router-id 0.0.0.2
ip forward-protocol nd
no ip http server
ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
control-plane
banner motd "R2: Lab Trouble Ticket 2"
line con 0
exec-timeout 0 0
logging synchronous
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input telnet ssh
exit
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit

Switch A1 Configuration File Scripts


!A1 - Trouble Ticket # 1
tclsh
puts [ open "flash:/enarsi/22.1.4.1-a1-config.txt" w+ ] {
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname A1
boot-start-marker
boot-end-marker
enable secret cisco12345cisco
username admin privilege 15 algorithm-type scrypt secret cisco1234
no aaa new-model
system mtu routing 1500
no ip domain-lookup
ip domain-name CCNPv8.COPP.LAB
spanning-tree mode rapid-pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0/1
shutdown
interface FastEthernet0/2
shutdown
interface FastEthernet0/3
shutdown
interface FastEthernet0/4
shutdown
interface FastEthernet0/5
shutdown
interface FastEthernet0/6
shutdown
interface FastEthernet0/7
shutdown
interface FastEthernet0/8
shutdown
interface FastEthernet0/9
shutdown
interface FastEthernet0/10
shutdown
interface FastEthernet0/11
no shutdown
interface FastEthernet0/12
shutdown
interface FastEthernet0/13
shutdown
interface FastEthernet0/14
shutdown
interface FastEthernet0/15
shutdown
interface FastEthernet0/16
shutdown
interface FastEthernet0/17
shutdown
interface FastEthernet0/18
shutdown
interface FastEthernet0/19
shutdown
interface FastEthernet0/20
shutdown
interface FastEthernet0/21
shutdown
interface FastEthernet0/22
shutdown
interface FastEthernet0/23
switchport mode access
no shutdown
interface FastEthernet0/24
shutdown
interface GigabitEthernet0/1
shutdown
interface GigabitEthernet0/2
shutdown
interface Vlan1
ip address 10.10.1.4 255.255.255.0
no shutdown
ip default-gateway 10.10.1.1
ip http server
ip http secure-server
banner motd "A1, 22.1.4.1 Ticket 1"
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
exit
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit
!A1 - Trouble Ticket # 2
tclsh
puts [ open "flash:/enarsi/22.1.4.2-a1-config.txt" w+ ] {
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname A1
boot-start-marker
boot-end-marker
enable secret cisco12345cisco
username admin privilege 15 algorithm-type scrypt secret cisco1234
no aaa new-model
system mtu routing 1500
no ip domain-lookup
ip domain-name CCNPv8.COPP.LAB
spanning-tree mode rapid-pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0/1
shutdown
interface FastEthernet0/2
shutdown
interface FastEthernet0/3
shutdown
interface FastEthernet0/4
shutdown
interface FastEthernet0/5
shutdown
interface FastEthernet0/6
shutdown
interface FastEthernet0/7
shutdown
interface FastEthernet0/8
shutdown
interface FastEthernet0/9
shutdown
interface FastEthernet0/10
shutdown
interface FastEthernet0/11
no shutdown
interface FastEthernet0/12
shutdown
interface FastEthernet0/13
shutdown
interface FastEthernet0/14
shutdown
interface FastEthernet0/15
shutdown
interface FastEthernet0/16
shutdown
interface FastEthernet0/17
shutdown
interface FastEthernet0/18
shutdown
interface FastEthernet0/19
shutdown
interface FastEthernet0/20
shutdown
interface FastEthernet0/21
shutdown
interface FastEthernet0/22
shutdown
interface FastEthernet0/23
switchport mode access
no shut
interface FastEthernet0/24
shutdown
interface GigabitEthernet0/1
shutdown
interface GigabitEthernet0/2
shutdown
interface Vlan1
ip address 10.10.1.4 255.255.255.0
no shutdown
ip default-gateway 10.10.1.1
ip http server
ip http secure-server
banner motd "A1, 22.1.4.2 Ticket 2"
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
exit
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit