1. Cisco Systems, "Control Plane Policing Implementation Best Practices" White Paper.
Reference: In the "CoPP Deployment" section, under the "Monitor Mode" subsection, the document states: "It is highly recommended to deploy CoPP in a non-disruptive, monitor-only fashion first. This can be accomplished by configuring the exceed action to transmit instead of drop. This allows for the verification of the CoPP policy without affecting traffic." This directly supports setting both actions to transmit for initial testing.
2. Cisco IOS XE Security Configuration Guide, Cisco IOS XE Fuji 16.9.x, "Configuring Control Plane Policing".
Reference: In the "How to Configure Control Plane Policing" section, the guide shows the command service-policy {input | output} policy-map-name. It explains that CoPP is applied to the control plane interface, and for protecting the router's CPU, the input keyword is used to control traffic destined for the device. This confirms the correct direction is input.
3. Cisco Systems, "Guide to Control Plane Policing" Document.
Reference: In the "Deployment Methodology" section, the guide recommends a phased approach: "The first phase is to deploy CoPP in monitor mode (that is, permit all traffic but use counters to measure the traffic rates). This allows you to understand the current traffic rates without impacting the network... Once you are confident with the configured rates, you can move to the second phase, which is to enforce the policy by changing the action for exceeding traffic from transmit to drop." This validates the entire strategy outlined in the correct answer.
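
The phased deployment these references describe, as an added configuration example that is not taken from the cited Cisco documents. The ACL, class-map and policy-map names, the SSH match and the 32000 bps rate are constructed placeholders; real rates come from the counters observed in monitor mode.

```cisco
! Constructed example: all names and the 32000 bps rate are placeholders.
ip access-list extended COPP-ACL-MGMT
 permit tcp any any eq 22
!
class-map match-all COPP-CLASS-MGMT
 match access-group name COPP-ACL-MGMT
!
! Phase 1 (monitor mode): conform and exceed both transmit, so nothing is
! dropped and the counters still record how much traffic exceeds the rate.
policy-map COPP-POLICY
 class COPP-CLASS-MGMT
  police 32000 conform-action transmit exceed-action transmit
 class class-default
  police 32000 conform-action transmit exceed-action transmit
!
! Attach in the input direction: traffic destined for the device's CPU.
control-plane
 service-policy input COPP-POLICY
!
! Review the conformed/exceeded counters per class (exec mode):
!   show policy-map control-plane
!
! Phase 2 (enforce): once the rates are validated, change only the
! exceed action from transmit to drop for the classes being enforced.
policy-map COPP-POLICY
 class COPP-CLASS-MGMT
  police 32000 conform-action transmit exceed-action drop
```

A class whose exceeded counter keeps climbing in phase 1 has either a rate set too low or a match that is too broad, and should be resized before its exceed action is changed to drop.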