Cisco Blogs

Understanding Control Plane Policing

July 16, 2010 - 1 Comment

In the Lab is out for this week with ITL Episode 280 on our podcast channel.

Defend network devices with Control Plane Policing

What is it that we are really policing?

Understanding the punt path helps answer that question.

The term “punt” is defined by Cisco to describe the action by an interface’s device driver of sending a packet “down” to the next fastest switching level. This list defines the order of preferred Cisco IOS switching methods (from fastest to slowest).

  • Distributed CEF

  • CEF

  • Fast switching

  • Process switching

A punt occurs under these conditions:

  • The next lower level did not produce a valid path or, in the case of CEF, a valid adjacency. In other words, if the CEF lookup process failed to find a valid entry in the forwarding information base, the packet is punted to the next available switching path or dropped.

  • A particular feature or Layer 2 encapsulation is not supported at the lowest level. If CEF supports a particular feature, ownership of a packet is passed through a set of software routines in the CEF “feature path.”

  • A feature requires special handling.

A punt adjacency in CEF is installed when some output feature is not supported in CEF. CEF punts all packets that go to such an adjacency to the next best switching mode, in order to switch all the packets.

(from How to Verify Cisco Express Forwarding Switching)
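Packets that are punted all the way down to process switching are handled by the route processor, and that is the traffic Control Plane Policing rate-limits. The following Cisco IOS configuration is an added example, not taken from the original post or from Cisco's documentation: the class and ACL names, the addresses (documentation ranges) and the police rates are all assumptions to be replaced with values measured on your own network.

```cisco
! Constructed example: names, addresses (RFC 5737 documentation ranges)
! and police rates are placeholders, not recommended values.
ip access-list extended COPP-ROUTING-ACL
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
 permit ospf any any
ip access-list extended COPP-MGMT-ACL
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
ip access-list extended COPP-ICMP-ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING-ACL
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT-ACL
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP-ACL
!
policy-map COPP-IN
 ! Routing protocols: count conform/exceed but never drop,
 ! so a mis-sized rate cannot tear down adjacencies.
 class COPP-ROUTING
  police 512000 8000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 128000 4000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 32000 1500 conform-action transmit exceed-action drop
 ! Everything else that reaches the control plane is held to a low rate.
 class class-default
  police 64000 2000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-IN
!
! Check per-class conform/exceed counters with:
!   show policy-map control-plane
```

Running the policy with every class set to transmit on exceed first, and reading the counters before enabling any drop action, shows how much punted traffic each class really carries.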




  1. The Control Plane Policing feature allows users to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks.