Control Plane Policing CoPP Configuration on Nexus9k

moakintola
Level 1

Hi all,

I am migrating from an older Nexus switch to a Nexus 9k. Now I have a CoPP configuration that is not working on the N9k. Kindly see below:

ip access-list copp-system-acl-ping
10 permit icmp any any echo
20 permit icmp any any echo-reply

class-map type control-plane match-any copp-s-ping
match access-group name copp-system-acl-ping

policy-map type control-plane copp-system-policy

class copp-s-ping
police pps 100

control-plane
service-policy input copp-system-policy

Access list, class-map and policy-map are fine, but police is not (see bold text or attached image).

Kindly help on how to re-configure. Thanks

4 Replies

f00z
Level 3

Newer models are a different ASIC; start over and rebuild it from scratch. You can use your old custom ACLs/CMs, but all of the built-in ones are different, and they are not in pps either. Apply a default CoPP, add your custom ACLs and go from there to tweak it.

For example, Nexus 9372/9332 is Broadcom T2 and thus it has CoPP for this ASIC, similar to Nexus 3k.

Nexus 9k EX and newer (FX, GX, etc.) is a different ASIC and the CoPP is entirely different. I.e. the policer is like this:

class whatever
set cos 1
police cir 1300 kbps bc 48000 bytes conform transmit violate drop

Basically, if it's a different platform you need to redo the entire copp and retest it all to make sure it works. Welcome to one of the pain points of networking. 

 

moakintola
Level 1

Thank you.

Can you help to interpret

police pps 100

into

police cir xxxx kbps bc xxxxx bytes conform transmit violate drop

There isn't. Like I said, take a look at the default CoPP buildout on the new switches and then modify it for what you want.

The EX/FX etc. don't do PPS; you can't do CoPP pps or storm-control pps. It's kbps, and there's no real correlation from pps to kbps because kbps depends on the packet sizes: if it's small packets it'll be more pps, large packets will be less pps, so there's no 1:1 relation.

So what you can do is look at the ICMP policer on the new CoPP, which seems to be in the 'monitoring' class. Weird, but it is.

class copp-system-p-class-monitoring
set cos 1
police cir 360 kbps bc 192000 bytes conform transmit violate drop

class-map type control-plane match-any copp-system-p-class-monitoring
match access-group name copp-system-p-acl-icmp
match access-group name copp-system-p-acl-icmp6
match access-group name copp-system-p-acl-traceroute

You can edit all the access groups for these too; there's no concept of some being uneditable (static) and some dynamic like there is on the Broadcom chip.

So it's a really good idea to make your own CoPP entirely for the new platform. On top of that, set the cos values to give it different CPU queue priority.

Just expanding on my suggestion to make your own CoPP: you can copy the profile with the command

copp copy profile strict prefix MYCOPP    (or other variations of it with whatever you want)

and it will make a new copp profile with MYCOPP-xxxx  and you can edit all of that and do what you want and then apply it. All of the profile will show up in the running config without having to use 'all' so you can easily see all the defaults.
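
The packet-size dependence described in this thread, worked through for the policer lines quoted above. This is an added example, not part of the original posts and not Cisco code; the function names, the sample packet sizes, and the assumptions that 1 kbps is 1000 bit/s and that the policer counts the full packet size passed in are illustrative.

```python
import re

# Matches only the two policer forms quoted in the thread:
#   police pps 100
#   police cir 360 kbps bc 192000 bytes conform transmit violate drop
POLICE_RE = re.compile(
    r"^\s*police\s+(?:pps\s+(?P<pps>\d+)"
    r"|cir\s+(?P<cir>\d+)\s+kbps\s+bc\s+(?P<bc>\d+)\s+bytes\b.*)\s*$"
)

def parse_police(line):
    """Return {'pps': n} or {'cir_kbps': n, 'bc_bytes': n}."""
    m = POLICE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported police line: {line!r}")
    if m.group("pps"):
        return {"pps": int(m.group("pps"))}
    return {"cir_kbps": int(m.group("cir")), "bc_bytes": int(m.group("bc"))}

def admitted(policer, pkt_bytes):
    """(sustained packets/s, back-to-back burst packets) for one packet size."""
    if pkt_bytes <= 0:
        raise ValueError("packet size must be positive")
    sustained = policer["cir_kbps"] * 1000 / (8 * pkt_bytes)
    burst = policer["bc_bytes"] // pkt_bytes
    return sustained, burst

def kbps_for_pps(pps, pkt_bytes):
    """Bit rate generated by `pps` packets per second of one size."""
    return pps * pkt_bytes * 8 / 1000

if __name__ == "__main__":
    old = parse_police("police pps 100")
    new_lines = [
        "police cir 1300 kbps bc 48000 bytes conform transmit violate drop",
        "police cir 360 kbps bc 192000 bytes conform transmit violate drop",
    ]
    sizes = (64, 512, 1500)  # constructed sample packet sizes, in bytes
    for size in sizes:
        rate = kbps_for_pps(old["pps"], size)
        print(f"{old['pps']} pps of {size}-byte packets = {rate:g} kbps")
    for line in new_lines:
        p = parse_police(line)
        for size in sizes:
            pps, burst = admitted(p, size)
            print(f"cir {p['cir_kbps']} kbps @ {size} B: "
                  f"{pps:.1f} pps sustained, {burst} packet burst")
```

Running it shows the same cir value admitting over twenty times more small packets than large ones, which is why any CIR chosen to replace a pps policer has to be retested against the traffic the class actually matches.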

 
