08-23-2018 08:03 AM
Problem:
ARP packets passed through an L2 VLAN on the N3K increase the CoPP class-map copp-s-arp counter; in effect there are ARP timeouts on valid VLANs with SVI interfaces, which naturally causes the network to become unreachable.
The same problem is described for the N7K in this article:
and also in this bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCub47533
I can't find anything related to the N3K, but it seems it is also affected by the same thing. Can anyone confirm it, or provide a link to a bug for the N3K with this problem?
In my case it isn't really an ARP storm, it's normal traffic, because there are many VLANs on the device, and sometimes the CoPP limits aren't enough.
For now I've implemented my own class-map to protect the valid SVIs, but that's also vulnerable, because in a MAC access-list there is no way to also specify the VID, only the IP.
08-27-2018 06:37 AM
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCug39787/?reffering_site=dumpcr
It has a workaround listed, if that helps.
-Raj
08-31-2018 05:51 AM
That's what I've done to overcome the problem, but it isn't perfect. I.e. when one of the clients starts to use the same IPs as I already use (and they are in the ARP ACL), it would impact our N3K. It would be better if the ARP ACL could also contain the VLAN.
Another way to solve this is to configure static ARP entries on the SVIs, but it's really annoying to maintain such a configuration. I thought that Cisco would somehow solve that situation, but since it's rather a hardware problem I think hope is lost in that case.
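As an added illustration (not configuration from any of the posters, and not the workaround text of the bug linked above), the following NX-OS fragment sketches the two approaches discussed in the thread: a dedicated CoPP class fed by an ARP ACL for the SVI addresses, placed ahead of the stock copp-s-arp class, and a static ARP entry on an SVI. The ACL, class and policy names, the addresses, the MAC and the rate are placeholders. Whether `match access-group` accepts an ARP ACL, whether the policer is configured in pps, and whether `insert-before` is available in the policy-map are assumptions that depend on the N3K model and NX-OS release, so verify against that release's CoPP guide before applying.

```text
! Added example, not from the thread. Names, addresses, MAC and rate are placeholders.
!
! 1) Match ARP traffic carrying the SVI addresses in a dedicated CoPP class.
!    As the thread notes, an ARP ACL keys on sender IP/MAC only, not on VLAN ID,
!    so a host in another VLAN that uses the same IP also lands in this class.
arp access-list ARP-SVI-PROTECT
  10 permit ip host 10.10.10.1 mac any
  20 permit ip host 10.10.20.1 mac any

class-map type control-plane match-any copp-class-arp-svi
  match access-group name ARP-SVI-PROTECT

! CoPP classes are evaluated in order, so the specific class must come before
! copp-s-arp or the packets keep being counted against the stock class
! (assumed: insert-before is accepted on this release; otherwise rebuild the
! policy with the class in the right position).
policy-map type control-plane copp-system-policy
  class copp-class-arp-svi insert-before copp-s-arp
    police pps 1000

! 2) Alternative: pin a neighbour on the SVI so no ARP resolution is needed for it.
!    The per-host maintenance is the cost mentioned in the thread.
interface Vlan10
  ip address 10.10.10.1/24
  ip arp 10.10.10.50 0011.2233.4455

! Check: per-class conformed/violated counters for the control plane, before and
! after the change, to confirm ARP for the SVIs moved out of copp-s-arp.
! show policy-map interface control-plane
```

The check at the end is the one to watch: if the violated counter of copp-s-arp keeps climbing while copp-class-arp-svi stays at zero, the new class is either ordered after copp-s-arp or the ACL is not matching the punted ARP frames, and the SVI timeouts will continue.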