04-13-2020 06:06 AM
Hi Team,
Can you please confirm whether we need to match CoPP policing for IP SLA, for the ports defined in the config?
Regards,
Rahul
04-13-2020 06:44 AM
Hi Rahul,
By default, you do not need to configure any additional CoPP policy for IP SLA, since it will match anyway on the default policy.
However, if you are using IP SLA at a large scale, you will need to configure a new CoPP policy to avoid drops.
'''
The following CoPP configuration example allows IP SLA packets to pass through. It assumes destination ports and source ports in the range of 6500-7000. In this example, if “insert-before” is not specified, "copp-ipsla" will be added after “class-default.”
'''
ip access-list acl-sla-allow
  10 remark ### ALLOW SLA control packets from 1.1.1.0/24
  20 permit udp 1.1.1.0/24 any eq 1967
  30 remark ### ALLOW SLA data packets from 1.1.1.0/24 using ports 6500-7000
  40 permit udp 1.1.1.0/24 any range 6500 7000
class-map type control-plane match-any copp-ipsla
  match access-group name acl-sla-allow
policy-map type control-plane Custom-copp-policy-strict
  class copp-ipsla insert-before Custom-copp-class-l2-default
    police cir 1500 kbps
control-plane
  service-policy input Custom-copp-policy-strict
Cheers,
Sergiu
04-14-2020 03:35 AM
Hi Sergiu, Thanks for the reply.
We have the below config on our device, and I could see the SLA operation is unsuccessful.
No firewall or routing issues in between, all good.
DC1-SW1#
ip sla 100
udp-jitter 192.168.73.144 58010 source-ip 192.168.163.1 codec g711alaw
timeout 10000
ip sla schedule 100 life forever start-time now
ip sla 200
udp-jitter 192.168.73.144 58020 source-ip 192.168.163.1
timeout 10000
ip sla schedule 200 life forever start-time now
############################################
DC2-SW1#
NXOS: version 7.0(3)I5(2)
feature sla responder
ip sla responder udp-echo ipaddress 192.168.163.1 port 58010
ip sla responder udp-echo ipaddress 192.168.163.1 port 58020
Regards,
Raghul
04-15-2020 12:33 AM
Maybe you can check the debug (debug ip sla responder all), and see if the ip sla process receives the packets. If you do not see anything generated by debug, then it means there is no connection. In this case you should try configuring a copp class for IP SLA.
Regards,
Sergiu
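An added example, not part of any post in this thread: a small offline check of whether the udp-jitter probes posted above would be matched by the documentation ACL `acl-sla-allow` if it were applied unchanged. The inputs are copied from the thread and embedded as constructed sample text; the function names are hypothetical, and only `permit udp <src> any eq|range` entries are parsed.

```python
import ipaddress
import re

# Constructed input: the ACL from the reply above and the probes from the follow-up post.
ACL = """\
ip access-list acl-sla-allow
  10 remark ### ALLOW SLA control packets from 1.1.1.0/24
  20 permit udp 1.1.1.0/24 any eq 1967
  30 remark ### ALLOW SLA data packets from 1.1.1.0/24 using ports 6500-7000
  40 permit udp 1.1.1.0/24 any range 6500 7000
"""
PROBES = """\
ip sla 100
 udp-jitter 192.168.73.144 58010 source-ip 192.168.163.1 codec g711alaw
ip sla 200
 udp-jitter 192.168.73.144 58020 source-ip 192.168.163.1
"""
SLA_CONTROL_PORT = 1967  # control port named in the ACL remark on the page

ACE_RE = re.compile(r"^\s*\d+\s+permit\s+udp\s+(\S+)\s+any\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+))\s*$")
PROBE_RE = re.compile(r"^\s*udp-jitter\s+(\S+)\s+(\d+)\s+source-ip\s+(\S+)")

def parse_acl(text):
    """Return (source_network, low_port, high_port) for each 'permit udp <src> any eq|range' entry."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            lo = int(m.group(2) or m.group(3))
            hi = int(m.group(2) or m.group(4))
            aces.append((ipaddress.ip_network(m.group(1)), lo, hi))
    return aces

def parse_probes(text):
    """Return (source_ip, destination_port) for each udp-jitter operation."""
    return [(ipaddress.ip_address(m.group(3)), int(m.group(2)))
            for m in map(PROBE_RE.match, text.splitlines()) if m]

def matched(aces, src, port):
    return any(src in net and lo <= port <= hi for net, lo, hi in aces)

def uncovered(acl_text, probe_text):
    """List (source_ip, port) flows, control port included, that miss every ACL entry."""
    aces = parse_acl(acl_text)
    flows = {(src, p) for src, port in parse_probes(probe_text) for p in (SLA_CONTROL_PORT, port)}
    return sorted((str(s), p) for s, p in flows if not matched(aces, s, p))

if __name__ == "__main__":
    for src, port in uncovered(ACL, PROBES):
        print(f"udp {src} -> port {port}: not in acl-sla-allow, falls through to other CoPP classes")
```

With the thread's values, every flow is reported as uncovered, because the sample ACL permits only 1.1.1.0/24 and ports 1967 and 6500-7000; the source network and port range have to be adapted to the probes actually in use.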