04-01-2020 03:46 AM
Hi.
Trying to configure CoPP for arp request as said in this guide - https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_010001.html#con_...
class-map type control-plane match-any cm-arp
  match protocol arp
policy-map type control-plane pm-arp
  class cm-arp
    police cir 100 pps bc 10 packets conform transmit violate drop
NEXUS(config)# control-plane
NEXUS(config-cp)# service-policy input pm-arp
And after applying the policy-map in the control-plane section I received this error:
NEXUS %$ VDC-1 %$ %ACLQOS-SLOT1-2-ACLQOS_FAILED: ACLQOS failure: TCAM region is not configured for feature QoS class ARP direction ingress. Please configure TCAM region Ingress COPP [copp] and retry the command.
I tried to reallocate TCAM memory for different regions, but with no success.
Now it looks like this:
NEXUS# show hardware access-list tcam region
IPV4 PACL [ifacl] size = 0
IPV6 PACL [ipv6-ifacl] size = 0
MAC PACL [mac-ifacl] size = 0
IPV4 Port QoS [qos] size = 512
IPV6 Port QoS [ipv6-qos] size = 0
MAC Port QoS [mac-qos] size = 0
FEX IPV4 PACL [fex-ifacl] size = 0
FEX IPV6 PACL [fex-ipv6-ifacl] size = 0
FEX MAC PACL [fex-mac-ifacl] size = 0
FEX IPV4 Port QoS [fex-qos] size = 0
FEX IPV6 Port QoS [fex-ipv6-qos] size = 0
FEX MAC Port QoS [fex-mac-qos] size = 0
IPV4 VACL [vacl] size = 0
IPV6 VACL [ipv6-vacl] size = 0
MAC VACL [mac-vacl] size = 0
IPV4 VLAN QoS [vqos] size = 0
IPV6 VLAN QoS [ipv6-vqos] size = 0
MAC VLAN QoS [mac-vqos] size = 0
IPV4 RACL [racl] size = 256
IPV6 RACL [ipv6-racl] size = 0
IPV4 Port QoS Lite [qos-lite] size = 0
FEX IPV4 Port QoS Lite [fex-qos-lite] size = 0
IPV4 VLAN QoS Lite [vqos-lite] size = 0
IPV4 L3 QoS Lite [l3qos-lite] size = 0
Egress IPV4 QoS [e-qos] size = 0
Egress IPV6 QoS [e-ipv6-qos] size = 0
Egress MAC QoS [e-mac-qos] size = 0
Egress IPV4 VACL [vacl] size = 0
Egress IPV6 VACL [ipv6-vacl] size = 0
Egress MAC VACL [mac-vacl] size = 0
Egress IPV4 RACL [e-racl] size = 0
Egress IPV6 RACL [e-ipv6-racl] size = 0
Egress IPV4 QoS Lite [e-qos-lite] size = 0
IPV4 L3 QoS [l3qos] size = 256
IPV6 L3 QoS [ipv6-l3qos] size = 0
MAC L3 QoS [mac-l3qos] size = 0
Ingress System size = 256
Egress System size = 256
SPAN [span] size = 0
Ingress COPP [copp] size = 512
Ingress Flow Counters [flow] size = 0
Egress Flow Counters [e-flow] size = 0
Ingress SVI Counters [svi] size = 0
Redirect [redirect] size = 256
VPC Convergence/ES-Multi Home [vpc-convergence] size = 0
IPSG SMAC-IP bind table [ipsg] size = 0
Ingress ARP-Ether ACL [arp-ether] size = 0
ranger+ IPV4 QoS Lite [rp-qos-lite] size = 0
ranger+ IPV4 QoS [rp-qos] size = 256
ranger+ IPV6 QoS [rp-ipv6-qos] size = 0
ranger+ MAC QoS [rp-mac-qos] size = 256
NAT ACL[nat] size = 0
Mpls ACL size = 0
MOD RSVD size = 0
sFlow ACL [sflow] size = 0
mcast bidir ACL [mcast_bidir] size = 0
Openflow size = 0
Openflow Lite [openflow-lite] size = 0
Ingress FCoE Counters [fcoe-ingress] size = 0
Egress FCoE Counters [fcoe-egress] size = 0
Redirect-Tunnel [redirect-tunnel] size = 0
SPAN+sFlow ACL [span-sflow] size = 0
Openflow IPv6 [openflow-ipv6] size = 0
mcast performance ACL [mcast-performance] size = 0
Mpls Double Width ACL size = 0
N9K ARP ACL [n9k-arp-acl] size = 0
N3K V6 Span size = 0
N3K V6 L2 Span size = 0
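One way to cross-check the region named in the ACLQOS_FAILED message against the `show hardware access-list tcam region` output, as an added example that is not part of the original posts. The table below is a constructed subset of the output quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines in the format of the
# `show hardware access-list tcam region` output quoted in the post.
SAMPLE_TABLE = """\
IPV4 Port QoS [qos] size = 512
IPV4 VACL [vacl] size = 0
Egress IPV4 VACL [vacl] size = 0
Ingress System size = 256
Ingress COPP [copp] size = 512
Ingress ARP-Ether ACL [arp-ether] size = 0
NAT ACL[nat] size = 0
"""

# The syslog text from the post, without the hostname/VDC prefix.
SAMPLE_ERROR = (
    "%ACLQOS-SLOT1-2-ACLQOS_FAILED: ACLQOS failure: TCAM region is not "
    "configured for feature QoS class ARP direction ingress. Please configure "
    "TCAM region Ingress COPP [copp] and retry the command."
)

# The tag is optional ("Ingress System") and may touch the name ("NAT ACL[nat]").
REGION_RE = re.compile(
    r"^\s*(?P<name>.+?)\s*(?:\[(?P<tag>[\w+-]+)\])?\s+size\s*=\s*(?P<size>\d+)\s*$")
ERROR_RE = re.compile(r"Please configure TCAM region (?P<name>.+?) \[(?P<tag>[\w+-]+)\]")

def parse_regions(table):
    """Return (name, tag, size) per region line; tag is None when absent."""
    rows = (REGION_RE.match(line) for line in table.splitlines())
    return [(m["name"], m["tag"], int(m["size"])) for m in rows if m]

def ambiguous_tags(table):
    """Tags printed for more than one region, e.g. [vacl] for ingress and egress."""
    counts = Counter(tag for _, tag, _ in parse_regions(table) if tag)
    return sorted(tag for tag, n in counts.items() if n > 1)

def check_error_region(error, table):
    """Find the region the error names; match name and tag, since tags repeat."""
    m = ERROR_RE.search(error)
    if not m:
        return None
    for name, tag, size in parse_regions(table):
        if name == m["name"] and tag == m["tag"]:
            return {"region": name, "tag": tag, "size": size, "allocated": size > 0}
    return {"region": m["name"], "tag": m["tag"], "size": None, "allocated": False}

if __name__ == "__main__":
    print(check_error_region(SAMPLE_ERROR, SAMPLE_TABLE))
    print("tags used by more than one region:", ambiguous_tags(SAMPLE_TABLE))
```

Run over the full output, it shows at a glance which regions are carved and whether the one the error names is among them.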
04-01-2020 05:45 AM - edited 04-01-2020 05:47 AM
Hi,
I hope you copied a CoPP profile and modified it, and that you did not configure a new policy-map. If not, then you are lucky that you got the error, because otherwise your network would be down now. You configured a single class in the CoPP policy-map, so everything else will be dropped.
If you plan to modify a class, first, make sure you copy a desired profile:
Step 1: copp copy profile {strict | moderate | lenient | dense} {prefix | suffix} string
  Example: switch# copp copy profile strict prefix abc
  Creates a copy of the CoPP best practice policy. CoPP renames all class maps and policy maps with the specified prefix or suffix.
Step 2: (Optional) show copp status
  Example: switch# show copp status
  Displays the CoPP status, including the last configuration operation and its status. This command also enables you to verify that the copied policy is not attached to the control plane.
Step 3: (Optional) show running-config copp
  Example: switch# show running-config copp
  Displays the CoPP configuration in the running configuration, including the copied policy configuration.
Only after that modify the custom classes.
Regarding the TCAM, how did you reallocate the space? Did you receive any errors? Have you reloaded the switch after the change?
Regards,
Sergiu
04-01-2020 10:44 AM
Hi.
> I hope you copied a CoPP profile and modified it, and that you did not configure a new policy-map. If not, then you are lucky that you got the error, because otherwise your network would be down now. You configured a single class in the CoPP policy-map, so everything else will be dropped.
It's a demo, so I can do everything and it doesn't matter :)
> Regarding the TCAM, how did you reallocate the space? Did you receive any errors? Have you reloaded the switch after the change?
With the command hardware access-list tcam region and different TCAM regions. Reduced some and increased others.
And after any change I reboot.
04-01-2020 12:25 PM
Hi,
> It's a demo, so I can do everything and it doesn't matter :)
That's good :-) For production, make sure you copy a profile and modify the copy.
> With the command hardware access-list tcam region and different TCAM regions. Reduced some and increased others.
Try to add more space. Anyway, the COPP TCAM region is by default 95% utilized.
Regards,
Sergiu