10-19-2023 12:03 AM
I had intermittent ping drop issues when initiating a ping from the switch itself to its own SVI IP address.
Switch#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 192.168.24.14   YES NVRAM  up                    up
ping 192.168.24.14 source 192.168.24.14
Below are the class-maps:
class-map match-any system-cpp-police-ewlc-control
 description EWLC Control
class-map match-any system-cpp-police-topology-control
 description Topology control
class-map match-any system-cpp-police-sw-forward
 description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
 description EWLC data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
 description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
 description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
 description L2 LVX control packets
class-map match-any system-cpp-police-forus
 description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
 description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
 description High Rate Applications
class-map match-any system-cpp-police-multicast
 description MCAST Data
class-map match-any system-cpp-police-l2-control
 description L2 control
class-map match-any system-cpp-police-dot1x-auth
 description DOT1X Auth
class-map match-any system-cpp-police-data
 description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
 description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
 description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
 description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
 description DHCP snooping
class-map match-any system-cpp-police-ios-routing
 description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
 description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
 description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy <-- Notice no class-maps below this policy-map, are any of the class-maps in use?
control-plane
 service-policy input system-cpp-policy
The ping drop issue was resolved after I executed the command below on the switch:
configure terminal
policy-map system-cpp-policy
 class system-cpp-police-forus
  no police rate 2000 pps
end
Firstly, I do not understand why removing the police rate resolved the issue, and how can you tell this is the class-map to remove the police rate from?
Also, why is class-map system-cpp-police-forus showing 0 packets, 0 bytes hit since the issue is resolved?
switch# show policy-map control-plane
Control Plane
  Class-map: system-cpp-police-forus (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0000 bps
    Match: none
Also if class-map system-cpp-police-forus is not hit, shouldn't it hit the default class-map? I notice Class-map class-default is also showing 0 packets, 0 bytes?
  Class-map: class-default (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: any
10-19-2023 12:19 AM
system-cpp-police-forus
Forus: this CoPP class is for any traffic toward any IP in the SW.
That is why it works when you add the rate.
10-19-2023 12:31 AM
As per my earlier questions, how can you tell 'system-cpp-police-forus' is in use? Also, please explain why a rate is added when the command executed is 'no police rate 2000 pps'?
10-19-2023 12:41 AM
Show policy-map control plane class .....
This gives you some more detail about forus.
For the rate, increase the rate to 4000; I think the default is higher than 2000 and that makes ping work.
10-19-2023 10:52 PM
Any idea why it shows 0 packets, 0 bytes here? Also, increasing the rate to 4000 pps doesn't work.
10-19-2023 10:57 PM - edited 10-19-2023 10:59 PM
The conformed count is increasing; this indicates that traffic hits this policy.
As for the first packet/byte count, this, as I remember, is for the ACL; the ISR with IOS XE can count traffic hitting the ACL of the policy, but the SW IOS XE cannot count since the ACL is done in HW.
Run a ping and check conformed.
https://www.networktut.com/control-plane-policing-copp-tutorial
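The check described in this reply (ignore the "0 packets, 0 bytes" line and watch the police counters while pinging), as an added example that is not part of the original thread: a Python parser that compares the exceeded counters of two "show policy-map control-plane" snapshots. The sample output, its counter values and the function names are constructed for illustration, and the layout of the police section is assumed from typical IOS XE switch output.

```python
import re

# Constructed sample modelled on "show policy-map control-plane" output from an
# IOS XE switch; the burst and counter values are invented for illustration.
SAMPLE = """\
Control Plane
  Service-policy input: system-cpp-policy
    Class-map: system-cpp-police-forus (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 2000 pps, burst 488 packets
            conformed 184320 bytes; actions:
              transmit
            exceeded 560 bytes; actions:
              drop
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
RATE_RE = re.compile(r"^\s*rate\s+(\d+)\s+pps")
COUNT_RE = re.compile(r"^\s*(conformed|exceeded)\s+(\d+)\s+bytes")


def parse_copp(text):
    """Return {class_name: {"rate_pps", "conformed", "exceeded"}} per class."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = classes.setdefault(
                m.group(1), {"rate_pps": None, "conformed": 0, "exceeded": 0})
        elif current is not None and (m := RATE_RE.match(line)):
            current["rate_pps"] = int(m.group(1))
        elif current is not None and (m := COUNT_RE.match(line)):
            current[m.group(1)] = int(m.group(2))
    return classes


def policed_drops(before, after):
    """Classes whose exceeded byte counter grew between two snapshots."""
    a, b = parse_copp(before), parse_copp(after)
    return {name: b[name]["exceeded"] - a.get(name, {}).get("exceeded", 0)
            for name in b
            if b[name]["exceeded"] > a.get(name, {}).get("exceeded", 0)}
```

Capture one snapshot before the ping test and one after; a class that appears in the result was dropping traffic at its policer during the test.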
10-19-2023 11:38 PM
Exceeded 0 bytes but the issue is still there. You mean there is a need to configure CoPP using a customized class-map and policy-map?
10-19-2023 11:56 PM
You shared two outputs.
One exceeded count is 560 and the other is zero.
I think the first show is from when you configured rate 4000.
Customized class map with ACL, hmmm, that I need to check, how the ACL must be configured.
MHM
11-14-2023 09:45 PM
Any clue on the customized class-map and ACL to add?
Please explain why the initial config of policy-map system-cpp-policy does not have any class-map defined below it; does that mean it is not in use? However, why did disabling the police rate ('no police rate 2000 pps') resolve the issue?
policy-map system-cpp-policy
 class system-cpp-police-forus
  no police rate 2000 pps
11-14-2023 11:18 PM
Friend, there are two:
Policy-map <<- this is used to set rate ..... etc., and it uses class-map under it.
Class-map <<- this is used to match traffic.
In your case the policy doesn't have a class-map and it matches all traffic passing through, and you can see it in show.
Match-any <<- meaning match any traffic.