
How to verify CoPP Class-map

Kenneth Goh
Level 1

I had intermittent ping drops when pinging from the switch itself to its own SVI IP address.

Switch#show ip int brief
Interface  IP-Address      OK?   Method   Status Protocol
Vlan10    192.168.24.14   YES   NVRAM   up       up

ping 192.168.24.14 source 192.168.24.14

Below are the class-maps:

class-map match-any system-cpp-police-ewlc-control
  description EWLC Control
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
  description EWLC data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
  description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
  description High Rate Applications
class-map match-any system-cpp-police-multicast
  description MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-ios-routing
  description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
  description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy <-- Notice there are no class-maps below this policy-map; are any of the class-maps in use?

control-plane
service-policy input system-cpp-policy

The ping drop issue was resolved after I executed the command below on the switch:

configure terminal
policy-map system-cpp-policy
class system-cpp-police-forus
no police rate 2000 pps
end

Firstly, I do not understand why removing the police rate resolved the issue, and how can you tell this is the class-map to remove the police rate from?

Also why is class-map system-cpp-police-forus showing 0 packets 0 bytes hit since the issue is resolved?

switch# show policy-map control-plane
Control Plane

Class-map: system-cpp-police-forus (match-any)
  0 packets, 0 bytes
  5 minute offered rate 0000 bps
  Match: none

Also if class-map system-cpp-police-forus is not hit, shouldn't it hit the default class-map? I notice Class-map class-default is also showing 0 packets, 0 bytes?

Class-map: class-default (match-any)
  0 packets, 0 bytes
  5 minute offered rate 0000 bps, drop rate 0000 bps
  Match: any

9 Replies

system-cpp-police-forus

Forus: this CoPP class is for any traffic toward any IP in the SW.

That is why when you add rate it works.

As per my earlier questions, how can you tell 'system-cpp-police-forus' is in use? Also, please explain why rate is added, as the command executed is 'no police rate 2000 pps'?

Show policy-map control plane class .....

This gives you some more detail about forus.

For the rate, increase the rate to 4000; I think the default is higher than 2000 and that makes ping work.

Any idea why it shows 0 packets, 0 bytes here? Also, increasing the rate to 4000 pps doesn't work.

[Screenshot attachment: KennethGoh_0-1697781048258.png]

The conformed count is increasing; this indicates that traffic hit this policy.

For the first packet/byte count, this, as I remember, is for the ACL; the ISR with IOS XE can count traffic hitting the ACL of the policy, but the SW with IOS XE cannot count since the ACL is done in HW.

Do a ping and check conformed.

https://www.networktut.com/control-plane-policing-copp-tutorial

Exceeded 0 bytes but the issue is still there. You mean there is a need to configure CoPP using a customized class-map and policy-map?

[Screenshot attachment: KennethGoh_0-1697783450245.png]

You shared two outputs.

In one the exceeded count is 560 and in the other it is zero.

I think the first show is from when you configured rate 4000.

Customized class-map with ACL, hmmm, I need to check how the ACL must be configured.

MHM

Any clue on the customized class-map and ACL to add?

Please explain why the initial config of policy-map system-cpp-policy does not have any class-map defined below it; does that mean it is not in use? However, why did disabling the police rate with 'no police rate 2000 pps' resolve the issue?

policy-map system-cpp-policy
class system-cpp-police-forus
no police rate 2000 pps

Friend, there are two:

Policy-map <<- this is used to set rate, etc., and it uses class-maps under it.

Class-map <<- this is used to match traffic.

In your case the policy doesn't have a class-map and it matches all traffic passing through, and you can see in the show:

Match-any <<- meaning match any traffic.
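
Added example, not part of the thread: since the thread settles on the police: conformed/exceeded byte counters (not the "0 packets, 0 bytes" line) as the way to see whether a CoPP class is hit or dropping, this sketch diffs those counters between two saved `show policy-map control-plane` outputs taken before and after a ping test. The sample output is constructed (class names from the thread, rates and counter values invented) and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of `show policy-map control-plane` on an
# IOS XE switch; class names are from the thread, rates and counters are invented.
TEMPLATE = """\
Class-map: system-cpp-police-forus (match-any)
  0 packets, 0 bytes
  Match: none
  police:
      rate 2000 pps, burst 488 packets
        conformed {fc} bytes; actions:
          transmit
        exceeded {fe} bytes; actions:
          drop
Class-map: system-cpp-police-data (match-any)
  0 packets, 0 bytes
  Match: none
  police:
      rate 600 pps, burst 146 packets
        conformed {dc} bytes; actions:
          transmit
        exceeded {de} bytes; actions:
          drop
"""
BEFORE = TEMPLATE.format(fc=184320, fe=0, dc=9000, de=0)
AFTER = TEMPLATE.format(fc=190464, fe=560, dc=9000, de=0)  # after the ping test
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
COUNT_RE = re.compile(r"^\s*(conformed|exceeded)\s+(\d+)\s+bytes")

def parse_policers(text):
    """Map class name -> policer byte counters; the packets/bytes line is ignored."""
    classes, cur = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = classes.setdefault(m.group(1), {"conformed": 0, "exceeded": 0})
        elif cur is not None and (m := COUNT_RE.match(line)):
            cur[m.group(1)] = int(m.group(2))
    return classes

def policer_deltas(before, after):
    """Per class: growth in conformed (class is hit) and exceeded (class is dropping)."""
    b, a = parse_policers(before), parse_policers(after)
    return {name: {k: a[name][k] - b.get(name, {}).get(k, 0)
                   for k in ("conformed", "exceeded")} for name in a}

def dropping_classes(before, after):
    return sorted(n for n, d in policer_deltas(before, after).items() if d["exceeded"] > 0)

if __name__ == "__main__":
    print(policer_deltas(BEFORE, AFTER), dropping_classes(BEFORE, AFTER))
```

A class whose conformed counter grows during the test is the one the traffic is landing in; a class whose exceeded counter grows is the one policing it.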