Core Issue
When you log in to a Nexus 7000 switch and continuously ping any device, you may notice packet loss. The percentage of packet loss increases as you increase the ICMP packet size.
Nexus7000# ping 10.10.10.50 count 20 packet-size 1472
PING 10.10.10.50 (10.10.10.50): 1472 data bytes
1480 bytes from 10.10.10.50: icmp_seq=0 ttl=63 time=1.145 ms
1480 bytes from 10.10.10.50: icmp_seq=1 ttl=63 time=0.552 ms
1480 bytes from 10.10.10.50: icmp_seq=2 ttl=63 time=0.796 ms
1480 bytes from 10.10.10.50: icmp_seq=3 ttl=63 time=0.798 ms
1480 bytes from 10.10.10.50: icmp_seq=4 ttl=63 time=1.195 ms
1480 bytes from 10.10.10.50: icmp_seq=5 ttl=63 time=1.197 ms
1480 bytes from 10.10.10.50: icmp_seq=6 ttl=63 time=1.197 ms
1480 bytes from 10.10.10.50: icmp_seq=7 ttl=63 time=1.196 ms
1480 bytes from 10.10.10.50: icmp_seq=8 ttl=63 time=1.201 ms
1480 bytes from 10.10.10.50: icmp_seq=9 ttl=63 time=1.189 ms
1480 bytes from 10.10.10.50: icmp_seq=10 ttl=63 time=1.051 ms
Request 11 timed out.
1480 bytes from 10.10.10.50: icmp_seq=12 ttl=63 time=0.952 ms
1480 bytes from 10.10.10.50: icmp_seq=13 ttl=63 time=1.106 ms
1480 bytes from 10.10.10.50: icmp_seq=14 ttl=63 time=1.22 ms
1480 bytes from 10.10.10.50: icmp_seq=15 ttl=63 time=1.222 ms
1480 bytes from 10.10.10.50: icmp_seq=16 ttl=63 time=1.22 ms
1480 bytes from 10.10.10.50: icmp_seq=17 ttl=63 time=1.106 ms
1480 bytes from 10.10.10.50: icmp_seq=18 ttl=63 time=1.218 ms
1480 bytes from 10.10.10.50: icmp_seq=19 ttl=63 time=1.216 ms
--- 10.10.10.50 ping statistics ---
20 packets transmitted, 19 packets received, 5.00% packet loss
round-trip min/avg/max = 0.552/1.093/1.222 ms
Resolution
This is expected behaviour. By default, Nexus 7000 Series switches have CoPP (Control Plane Policing) configured. The CoPP configuration protects the switch CPU from DoS attacks. The class map copp-system-class-monitoring matches ICMP packets and polices them at 130 kbps.
class-map type control-plane match-any copp-system-class-monitoring
  match access-group name copp-system-acl-icmp
  match access-group name copp-system-acl-icmp6
  match access-group name copp-system-acl-traceroute
policy-map type control-plane copp-system-policy
  class copp-system-class-monitoring
    set cos 1
    police cir 130 kbps bc 1000 ms conform transmit violate drop
You can monitor the CoPP statistics for dropped ICMP packets with the following command:
Nexus7000# show policy-map interface control-plane class copp-system-class-monitoring
control Plane
  service-policy input: copp-system-policy
    class-map copp-system-class-monitoring (match-any)
      match access-grp name copp-system-acl-icmp
      match access-grp name copp-system-acl-icmp6
      match access-grp name copp-system-acl-traceroute
      set cos 1
      police cir 130 kbps , bc 1000 ms
      module 1 :
        conformed 477438 bytes; action: transmit
        violated 29352 bytes; action: drop <<<< This counter increments when you see the packet loss in the ping.
      module 2 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop
      module 3 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop
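To confirm that ping loss lines up with CoPP drops, you can compare two snapshots of the output above and see which modules' violated counters grew. The following is an added example, not Cisco code: the function names are hypothetical, the first snapshot is a trimmed copy of the output shown here, and the second snapshot's values are invented for illustration.

```python
import re

# Constructed sample: trimmed output of
# "show policy-map interface control-plane class copp-system-class-monitoring"
BEFORE = """\
class-map copp-system-class-monitoring (match-any)
  police cir 130 kbps , bc 1000 ms
  module 1 :
    conformed 477438 bytes; action: transmit
    violated 29352 bytes; action: drop
  module 2 :
    conformed 0 bytes; action: transmit
    violated 0 bytes; action: drop
"""
# Constructed second snapshot taken after a ping test (counter values invented).
AFTER = BEFORE.replace("477438", "505558").replace("29352", "30832")

MODULE_RE = re.compile(r"^\s*module\s+(\d+)\s*:")
COUNTER_RE = re.compile(r"^\s*(conformed|violated)\s+(\d+)\s+bytes")

def parse_copp(text):
    """Return {module: {'conformed': bytes, 'violated': bytes}}."""
    stats, module = {}, None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            module = int(m.group(1))
            stats[module] = {"conformed": 0, "violated": 0}
            continue
        c = COUNTER_RE.match(line)
        if c and module is not None:
            stats[module][c.group(1)] = int(c.group(2))
    return stats

def policed_modules(before, after):
    """Modules whose violated counter grew between two snapshots."""
    old, new = parse_copp(before), parse_copp(after)
    result = {}
    for mod, cur in new.items():
        prev = old.get(mod, {"conformed": 0, "violated": 0})
        dropped = cur["violated"] - prev["violated"]
        passed = cur["conformed"] - prev["conformed"]
        # Skip modules with no new drops or with counters cleared in between.
        if dropped > 0 and passed >= 0:
            pct = round(100 * dropped / (dropped + passed), 2)
            result[mod] = {"dropped_bytes": dropped, "drop_pct": pct}
    return result

if __name__ == "__main__":
    print(policed_modules(BEFORE, AFTER))
```

A growing violated counter on a module during the test window indicates the loss is the control-plane policer at work, not a forwarding problem.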
As mentioned earlier in this document, this is expected behaviour. Packet loss when you ping from or to a Nexus 7000 Series switch does not represent the performance of the switch for packets traversing it. Packets traversing the switch are handled by the switch hardware (data plane). When you ping from the switch or to the switch, those packets are handled by the switch CPU (control plane).
Conclusion
When you troubleshoot application performance and want to verify whether the Nexus 7000 switch is the cause of the slow performance, do not run the ping test from or to the Nexus 7000 Series switch. Instead, test connectivity by passing traffic through the Nexus 7000 Series switch.