
Verifying CoPP violation

Junior19
Level 1

Hi All,

Greetings!

I'm trying to test out the CoPP violation on a C9600 switch.

By this guide, 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9600/softwasimire/release/16-11/configuration_guide/sec/b_1611_sec_9600_cg/b_1611_sec_9600_cg_chapter_0101000.html

I understand that policing rate can be modified. However, I couldn't think of and find out how to simulate and verify the violation. 

There are 21 Class-map in total and I'd like to test out to reach the violation.

Any pointers, documents and posts would be much appreciated.

Thanks,

Junior 

 

 


balaji.bandi
Hall of Fame

I had downloaded this some time ago while reading a site I found on the internet for CCNP.

Check the attachment for reference:

 

BB


@balaji.bandi 

I've found that document and read through it. As far as I understand, it is implementing its own ACLs class-maps along with a policy map and setting it onto CoPP. In this case, I realized it will obviously hit the exceeded as long as I set the minimum. I think that case is different from mine.

Thanks for the pointer anyway. If you have more thoughts on this, feel free to let me know.

Best,

 

Switch(config-pmap-c)#police rate 10 pps  <<- first assign low pps then ping to interface of SW, you will see some packet drop 

Junior19
Level 1

@MHM Cisco World 

ICMP traffic cpu queue is related to class system-cpp-police-data.

The default parameter is as follows:

class system-cpp-police-data
police rate 750 pps

When I assign it to 10 pps, the min pps allowed to set for this value is 250 pps. Then while pinging successfully from another box, I collect the show policy-map control-plane, it does not even hit the conformed bytes.


C9606R_CS01(config-pmap-c-police)#do sh policy-map control-plane | i Class-map|conformed|exceed
Class-map: system-cpp-police-ios-routing (match-any)
conformed 4402238 bytes; actions:
exceeded 0 bytes; actions:
Class-map: system-cpp-police-ios-feature (match-any)
conformed 61458 bytes; actions:
exceeded 0 bytes; actions:
Class-map: system-cpp-police-data (match-any)
conformed 0 bytes; actions:
exceeded 0 bytes; actions:

Any idea would be much appreciated.

Best,

That's OK,
only do a ping with repeat 1000 and check the drop

I did ping repeat 100000. No dropping on ping as well as no hitting on class. And I wonder how to ping or how to make to hit the class, at least to see conformed bytes. 

 

exceeded 0 bytes; actions: <<- add action drop to control plane and check again 

@MHM Cisco World Sorry for my delayed response. I was a bit under the weather for some days.

Actually, actions: drop has been configured by default. My previous output was taken with a filter. Here is the complete default config.

C9606R_CS01(config-pmap-c-police)#do sh policy-map control-plane
Control Plane

Service-policy input: system-cpp-policy

Class-map: system-cpp-police-ios-routing (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 16000 pps, burst 3906 packets
conformed 28937588 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-ios-feature (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 6000 pps, burst 1464 packets
conformed 61458 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-data (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 250 pps, burst 61 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-sys-data (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 250 pps, burst 61 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-sw-forward (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 1000 pps, burst 244 packets
conformed 78 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-multicast (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 500 pps, burst 122 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-multicast-end-station (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 2000 pps, burst 488 packets
conformed 256 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-punt-webauth (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 1000 pps, burst 244 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-l2-control (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 2000 pps, burst 488 packets
conformed 7059268 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-stackwise-virt-control (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 8000 pps, burst 1953 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-routing-control (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 5500 pps, burst 1342 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-system-critical (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 1000 pps, burst 244 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-l2lvx-control (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 1000 pps, burst 244 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-topology-control (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 16000 pps, burst 3906 packets
conformed 21878320 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-dot1x-auth (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 1000 pps, burst 244 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-protocol-snooping (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 2000 pps, burst 488 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-dhcp-snooping (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 500 pps, burst 122 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-forus (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 4000 pps, burst 976 packets
conformed 61124 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 2000 pps, burst 488 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-high-rate-app (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 13000 pps, burst 3173 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Class-map: system-cpp-police-ewlc-control (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 13000 pps, burst 3173 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Any idea?

 

Best,

Junior

 

I will try to lab this case and I will share the result with you.

I got conformed packet hits on system-cpp-police-data. I made the C9600 to generate the ICMP destination host unreachable.

On a device, I set the C9600 IP as gateway. Ping from the device to an unreachable host so as to get the C9600 to generate the ICMP destination host unreachable. If I can generate this kind of process with a high performance box, reducing the police rate to min 250 pps, I think it might hit the exceeded.

Class-map: system-cpp-police-data (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
police:
rate 750 pps, burst 183 packets
conformed 107973 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop

Again, I still need to figure out which kind of packet/process is needed to hit conformed at least for the other policy/class.

 

Best,

ping <SVI of any VLAN>  count 1000 packet-size 800

CoPP will act only on traffic designated to CPU (any IP assigned in SW)
Verify Control Plane Policing Violations on Nexus Platforms - Cisco
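
Comparing two snapshots of the `show policy-map control-plane` output posted in this thread shows which class's conformed or exceeded counters moved during a test. This is an added example, not part of the original thread; the function names and the counter values in AFTER are assumptions made for illustration.

```python
import re

# Constructed snapshots in the thread's `show policy-map control-plane` layout; AFTER values are made up.
BEFORE = """\
Class-map: system-cpp-police-data (match-any)
police:
rate 250 pps, burst 61 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop
Class-map: system-cpp-police-forus (match-any)
police:
rate 4000 pps, burst 976 packets
conformed 61124 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop
"""
AFTER = (BEFORE.replace("conformed 0 bytes", "conformed 107973 bytes", 1)
         .replace("exceeded 0 bytes", "exceeded 5120 bytes", 1))

CLASS_RE = re.compile(r"Class-map:\s+(\S+)")
RATE_RE = re.compile(r"rate\s+(\d+)\s+pps,\s+burst\s+(\d+)\s+packets")
COUNT_RE = re.compile(r"(conformed|exceeded)\s+(\d+)\s+bytes")

def parse_copp(text):
    """Return {class: {rate_pps, burst, conformed, exceeded}} from CLI output."""
    classes, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := CLASS_RE.match(line):
            cur = classes.setdefault(
                m[1], dict(rate_pps=None, burst=None, conformed=0, exceeded=0))
        elif cur is not None and (m := RATE_RE.match(line)):
            cur["rate_pps"], cur["burst"] = int(m[1]), int(m[2])
        elif cur is not None and (m := COUNT_RE.match(line)):
            cur[m[1]] = int(m[2])
    return classes

def copp_delta(before, after):
    """Classify each class by counter growth between two snapshots."""
    old, report = parse_copp(before), {}
    for name, cur in parse_copp(after).items():
        prev = old.get(name, {})
        # A counter below its earlier value means it was cleared: count from 0.
        grow = {k: cur[k] - prev.get(k, 0) if cur[k] >= prev.get(k, 0) else cur[k]
                for k in ("conformed", "exceeded")}
        status = "violation" if grow["exceeded"] else "hit" if grow["conformed"] else "idle"
        report[name] = {"status": status, **grow}
    return report
```

The parser also accepts the filtered form (`| i Class-map|conformed|exceed`); the rate and burst fields are then left as `None`.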