ASR920 Control-Plane Policing: Drop action

Matt Glosson · ‎02-25-2019

Greetings. I have an ASR920 (ASR-920-4SZ-A to be precise), which I know is a bit different in various ways from other IOS/IOS-XE. However, I'm experiencing the same confusion on an ASR 1001-X I have. On our 2921 routers, we have CPP enabled in order to drop certain things. The policy-map we have that we apply to the control-plane looks like this:

policy-map CONTROL-PLANE_PMAP
 class CONTROL-PLANE_CMAP
  drop

When I go into the policy-map on the ASR920, I don't have a "drop" action.

(config)#policy-map CONTROL-PLANE_PMAP
(config-pmap)#class CONTROL-PLANE_CMAP
(config-pmap-c)#?
Policy-map class configuration commands:
 bandwidth         Bandwidth
 exit              Exit from class action configuration mode
 no                Negate or set default values of a command
 police            Police
 priority          Strict Scheduling Priority for this Class
 queue-limit       Queue Max Threshold for Tail Drop
 random-detect     Enable Random Early Detection as drop policy
 service-policy    Configure QoS Service Policy
 set               Set QoS values
 shape             Traffic Shaping

Unfortunately, "drop" isn't on the list. According to this, it should be. The software version we're running is from 2017:

Cisco IOS XE Software, Version 03.18.03.SP.156-2.SP3-ext
Cisco IOS Software, ASR920 Software (PPC_LINUX_IOSD-UNIVERSALK9_NPE-M), Version 15.6(2)SP3, RELEASE SOFTWARE (fc4)

I will upgrade if I know this is an option in the new version. If there is another way to accomplish dropping certain traffic (besides applying an ACL to every interface, which is a last resort) I'm certainly open to that. I did just think of something (a route-map with "ip local policy" but I will still ask my question in case anybody knows why "drop" is not a policy-map option.

rainnomm56 · ‎08-30-2024

Cisco CoPP consistency across platforms is quite bad:

In IOS you have "drop".
On C1100 series IOS-XE routers you can simulate drop by configuring drop to both actions "police 8000 conform-action drop exceed-action drop".
On C9200CX they say "The creation of user-defined class-maps is not supported". But in lab i was able to add to system-cpp-policy:

class copp-ip-any
police rate 1 pps

This is no exactly drop, but when device is in internet there is enough probing traffic that last term is dropping everything.

I guess we have to wait when some big customer pressures Cisco to fix CoPP, by making it uniform across platforms.

paul driver · ‎08-30-2024

Hello
Just to confirm what @rainnomm56 has stated on XE rtr I was able to apply copp at a minimum 8k rate to drop on confirm/exceed/violate actions.

class-map match-all TST_CM
match access-group 100

policy-map TST_PM
class TST_CM
police 8k conform-action drop exceed-action drop violate-action drop

sh policy-map control-plane
Control Plane

Service-policy input: TST_PM

Class-map: TST_CM (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group 100
police:
cir 8000 bps, bc 1500 bytes, be 1500 bytes
conformed 0 packets, 0 bytes; actions:
drop
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MHM Cisco World · ‎09-01-2024

thanks for sharing
MHM