
ASR920 Control-Plane Policing: Drop action

Matt Glosson
Level 1

Greetings. I have an ASR920 (ASR-920-4SZ-A to be precise), which I know is a bit different in various ways from other IOS/IOS-XE. However, I'm experiencing the same confusion on an ASR 1001-X I have. On our 2921 routers, we have CPP enabled in order to drop certain things. The policy-map we have that we apply to the control-plane looks like this:

policy-map CONTROL-PLANE_PMAP
 class CONTROL-PLANE_CMAP
  drop

When I go into the policy-map on the ASR920, I don't have a "drop" action.

(config)#policy-map CONTROL-PLANE_PMAP
(config-pmap)#class CONTROL-PLANE_CMAP
(config-pmap-c)#?
Policy-map class configuration commands:
  bandwidth       Bandwidth
  exit            Exit from class action configuration mode
  no              Negate or set default values of a command
  police          Police
  priority        Strict Scheduling Priority for this Class
  queue-limit     Queue Max Threshold for Tail Drop
  random-detect   Enable Random Early Detection as drop policy
  service-policy  Configure QoS Service Policy
  set             Set QoS values
  shape           Traffic Shaping

Unfortunately, "drop" isn't on the list. According to this, it should be. The software version we're running is from 2017:

Cisco IOS XE Software, Version 03.18.03.SP.156-2.SP3-ext
Cisco IOS Software, ASR920 Software (PPC_LINUX_IOSD-UNIVERSALK9_NPE-M), Version 15.6(2)SP3, RELEASE SOFTWARE (fc4)

I will upgrade if I know this is an option in the new version. If there is another way to accomplish dropping certain traffic (besides applying an ACL to every interface, which is a last resort) I'm certainly open to that. I did just think of something (a route-map with "ip local policy") but I will still ask my question in case anybody knows why "drop" is not a policy-map option.

3 Replies

rainnomm56
Level 1

Cisco CoPP consistency across platforms is quite bad:

  • In IOS you have "drop".
  • On C1100 series IOS-XE routers you can simulate drop by configuring drop for both actions: "police 8000 conform-action drop exceed-action drop".
  • On C9200CX they say "The creation of user-defined class-maps is not supported". But in the lab I was able to add to system-cpp-policy:

 class copp-ip-any
  police rate 1 pps

This is not exactly drop, but when the device is on the internet there is enough probing traffic that the last term is dropping everything.

I guess we have to wait until some big customer pressures Cisco to fix CoPP by making it uniform across platforms.

Hello
Just to confirm what @rainnomm56 has stated: on an XE rtr I was able to apply CoPP at a minimum 8k rate to drop on conform/exceed/violate actions.

class-map match-all TST_CM
 match access-group 100

policy-map TST_PM
 class TST_CM
  police 8k conform-action drop exceed-action drop violate-action drop

sh policy-map control-plane
Control Plane

Service-policy input: TST_PM

Class-map: TST_CM (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group 100
police:
cir 8000 bps, bc 1500 bytes, be 1500 bytes
conformed 0 packets, 0 bytes; actions:
drop
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any



Kind Regards
Paul
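
Added example, not part of the replies above: a Python check that parses "show policy-map control-plane" output and reports, per class, whether every police action is drop, which is what the "police ... conform-action drop exceed-action drop violate-action drop" workaround relies on. The sample text, its counters and the LEAKY_CM class are constructed for the demo, and the layout is assumed to match the output quoted above; real output can differ by platform and release.

```python
import re

# Constructed sample in the layout of the output quoted above; counters and LEAKY_CM are invented.
SAMPLE = """\
Class-map: TST_CM (match-all)
  Match: access-group 100
  police:
    conformed 100 packets, 8000 bytes; actions:
      drop
    exceeded 15 packets, 1200 bytes; actions:
      drop
    violated 5 packets, 400 bytes; actions:
      drop
    conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
Class-map: LEAKY_CM (match-all)
  police:
    conformed 30 packets, 2400 bytes; actions:
      transmit
    exceeded 10 packets, 800 bytes; actions:
      drop
Class-map: class-default (match-any)
  Match: any
"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)")
COLOR_RE = re.compile(r"(conformed|exceeded|violated)\s+(\d+)\s+packets.*actions:\s*$")

def parse_copp(text):
    """Map class -> {color: (packets, action)}; the action follows the 'actions:' line."""
    classes, current, color = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := CLASS_RE.match(line):
            current, color = classes.setdefault(m.group(1), {}), None
        elif current is not None and (m := COLOR_RE.match(line)):
            color = m.group(1)
            current[color] = (int(m.group(2)), None)
        elif color and line:
            current[color] = (current[color][0], line)
            color = None
    return classes

def audit(text):
    """Classify each class as 'drop-all', 'unpoliced' or 'passes:<colors>'."""
    result = {}
    for name, colors in parse_copp(text).items():
        leaks = sorted(c for c, (_, act) in colors.items() if act != "drop")
        verdict = "passes:" + ",".join(leaks) if leaks else "drop-all"
        result[name] = verdict if colors else "unpoliced"
    return result
```

Calling audit() on captured output flags any class whose policer still passes conforming traffic, and shows that class-default carries no policer at all.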

thanks for sharing 
MHM
