02-25-2019 03:10 PM
Greetings. I have an ASR920 (ASR-920-4SZ-A to be precise), which I know is a bit different in various ways from other IOS/IOS-XE. However, I'm experiencing the same confusion on an ASR 1001-X I have. On our 2921 routers, we have CPP enabled in order to drop certain things. The policy-map we have that we apply to the control-plane looks like this:
policy-map CONTROL-PLANE_PMAP
 class CONTROL-PLANE_CMAP
  drop
When I go into the policy-map on the ASR920, I don't have a "drop" action.
(config)#policy-map CONTROL-PLANE_PMAP
(config-pmap)#class CONTROL-PLANE_CMAP
(config-pmap-c)#?
Policy-map class configuration commands:
  bandwidth       Bandwidth
  exit            Exit from class action configuration mode
  no              Negate or set default values of a command
  police          Police
  priority        Strict Scheduling Priority for this Class
  queue-limit     Queue Max Threshold for Tail Drop
  random-detect   Enable Random Early Detection as drop policy
  service-policy  Configure QoS Service Policy
  set             Set QoS values
  shape           Traffic Shaping
Unfortunately, "drop" isn't on the list. According to this, it should be. The software version we're running is from 2017:
Cisco IOS XE Software, Version 03.18.03.SP.156-2.SP3-ext
Cisco IOS Software, ASR920 Software (PPC_LINUX_IOSD-UNIVERSALK9_NPE-M), Version 15.6(2)SP3, RELEASE SOFTWARE (fc4)
I will upgrade if I know this is an option in the new version. If there is another way to accomplish dropping certain traffic (besides applying an ACL to every interface, which is a last resort) I'm certainly open to that. I did just think of something (a route-map with "ip local policy") but I will still ask my question in case anybody knows why "drop" is not a policy-map option.
08-30-2024 04:06 AM
Cisco CoPP consistency across platforms is quite bad:
 class copp-ip-any
  police rate 1 pps
This is not exactly drop, but when the device is on the internet there is enough probing traffic that the last term is dropping everything.
I guess we have to wait when some big customer pressures Cisco to fix CoPP, by making it uniform across platforms.
08-30-2024 06:05 AM - edited 08-30-2024 06:06 AM
Hello
Just to confirm what @rainnomm56 has stated: on an XE rtr I was able to apply CoPP at a minimum 8k rate to drop on conform/exceed/violate actions.
class-map match-all TST_CM
 match access-group 100
policy-map TST_PM
 class TST_CM
  police 8k conform-action drop exceed-action drop violate-action drop

sh policy-map control-plane
 Control Plane
  Service-policy input: TST_PM
    Class-map: TST_CM (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group 100
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          drop
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
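Added example, not part of the original posts: a check that a policer used as a "drop" substitute, as in the configuration above, really drops in all three buckets, by parsing saved "sh policy-map control-plane" output. It assumes the output layout shown in the post; the function names and the sample text are constructed for illustration.

```python
import re
# Constructed sample shaped like the "sh policy-map control-plane" output above,
# with the violate action changed to "transmit" to show a policer that leaks.
SAMPLE = """\
 Control Plane
  Service-policy input: TST_PM
    Class-map: TST_CM (match-all)
      Match: access-group 100
      police:
        conformed 0 packets, 0 bytes; actions:
          drop
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          transmit
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
    Class-map: class-default (match-any)
"""
BUCKETS = ("conformed", "exceeded", "violated")
CLASS_RE = re.compile(r"^Class-map:\s+(\S+)")
BUCKET_RE = re.compile(r"^(conformed|exceeded|violated)\s+(\d+) packets.*actions:\s*(.*)$")

def police_actions(show_output):
    """Return {class: {bucket: (packets, first action)}} for classes with a policer."""
    result, current, pending = {}, None, None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            current, pending = m.group(1), None
            continue
        m = BUCKET_RE.match(line)
        if m and current:
            bucket, pkts, action = m.group(1), int(m.group(2)), m.group(3).strip()
            result.setdefault(current, {})[bucket] = (pkts, action)
            pending = None if action else bucket  # action printed on the next line
        elif pending and line:
            result[current][pending] = (result[current][pending][0], line)
            pending = None
    return result

def leaking_classes(show_output):
    """Map each policed class to the buckets whose action is not "drop"."""
    leaks = {}
    for cls, buckets in police_actions(show_output).items():
        bad = [b for b in BUCKETS if buckets.get(b, (0, ""))[1] != "drop"]
        if bad:
            leaks[cls] = bad
    return leaks
```

An empty result from leaking_classes means every policed class drops on conform, exceed and violate; classes without a policer, such as class-default here, are not reported.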
09-01-2024 08:30 AM
thanks for sharing
MHM