ASR920 CoPP not working

bozo.bogd
Level 1

Hi guys,

I seem to have an issue with control-plane policing with ASR-920-24SZ-M.

Configuration is accepted, applied but traffic just doesn't hit it.

I'm running version asr920-universalk9_npe.16.09.05f.SPA.bin

ACLs are simplified as much as they can be, following:

https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/qos/qos-plcshp-xe-3-13s-asr920-book/qos-plcshp-xe-3-13s-asr920-book_chapter_011.html

Configuration:

==========

Extended IP access list COPP-DEFAULT-ACL
10 permit ip any any
Extended IP access list COPP-DENIED-ACL
10 permit tcp any any eq telnet
20 permit tcp any eq telnet any established
30 permit tcp any any eq 22
40 permit tcp any eq 22 any established
50 permit udp any any eq snmp
60 permit udp any any eq ntp
70 permit udp any any eq 443
80 permit udp any any eq 80
90 permit tcp any any eq ftp
100 permit tcp any any eq ftp-data
110 permit tcp any any eq bgp rst
Extended IP access list COPP-MANAGEMENT-ACL
10 permit ip 192.168.1.0 0.0.0.255 any
Extended IP access list COPP-NORMAL-ACL
10 permit icmp any any echo
20 permit icmp any any echo-reply
Extended IP access list COPP-ROUTING-ACL
10 permit tcp any any eq bgp
20 permit tcp any eq bgp any

==========

IPv6 access list IPV6-COPP-DEFAULT-ACL
permit ipv6 any any sequence 10
IPv6 access list IPV6-COPP-DENIED-ACL
permit tcp any any eq telnet sequence 10
permit tcp any eq telnet any established sequence 20
permit tcp any any eq 22 sequence 30
permit tcp any eq 22 any established sequence 40
permit udp any any eq snmp sequence 50
permit udp any any eq ntp sequence 60
permit udp any any eq 443 sequence 70
permit udp any any eq 80 sequence 80
permit tcp any any eq ftp sequence 90
permit tcp any any eq ftp-data sequence 100
IPv6 access list IPV6-COPP-MANAGEMENT-ACL
permit ipv6 2A03:7777:2::/48 any sequence 10
IPv6 access list IPV6-COPP-ROUTING-ACL
permit tcp any any eq bgp sequence 10
permit tcp any eq bgp any sequence 20

==========

class-map match-any COPP-DENIED
 match access-group name COPP-DENIED-ACL
class-map match-all IPV6-COPP-ROUTING
 match access-group name IPV6-COPP-ROUTING-ACL
class-map match-all COPP-MANAGEMENT
 match access-group name COPP-MANAGEMENT-ACL
class-map match-any COPP-NORMAL
 match access-group name COPP-NORMAL-ACL
class-map match-any IPV6-COPP-DEFAULT
 match access-group name IPV6-COPP-DEFAULT-ACL
class-map match-all IPV6-COPP-MANAGEMENT
 match access-group name IPV6-COPP-MANAGEMENT-ACL
class-map match-any IPV6-COPP-NORMAL
 match access-group name IPV6-COPP-NORMAL-ACL
class-map match-any COPP-DEFAULT
 match access-group name COPP-DEFAULT-ACL
class-map match-any IPV6-COPP-DENIED
 match access-group name IPV6-COPP-DENIED-ACL
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING-ACL
!

==========

For testing purposes everything is set to transmit:

policy-map COPP
 class COPP-ROUTING
  police 1000000 187500 conform-action transmit exceed-action transmit
 class IPV6-COPP-ROUTING
  police 10000000 187500 conform-action transmit exceed-action transmit
 class COPP-MANAGEMENT
  police 10000000 18750 conform-action transmit exceed-action transmit
 class IPV6-COPP-MANAGEMENT
  police 10000000 18750 conform-action transmit exceed-action transmit
 class COPP-DENIED
  police 64000 pir 64000 conform-action transmit exceed-action transmit violate-action transmit
 class IPV6-COPP-DENIED
  police 64000 pir 64000 conform-action transmit exceed-action transmit violate-action transmit
 class COPP-NORMAL
  police 64000 12000 pir 64000 conform-action transmit exceed-action transmit violate-action transmit
 class IPV6-COPP-NORMAL
  police 64000 12000 pir 64000 conform-action transmit exceed-action transmit violate-action transmit
 class COPP-DEFAULT
  police 64000 8000 pir 64000 conform-action transmit exceed-action transmit violate-action transmit
 class IPV6-COPP-DEFAULT
  police 64000 8000 pir 64000 conform-action transmit exceed-action transmit violate-action transmit

==========

control-plane
 service-policy input COPP
!

==========

Output:

==========

asr12#show policy-map control-plane
Control Plane

Service-policy input: COPP

Class-map: COPP-ROUTING (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name COPP-ROUTING-ACL
police:
cir 1000000 bps, bc 187500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
conformed 0000 bps, exceeded 0000 bps

Class-map: IPV6-COPP-ROUTING (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name IPV6-COPP-ROUTING-ACL
police:
cir 10000000 bps, bc 187500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
conformed 0000 bps, exceeded 0000 bps

Class-map: COPP-MANAGEMENT (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name COPP-MANAGEMENT-ACL
police:
cir 10000000 bps, bc 18750 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
conformed 0000 bps, exceeded 0000 bps

Class-map: IPV6-COPP-MANAGEMENT (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name IPV6-COPP-MANAGEMENT-ACL
police:
cir 10000000 bps, bc 18750 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
conformed 0000 bps, exceeded 0000 bps

Class-map: COPP-DENIED (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name COPP-DENIED-ACL
police:
cir 64000 bps, bc 8000 bytes
pir 64000 bps, be 8000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
violated 0 packets, 0 bytes; actions:
transmit
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

Class-map: IPV6-COPP-DENIED (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name IPV6-COPP-DENIED-ACL
police:
cir 64000 bps, bc 8000 bytes
pir 64000 bps, be 8000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
violated 0 packets, 0 bytes; actions:
transmit
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

Class-map: COPP-NORMAL (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name COPP-NORMAL-ACL
police:
cir 64000 bps, bc 12000 bytes
pir 64000 bps, be 8000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
violated 0 packets, 0 bytes; actions:
transmit
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

Class-map: IPV6-COPP-NORMAL (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name IPV6-COPP-NORMAL-ACL
police:
cir 64000 bps, bc 12000 bytes
pir 64000 bps, be 8000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
violated 0 packets, 0 bytes; actions:
transmit
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

Class-map: COPP-DEFAULT (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name COPP-DEFAULT-ACL
police:
cir 64000 bps, bc 8000 bytes
pir 64000 bps, be 8000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
violated 0 packets, 0 bytes; actions:
transmit
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

Class-map: IPV6-COPP-DEFAULT (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name IPV6-COPP-DEFAULT-ACL
police:
cir 64000 bps, bc 8000 bytes
pir 64000 bps, be 8000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
violated 0 packets, 0 bytes; actions:
transmit
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any

Any idea would be much appreciated

Thank you

2 Replies

network_baba
Level 1

Did you ever get any resolution on this? Having a very similar situation on 16.12.3 on ASR920-4SZ

network_baba
Level 1

Was able to fix my issue, not sure about you though.

ASR920 platform has a TCAM limit on the ACL size that can be applied to the Control-Plane. I think it's like 127 ACEs. And also, I don't think it supports IPv6 for COPP.
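
An offline check built on the reply above, as an added example that is not part of the thread and not Cisco tooling: it counts the ACEs behind every class in the CoPP policy-map, lists the IPv6 ACLs among them, and reports ACLs that a class-map references but the pasted listing never defines. The 127-ACE figure is the reply's recollection rather than a verified limit; `audit_copp`, `ACE_LIMIT` and the sample text are constructed for this example.

```python
import re

# Constructed sample in the style of the listing posted in the thread (abridged).
SAMPLE = """\
Extended IP access list COPP-ROUTING-ACL
 10 permit tcp any any eq bgp
 20 permit tcp any eq bgp any
IPv6 access list IPV6-COPP-ROUTING-ACL
 permit tcp any any eq bgp sequence 10
 permit tcp any eq bgp any sequence 20
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING-ACL
class-map match-all IPV6-COPP-ROUTING
 match access-group name IPV6-COPP-ROUTING-ACL
class-map match-any IPV6-COPP-NORMAL
 match access-group name IPV6-COPP-NORMAL-ACL
policy-map COPP
 class COPP-ROUTING
 class IPV6-COPP-ROUTING
 class IPV6-COPP-NORMAL
"""

ACE_LIMIT = 127  # assumption: the reply's "I think it's like 127", not a verified figure

def audit_copp(text, policy="COPP", limit=ACE_LIMIT):
    acls, class_acls, policy_classes = {}, {}, []
    acl = cmap = pmap = None  # which block the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(Extended IP|Standard IP|IPv6) access list (\S+)", line):
            acl, cmap, pmap = m.group(2), None, None
            acls[acl] = {"ipv6": m.group(1) == "IPv6", "aces": 0}
        elif m := re.match(r"class-map (?:match-\w+ )?(\S+)", line):
            acl, cmap, pmap = None, m.group(1), None
            class_acls[cmap] = []
        elif m := re.match(r"policy-map (\S+)", line):
            acl, cmap, pmap = None, None, m.group(1)
        elif acl and re.match(r"(\d+ )?(permit|deny)\b", line):
            acls[acl]["aces"] += 1  # IPv4 entries lead with a sequence number, IPv6 do not
        elif cmap and (m := re.match(r"match access-group name (\S+)", line)):
            class_acls[cmap].append(m.group(1))
        elif pmap == policy and (m := re.match(r"class (\S+)", line)):
            policy_classes.append(m.group(1))
    used = [a for c in policy_classes for a in class_acls.get(c, [])]
    total = sum(acls[a]["aces"] for a in used if a in acls)
    return {"total_aces": total, "over_limit": total > limit,
            "ipv6_acls": sorted(a for a in used if acls.get(a, {}).get("ipv6")),
            "undefined_acls": sorted(a for a in used if a not in acls)}
```

Feed it the concatenated `show access-lists` output and the class-map and policy-map sections of the running configuration; an ACL named by a class-map but absent from the listing shows up under `undefined_acls`.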