Re: Default CoPP configuration for C9400-SUP2

bim87 · ‎03-02-2023

I've been working on configuring a C9407R w/ two SUP2 modules installed and flashed both with IOS-XE 17.10.1 (the only image options available to flash on these modules are 17.7.1, 17.8.1, 17.9.1, 17.10.1 - all ED). This platform will be replacing a C6509-E w/ SUP2T modules running 15.05SY. Some problems I've been running into with the config is in the policy mapping for autocopp. From the C6509-E, the following is what's set (and matches the default autocopp configuration from the guides):

policy-map policy-default-autocopp
class class-copp-mcast-v4-data-on-routedPort
police rate 10 pps burst 1 packets
conform-action drop
exceed-action drop
class class-copp-mcast-v6-data-on-routedPort
police rate 10 pps burst 1 packets
conform-action drop
exceed-action drop
class class-copp-icmp-redirect-unreachable
police rate 100 pps burst 10 packets
conform-action transmit
exceed-action drop
class class-copp-ucast-rpf-fail
police rate 100 pps burst 10 packets
conform-action transmit
exceed-action drop
class class-copp-vacl-log
police rate 2000 pps burst 1 packets
conform-action transmit
exceed-action drop
class class-copp-mcast-punt
police rate 1000 pps burst 256 packets
conform-action transmit
exceed-action drop
class class-copp-mcast-copy
police rate 1000 pps burst 256 packets
conform-action transmit
exceed-action drop
class class-copp-ip-connected
police rate 1000 pps burst 256 packets
conform-action transmit
exceed-action drop
class class-copp-ipv6-connected
police rate 1000 pps burst 256 packets
conform-action transmit
exceed-action drop
class class-copp-match-pim-data
police rate 1000 pps burst 1000 packets
conform-action transmit
exceed-action drop
class class-copp-match-pimv6-data
police rate 1000 pps burst 1000 packets
conform-action transmit
exceed-action drop
class class-copp-match-mld
police rate 5000 pps burst 5000 packets
conform-action set-discard-class-transmit 48
exceed-action transmit
class class-copp-match-igmp
police rate 5000 pps burst 5000 packets
conform-action set-discard-class-transmit 48
exceed-action transmit
class class-copp-match-ndv6
police rate 1000 pps burst 1000 packets
conform-action set-discard-class-transmit 48
exceed-action drop

I haven't been able to find an easy way to set the same default CoPP configuration, like that above, on the C9407R with one command like you can on the 6509 (i.e. policy-map policy-default-autocopp).

I also noticed for some of the class-map policies that the following conforming action

conform-action set-discard-class-transmit 48

set-discard-class-transmit doesn't accept values outside of 0-7, so how does that incorporate a value of 48 in the default configuration?

pieterh · ‎03-03-2023

maybe this document helps?
Security Configuration Guide, Cisco IOS XE Amsterdam 17.3.x (Catalyst 9300 Switches) - Configuring Control Plane Policing [Support] - Cisco
The show run command does not display information about classes configured under system-cpp policy, when they are left at default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane commands instead

Enter the cpp system-default command in global configuration mode To get the latest, default policer rates.

bim87 · ‎03-08-2023

So did system-cpp-policy basically replace policy-default-autocopp? Because after I configure the C9407R with policy-map system-cpp-policy it doesn't show all the default classes and police rates with a standard show run. I have to do a sh run all, and even then it has the following classes with rates, but no actions applied:

policy-map system-cpp-policy
 class system-cpp-police-ios-routing
  police rate 13000 pps
 class system-cpp-police-ios-feature
  police rate 6000 pps
 class system-cpp-police-data
  police rate 750 pps
 class system-cpp-police-sys-data
  police rate 250 pps
 class system-cpp-police-sw-forward
  police rate 1000 pps
 class system-cpp-police-multicast
  police rate 500 pps
 class system-cpp-police-multicast-end-station
  police rate 2000 pps
 class system-cpp-police-punt-webauth
  police rate 1000 pps
 class system-cpp-police-l2-control
  police rate 2000 pps
 class system-cpp-police-stackwise-virt-control
  police rate 8000 pps
 class system-cpp-police-routing-control
  police rate 5500 pps
 class system-cpp-police-system-critical
  police rate 1000 pps
 class system-cpp-police-l2lvx-control
  police rate 1000 pps
 class system-cpp-police-topology-control
  police rate 13000 pps
 class system-cpp-police-dot1x-auth
  police rate 1000 pps
 class system-cpp-police-protocol-snooping
  police rate 2000 pps
 class system-cpp-police-dhcp-snooping
  police rate 500 pps
 class system-cpp-police-forus
  police rate 4000 pps
 class system-cpp-default
  police rate 2000 pps
 class system-cpp-police-high-rate-app
  police rate 13000 pps
 class system-cpp-police-ewlc-control
  police rate 13000 pps

MHM Cisco World · ‎03-08-2023

show policy-map control-plane

share this please

bim87 · ‎03-08-2023

This is what populates

Device#show policy-map control-plane
 Control Plane

  Service-policy input: system-cpp-policy

    Class-map: system-cpp-police-ios-routing (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 13000 pps, burst 3173 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-ios-feature (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 6000 pps, burst 1464 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-data (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 750 pps, burst 183 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-sys-data (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 250 pps, burst 61 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-sw-forward (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 1000 pps, burst 244 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-multicast (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 500 pps, burst 122 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-multicast-end-station (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 2000 pps, burst 488 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-punt-webauth (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 1000 pps, burst 244 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-l2-control (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 2000 pps, burst 488 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-stackwise-virt-control (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 8000 pps, burst 1953 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-routing-control (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 5500 pps, burst 1342 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-system-critical (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 1000 pps, burst 244 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-l2lvx-control (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 1000 pps, burst 244 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-topology-control (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 13000 pps, burst 3173 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-dot1x-auth (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 1000 pps, burst 244 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-protocol-snooping (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 2000 pps, burst 488 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-dhcp-snooping (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 500 pps, burst 122 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-forus (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 4000 pps, burst 976 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 2000 pps, burst 488 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-high-rate-app (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 13000 pps, burst 3173 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: system-cpp-police-ewlc-control (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: none
      police:
          rate 13000 pps, burst 3173 packets
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any

MHM Cisco World · ‎03-08-2023

what you share is answer for your Q,
the action appear under each line