01-05-2016 05:57 PM - edited 03-05-2019 03:03 AM
Dear All,
I am new here. Our company has one Cisco 7609-S with a CoPP policy applied, and ICMP is rate-limited to 1 Mbps, but there are still some ICMP packet timeouts when trying to ping the router's interface. That does not impact customer service, but it does impact user experience. We would like to change it so that a customer can successfully ping 100 packets with no loss at all. Could you please advise how I could change this situation and find out which ICMP packets are exceeding our CoPP policy?
We do not want to increase our ICMP rate limit because of CPU utilization, and we need to find which source is constantly hitting our CoPP policy.
Please find configuration below:
class CoPP-icmp
police 1000000 1000 4470 conform-action transmit exceed-action drop
Extended IP access list 120
10 permit icmp any any ttl-exceeded (12812465 matches)
20 permit icmp any any port-unreachable (115210794 matches)
30 permit icmp any any echo-reply (3521492 matches)
40 deny icmp host x.x.x.x any echo (121594 matches)
50 permit icmp any any echo (3698236101 matches)
60 permit icmp any any packet-too-big (44507 matches)
Thanks!
--
Regards,
Rex
01-05-2016 06:58 PM
I think the safest option is to mirror wherever you think the traffic might be coming from to another port and use Wireshark to do a capture, so you can analyse the traffic off the production platform.
All the other options I can think of will burn even more traffic.
Another potential option is to enable netflow on ingress ports, and use something to analyse the ICMP flows.
01-07-2016 05:26 PM
Dear Sir,
Thanks for your suggestion! Port mirroring will mirror the whole interface, not only ICMP traffic, and I just want to check the traffic to the CPU, as ICMP traffic can come from anywhere. I have tried debug ip icmp and see there are many ICMP type=11 packets. Is it safe to block such packets, or will there be any performance impact?
Thanks!
Regards,
Rex
01-07-2016 05:29 PM
You only need to do it for a while (the port mirror) to get a copy of the data you can take away to analyse. Type 11 is TTL exceeded, frequently caused by a routing loop.
I would try to find the cause of the TTL exceeded messages rather than blocking the traffic type.
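The two suggestions in this thread (export NetFlow from the ingress ports and analyse the ICMP flows; then find who is sending the ICMP type 11 traffic) can be combined into one offline analysis. The script below is an added example, not code from any poster or from Cisco: it takes flow records in a constructed CSV layout (src, dst, protocol, ICMP type, ICMP code, packets, bytes, all assumed to come from a 60 s flow export), sums bits per second per source and ICMP type, compares each against the 1,000,000 bps policer from the CoPP class above, and lists the sources of TTL-exceeded messages. The sample records are made up for illustration.

```python
"""Rank ICMP flow sources against a CoPP ICMP policer (added example, constructed data)."""
from collections import defaultdict

# ICMP type numbers to the names used in the thread's ACL (RFC 792 numbering).
ICMP_TYPE_NAMES = {
    0: "echo-reply",
    3: "unreachable",
    8: "echo",
    11: "ttl-exceeded",
}

# Policer rate from the CoPP class in the thread: police 1000000 (bits per second).
POLICER_BPS = 1_000_000

# Constructed sample flow records (not real router output), one flow per line:
# src,dst,proto,icmp_type,icmp_code,packets,bytes over an assumed 60 s export window.
SAMPLE_FLOWS = """\
10.1.1.5,192.0.2.1,1,8,0,120,12000
10.1.1.5,192.0.2.1,1,11,0,900000,8460000
203.0.113.7,192.0.2.1,1,8,0,100,10000
198.51.100.9,192.0.2.1,1,3,3,2000,1800000
10.9.9.9,192.0.2.1,1,11,0,30000,2820000
10.1.1.5,192.0.2.1,6,0,0,50,4000
"""
WINDOW_SECONDS = 60


def parse_flows(text):
    """Parse CSV flow lines into dicts, keeping only ICMP (IP protocol 1)."""
    records = []
    for line in text.strip().splitlines():
        src, dst, proto, itype, icode, pkts, nbytes = line.split(",")
        if int(proto) != 1:
            continue  # CoPP-icmp only sees ICMP; drop TCP/UDP flows
        records.append({
            "src": src,
            "dst": dst,
            "icmp_type": int(itype),
            "icmp_code": int(icode),
            "packets": int(pkts),
            "bytes": int(nbytes),
        })
    return records


def top_offenders(records, window_s, policer_bps):
    """Return [(src, type_name, bits_per_sec, share_of_policer)] sorted by rate, descending.

    share_of_policer > 1.0 means that single source alone exceeds the class policer.
    """
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["icmp_type"])] += r["bytes"]
    rows = []
    for (src, itype), nbytes in totals.items():
        bps = nbytes * 8 / window_s
        name = ICMP_TYPE_NAMES.get(itype, f"type-{itype}")
        rows.append((src, name, bps, bps / policer_bps))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def total_icmp_bps(records, window_s):
    """Aggregate ICMP offered load in bits/s; all of it competes for the one policer."""
    return sum(r["bytes"] for r in records) * 8 / window_s


def ttl_exceeded_sources(records):
    """Sources sending ICMP type 11, with packet counts, busiest first."""
    counts = defaultdict(int)
    for r in records:
        if r["icmp_type"] == 11:
            counts[r["src"]] += r["packets"]
    return sorted(counts.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(f"total ICMP load: {total_icmp_bps(flows, WINDOW_SECONDS):,.0f} bps "
          f"vs policer {POLICER_BPS:,} bps")
    for src, name, bps, share in top_offenders(flows, WINDOW_SECONDS, POLICER_BPS):
        print(f"{src:16} {name:14} {bps:12,.0f} bps  {share:6.2%} of policer")
    print("TTL-exceeded senders:", ttl_exceeded_sources(flows))
```

With the constructed data the aggregate ICMP load is about 1.75 Mbps against a 1 Mbps policer, while the echo traffic itself is only a few kbps: the pings are dropped because they share the class with a single TTL-exceeded sender that alone exceeds the policer, which is why finding the routing loop, rather than raising the rate, fixes the ping loss.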