Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
844
Views
0
Helpful
3
Replies

Nexus 6k ICMP Copp Violations: Identifying the Source IPs

Go to solution
CiscoMedMed
Level 1
Level 1

‎03-21-2020 06:07 PM

I ran into ping responsiveness problems on my Nexus 6ks last week. I think I know the cause - waiting for a change window to address that. But in the meantime I'd like to know - what's the least impactful means of finding out what the sources addresses are of those ICMP Copp policy violations? IP accounting? Access lists with permits and logs? Some command for Copp that would output say 500 samplings of the violation traffic? Thank you. 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
CiscoMedMed
Level 1
Level 1

‎03-23-2020 08:02 PM

The answer was to use ethanalyzer to see what was hitting the control plane..

 

CORE01# ethanalyzer local interface inbound-low display-filter icmp limit-captured-frames 10000 write bootflash:icmp_cap.pcap
 
copy bootflash:icmp_cap.pcap tftp://10.1.10.15/

View solution in original post

0 Helpful
3 Replies 3

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-21-2020 07:03 PM

you can do control place policy these kind of ping/ ssh /telenet attacks to the device from Local known network also, not necesary from outside network, so you can limit only certain rest can be drop and logged to syslog server and take action like send email or alerts to admin if that is exceeded.

 

example : 7K example same works nexus code.

 

https://community.cisco.com/t5/networking-documents/icmp-ping-drops-when-pinging-from-nexus-7000/ta-p/3125996

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
CiscoMedMed
Level 1
Level 1
In response to balaji.bandi

‎03-21-2020 09:03 PM

I'd spoken with TAC and they recommended not modifying anything about copp policies nor moving off the default. I think to log the violations I'd had to add a new policy and move off the default. No? 

0 Helpful

Go to solution
CiscoMedMed
Level 1
Level 1

‎03-23-2020 08:02 PM

The answer was to use ethanalyzer to see what was hitting the control plane..

 

CORE01# ethanalyzer local interface inbound-low display-filter icmp limit-captured-frames 10000 write bootflash:icmp_cap.pcap
 
copy bootflash:icmp_cap.pcap tftp://10.1.10.15/
0 Helpful
Customers Also Viewed These Support Documents