02-03-2015 09:49 PM - edited 03-07-2019 10:30 PM
Hi
We recently swapped out our 6509 Core LAN switches for a pair of Nexus 9396 and moved all layer 3 to the Nexus. One of the problems we noticed was that DHCP relay configured on the Nexus did not appear to be functioning properly, as all users in the various vlans that lived on the Nexus would complain of intermittent DHCP issues where they would be unable to obtain an IP address. What we did was move the DHCP relay function back onto the original 6509 switches, which we kept connected to the Nexus 9K, all the while leaving the actual routing on the N9K for all those vlans. The result was immediate: DHCP worked right away for all the vlans.
During investigation we noticed an extremely high rate of dropped packets in the control plane. The default COPP profile for the N9K is set to strict; from looking at the rate, I do not even believe using the lenient COPP profile would help, as the drop rate is so high, especially for the DHCP relay class and the default class, where we are seeing 10 times the drop rate when compared to the transmit rate. I have pasted the output; of course the class "copp-system-p-class-normal-dhcp-relay-response" counters are no longer incrementing, which would make sense since we put the DHCP relay function back on the downstream 6509. Before we did that, the drops were just incrementing at an alarming rate. So we really suspect this COPP profile was causing the intermittent DHCP problems across all vlans.
Is this kind of drop rate normal? If you look at the default class, it's alarming. My concern about removing the COPP policy is that the high rate of drops would then be put onto the CPU, and therefore I would imagine the switch CPU would get overwhelmed. Has anyone seen this before? I realize the 9396 is a fairly new platform.
We also have a 6K at another site with the default COPP policy and there are no drops, although the function of that switch is more of a Data Center Core as opposed to the N9K where we are using more as a standard LANCORE within a type large office user environment.
Even as of this writing, the default class packets dropped increased by a million in about 10-15 minutes
Thanks
Control Plane
Service-policy input: copp-system-p-policy-strict
class-map copp-system-p-class-critical (match-any)
match access-group name copp-system-p-acl-bgp
match access-group name copp-system-p-acl-rip
match access-group name copp-system-p-acl-vpc
match access-group name copp-system-p-acl-bgp6
match access-group name copp-system-p-acl-ospf
match access-group name copp-system-p-acl-rip6
match access-group name copp-system-p-acl-eigrp
match access-group name copp-system-p-acl-ospf6
match access-group name copp-system-p-acl-eigrp6
match access-group name copp-system-p-acl-auto-rp
match access-group name copp-system-p-acl-mac-l2pt
match access-group name copp-system-p-acl-mac-l3-isis
set cos 7
police cir 19000 pps , bc 128 packets
module 1 :
transmitted 3398529 packets;
dropped 0 packets;
class-map copp-system-p-class-important (match-any)
match access-group name copp-system-p-acl-glbp
match access-group name copp-system-p-acl-hsrp
match access-group name copp-system-p-acl-vrrp
match access-group name copp-system-p-acl-wccp
match access-group name copp-system-p-acl-hsrp6
match access-group name copp-system-p-acl-mac-lldp
match access-group name copp-system-p-acl-icmp6-msgs
match access-group name copp-system-p-acl-mac-flow-control
set cos 6
police cir 3000 pps , bc 128 packets
module 1 :
transmitted 9269082 packets;
dropped 0 packets;
class-map copp-system-p-class-multicast-router (match-any)
match access-group name copp-system-p-acl-pim
match access-group name copp-system-p-acl-msdp
match access-group name copp-system-p-acl-pim6
match access-group name copp-system-p-acl-pim-reg
match access-group name copp-system-p-acl-pim6-reg
match access-group name copp-system-p-acl-pim-mdt-join
set cos 6
police cir 3000 pps , bc 128 packets
module 1 :
transmitted 19951 packets;
dropped 0 packets;
class-map copp-system-p-class-management (match-any)
match access-group name copp-system-p-acl-ftp
match access-group name copp-system-p-acl-ntp
match access-group name copp-system-p-acl-ssh
match access-group name copp-system-p-acl-ntp6
match access-group name copp-system-p-acl-sftp
match access-group name copp-system-p-acl-snmp
match access-group name copp-system-p-acl-ssh6
match access-group name copp-system-p-acl-tftp
match access-group name copp-system-p-acl-tftp6
match access-group name copp-system-p-acl-radius
match access-group name copp-system-p-acl-tacacs
match access-group name copp-system-p-acl-telnet
match access-group name copp-system-p-acl-radius6
match access-group name copp-system-p-acl-tacacs6
match access-group name copp-system-p-acl-telnet6
set cos 2
police cir 3000 pps , bc 32 packets
module 1 :
transmitted 74196415 packets;
dropped 411817863 packets;
class-map copp-system-p-class-l3mc-data (match-any)
match exception multicast rpf-failure
match exception multicast dest-miss
set cos 1
police cir 3000 pps , bc 32 packets
module 1 :
transmitted 25 packets;
dropped 0 packets;
class-map copp-system-p-class-l3uc-data (match-any)
match exception glean
set cos 1
police cir 250 pps , bc 32 packets
module 1 :
transmitted 12368812 packets;
dropped 30784 packets;
class-map copp-system-p-class-normal (match-any)
match access-group name copp-system-p-acl-mac-dot1x
match protocol arp
set cos 1
police cir 1500 pps , bc 32 packets
module 1 :
transmitted 8707765 packets;
dropped 15973 packets;
class-map copp-system-p-class-normal-dhcp (match-any)
match access-group name copp-system-p-acl-dhcp
match access-group name copp-system-p-acl-dhcp6
set cos 1
police cir 300 pps , bc 32 packets
module 1 :
transmitted 1385734 packets;
dropped 9162 packets;
class-map copp-system-p-class-normal-dhcp-relay-response (match-any)
match access-group name copp-system-p-acl-dhcp-relay-response
match access-group name copp-system-p-acl-dhcp6-relay-response
set cos 1
police cir 400 pps , bc 64 packets
module 1 :
transmitted 62553130 packets;
dropped 131507381 packets;
class-map copp-system-p-class-normal-igmp (match-any)
match access-group name copp-system-p-acl-igmp
set cos 3
police cir 6000 pps , bc 64 packets
module 1 :
transmitted 535823 packets;
dropped 0 packets;
class-map copp-system-p-class-redirect (match-any)
set cos 1
police cir 150 pps , bc 32 packets
module 1 :
transmitted 0 packets;
dropped 0 packets;
class-map copp-system-p-class-exception (match-any)
match exception ip option
match exception ip icmp unreachable
match exception ipv6 option
match exception ipv6 icmp unreachable
set cos 1
police cir 50 pps , bc 32 packets
module 1 :
transmitted 0 packets;
dropped 0 packets;
class-map copp-system-p-class-exception-diag (match-any)
match exception ttl-failure
match exception mtu-failure
set cos 1
police cir 50 pps , bc 32 packets
module 1 :
transmitted 3618636 packets;
dropped 1377 packets;
class-map copp-system-p-class-monitoring (match-any)
match access-group name copp-system-p-acl-icmp
match access-group name copp-system-p-acl-icmp6
match access-group name copp-system-p-acl-traceroute
set cos 1
police cir 75 pps , bc 128 packets
module 1 :
transmitted 204397 packets;
dropped 511 packets;
class-map copp-system-p-class-l2-unpoliced (match-any)
match access-group name copp-system-p-acl-mac-stp
match access-group name copp-system-p-acl-mac-lacp
match access-group name copp-system-p-acl-mac-cfsoe
match access-group name copp-system-p-acl-mac-sdp-srp
match access-group name copp-system-p-acl-mac-l2-tunnel
match access-group name copp-system-p-acl-mac-cdp-udld-vtp
set cos 7
police cir 20000 pps , bc 8192 packets
module 1 :
transmitted 70997044 packets;
dropped 0 packets;
class-map copp-system-p-class-undesirable (match-any)
match access-group name copp-system-p-acl-undesirable
match exception multicast sg-rpf-failure
set cos 0
police cir 15 pps , bc 32 packets
module 1 :
transmitted 401 packets;
dropped 0 packets;
class-map copp-system-p-class-l2-default (match-any)
match access-group name copp-system-p-acl-mac-undesirable
set cos 0
police cir 50 pps , bc 32 packets
module 1 :
transmitted 1898871 packets;
dropped 45046 packets;
class-map class-default (match-any)
set cos 0
police cir 50 pps , bc 32 packets
module 1 :
transmitted 8317815 packets;
dropped 83887787 packets;
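Added example (not part of the original post, and not Cisco code): a small Python parser for CoPP counter output in the format pasted above, ranking classes by the share of offered packets the policer dropped. The sample input is an excerpt of three classes from the post; the function names and the 1% threshold are assumptions made for this illustration.

```python
import re

# Excerpt of the counters posted above (three classes, "set cos" lines omitted).
SAMPLE = """\
class-map copp-system-p-class-critical (match-any)
police cir 19000 pps , bc 128 packets
module 1 :
transmitted 3398529 packets;
dropped 0 packets;
class-map copp-system-p-class-normal-dhcp-relay-response (match-any)
police cir 400 pps , bc 64 packets
module 1 :
transmitted 62553130 packets;
dropped 131507381 packets;
class-map class-default (match-any)
police cir 50 pps , bc 32 packets
module 1 :
transmitted 8317815 packets;
dropped 83887787 packets;
"""

CLASS_RE = re.compile(r"^\s*class-map\s+(\S+)")
CIR_RE = re.compile(r"^\s*police cir (\d+) pps")
COUNT_RE = re.compile(r"^\s*(transmitted|dropped) (\d+) packets")

def parse_copp(text):
    """Return {class: {"cir_pps", "transmitted", "dropped"}}, summed over modules."""
    classes, cur = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = classes.setdefault(m.group(1), {"cir_pps": None, "transmitted": 0, "dropped": 0})
        elif cur is None:
            continue  # header lines before the first class-map
        elif m := CIR_RE.match(line):
            cur["cir_pps"] = int(m.group(1))
        elif m := COUNT_RE.match(line):
            cur[m.group(1)] += int(m.group(2))
    return classes

def drop_report(classes, min_fraction=0.01):
    """Classes that dropped more than min_fraction of offered packets, worst first."""
    rows = []
    for name, c in classes.items():
        offered = c["transmitted"] + c["dropped"]
        if offered and c["dropped"] / offered > min_fraction:
            rows.append((name, c["cir_pps"], round(c["dropped"] / offered, 3)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    print(drop_report(parse_copp(SAMPLE)))
```

The counters are cumulative, so the fractions cover the whole period since they were last cleared; running the parser on two snapshots taken a known interval apart and subtracting gives the current drop rate per class.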
02-03-2015 11:14 PM
Hi!
This interests me too!
05-12-2020 07:14 PM
Hi Alain,
Did you ever get a response to your query?
What does the Class-Map "l3uc-data" shown below mean:
Service-policy input: copp-system-p-policy-strict
class-map copp-system-p-class-l3uc-data (match-any)
match exception glean
set cos 1
police cir 250 pps , bc 32 packets
module 1 :
transmitted 1191347217 packets;
dropped 70762594831 packets;
05-12-2020 11:55 PM
Hi @Phuc Le7
That is gleaned L3 unicast data. You have traffic which is destined to an unknown destination.
You can use ethanalyzer to see what traffic is actually hitting your CPU:
ethanalyzer local interface inband limit-captured-frames 0
Use Ctrl+C to stop the capture.
Also, you can use "hardware ip glean throttle" to throttle the gleaned traffic.
Stay safe
Sergiu
05-17-2020 07:16 PM
Hi Sergiu,
That's great. Thanks a lot.
Regards
Phuc Le
04-06-2023 08:05 AM
Run the setup macro again and set the copp policy to lenient.