
Nexus 9396 Control Plane (COPP) policy dropping extreme amount of packets

Alain Desnoyers
Level 1

Hi

 

We recently swapped out our 6509 core LAN switches for a pair of Nexus 9396 and moved all Layer 3 to the Nexus. One of the problems we noticed was that DHCP relay configured on the Nexus did not appear to be functioning properly, as all users in the various VLANs that lived on the Nexus would complain of intermittent DHCP issues where they would be unable to obtain an IP address. What we did was move the DHCP relay function back onto the original 6509 switches, which we kept connected to the Nexus 9K, all the while leaving the actual routing on the N9K for all those VLANs. The result was immediate: DHCP worked right away for all the VLANs.

During investigation we noticed an extremely high rate of dropped packets in the control plane. The default COPP profile for the N9K is set to strict; from looking at the rate, I do not even believe using the lenient COPP profile would help, as the drop rate is so high, especially for the DHCP relay class and the default class, where we are seeing 10 times the drop rate when compared to the transmit rate. I have pasted the output. Of course the class "copp-system-p-class-normal-dhcp-relay-response" counters are no longer incrementing, which would make sense since we put the DHCP relay function back on the downstream 6509; before we did that, the drops were just incrementing at an alarming rate. So we really suspect this COPP profile was causing the intermittent DHCP problems across all VLANs.

Is this kind of drop rate normal? If you look at the default class, it's alarming. My concern about removing the COPP policy is that the high rate of drops would then be put onto the CPU, therefore I would imagine the switch CPU would get overwhelmed. Has anyone seen this before? I realize the 9396 is a fairly new platform.

We also have a 6K at another site with the default COPP policy and there are no drops, although the function of that switch is more of a data center core, as opposed to the N9K, which we are using more as a standard LAN core within a type large office user environment.

 

Even as of this writing, the default class packets dropped increased by a million in about 10-15 minutes

 

Thanks

 

 

 

Control Plane

  Service-policy  input: copp-system-p-policy-strict

    class-map copp-system-p-class-critical (match-any)
      match access-group name copp-system-p-acl-bgp
      match access-group name copp-system-p-acl-rip
      match access-group name copp-system-p-acl-vpc
      match access-group name copp-system-p-acl-bgp6
      match access-group name copp-system-p-acl-ospf
      match access-group name copp-system-p-acl-rip6
      match access-group name copp-system-p-acl-eigrp
      match access-group name copp-system-p-acl-ospf6
      match access-group name copp-system-p-acl-eigrp6
      match access-group name copp-system-p-acl-auto-rp
      match access-group name copp-system-p-acl-mac-l2pt
      match access-group name copp-system-p-acl-mac-l3-isis
      set cos 7
      police cir 19000 pps , bc 128 packets
      module 1 :
        transmitted 3398529 packets;
        dropped 0 packets;

    class-map copp-system-p-class-important (match-any)
      match access-group name copp-system-p-acl-glbp
      match access-group name copp-system-p-acl-hsrp
      match access-group name copp-system-p-acl-vrrp
      match access-group name copp-system-p-acl-wccp
      match access-group name copp-system-p-acl-hsrp6
      match access-group name copp-system-p-acl-mac-lldp
      match access-group name copp-system-p-acl-icmp6-msgs
      match access-group name copp-system-p-acl-mac-flow-control
      set cos 6
      police cir 3000 pps , bc 128 packets
      module 1 :
        transmitted 9269082 packets;
        dropped 0 packets;

    class-map copp-system-p-class-multicast-router (match-any)
      match access-group name copp-system-p-acl-pim
      match access-group name copp-system-p-acl-msdp
      match access-group name copp-system-p-acl-pim6
      match access-group name copp-system-p-acl-pim-reg
      match access-group name copp-system-p-acl-pim6-reg
      match access-group name copp-system-p-acl-pim-mdt-join
      set cos 6
      police cir 3000 pps , bc 128 packets
      module 1 :
        transmitted 19951 packets;
        dropped 0 packets;

    class-map copp-system-p-class-management (match-any)
      match access-group name copp-system-p-acl-ftp
      match access-group name copp-system-p-acl-ntp
      match access-group name copp-system-p-acl-ssh
      match access-group name copp-system-p-acl-ntp6
      match access-group name copp-system-p-acl-sftp
      match access-group name copp-system-p-acl-snmp
      match access-group name copp-system-p-acl-ssh6
      match access-group name copp-system-p-acl-tftp
      match access-group name copp-system-p-acl-tftp6
      match access-group name copp-system-p-acl-radius
      match access-group name copp-system-p-acl-tacacs
      match access-group name copp-system-p-acl-telnet
      match access-group name copp-system-p-acl-radius6
      match access-group name copp-system-p-acl-tacacs6
      match access-group name copp-system-p-acl-telnet6
      set cos 2
      police cir 3000 pps , bc 32 packets
      module 1 :
        transmitted 74196415 packets;
        dropped 411817863 packets;

    class-map copp-system-p-class-l3mc-data (match-any)
      match exception multicast rpf-failure
      match exception multicast dest-miss
      set cos 1
      police cir 3000 pps , bc 32 packets
      module 1 :
        transmitted 25 packets;
        dropped 0 packets;

    class-map copp-system-p-class-l3uc-data (match-any)
      match exception glean
      set cos 1
      police cir 250 pps , bc 32 packets
      module 1 :
        transmitted 12368812 packets;
        dropped 30784 packets;

    class-map copp-system-p-class-normal (match-any)
      match access-group name copp-system-p-acl-mac-dot1x
      match protocol arp
      set cos 1
      police cir 1500 pps , bc 32 packets
      module 1 :
        transmitted 8707765 packets;
        dropped 15973 packets;

    class-map copp-system-p-class-normal-dhcp (match-any)
      match access-group name copp-system-p-acl-dhcp
      match access-group name copp-system-p-acl-dhcp6
      set cos 1
      police cir 300 pps , bc 32 packets
      module 1 :
        transmitted 1385734 packets;
        dropped 9162 packets;

    class-map copp-system-p-class-normal-dhcp-relay-response (match-any)
      match access-group name copp-system-p-acl-dhcp-relay-response
      match access-group name copp-system-p-acl-dhcp6-relay-response
      set cos 1
      police cir 400 pps , bc 64 packets
      module 1 :
        transmitted 62553130 packets;
        dropped 131507381 packets;

    class-map copp-system-p-class-normal-igmp (match-any)
      match access-group name copp-system-p-acl-igmp
      set cos 3
      police cir 6000 pps , bc 64 packets
      module 1 :
        transmitted 535823 packets;
        dropped 0 packets;

    class-map copp-system-p-class-redirect (match-any)
      set cos 1
      police cir 150 pps , bc 32 packets
      module 1 :
        transmitted 0 packets;
        dropped 0 packets;

    class-map copp-system-p-class-exception (match-any)
      match exception ip option
      match exception ip icmp unreachable
      match exception ipv6 option
      match exception ipv6 icmp unreachable
      set cos 1
      police cir 50 pps , bc 32 packets
      module 1 :
        transmitted 0 packets;
        dropped 0 packets;

    class-map copp-system-p-class-exception-diag (match-any)
      match exception ttl-failure
      match exception mtu-failure
      set cos 1
      police cir 50 pps , bc 32 packets
      module 1 :
        transmitted 3618636 packets;
        dropped 1377 packets;

    class-map copp-system-p-class-monitoring (match-any)
      match access-group name copp-system-p-acl-icmp
      match access-group name copp-system-p-acl-icmp6
      match access-group name copp-system-p-acl-traceroute
      set cos 1
      police cir 75 pps , bc 128 packets
      module 1 :
        transmitted 204397 packets;
        dropped 511 packets;

    class-map copp-system-p-class-l2-unpoliced (match-any)
      match access-group name copp-system-p-acl-mac-stp
      match access-group name copp-system-p-acl-mac-lacp
      match access-group name copp-system-p-acl-mac-cfsoe
      match access-group name copp-system-p-acl-mac-sdp-srp
      match access-group name copp-system-p-acl-mac-l2-tunnel
      match access-group name copp-system-p-acl-mac-cdp-udld-vtp
      set cos 7
      police cir 20000 pps , bc 8192 packets
      module 1 :
        transmitted 70997044 packets;
        dropped 0 packets;

    class-map copp-system-p-class-undesirable (match-any)
      match access-group name copp-system-p-acl-undesirable
      match exception multicast sg-rpf-failure
      set cos 0
      police cir 15 pps , bc 32 packets
      module 1 :
        transmitted 401 packets;
        dropped 0 packets;

    class-map copp-system-p-class-l2-default (match-any)
      match access-group name copp-system-p-acl-mac-undesirable
      set cos 0
      police cir 50 pps , bc 32 packets
      module 1 :
        transmitted 1898871 packets;
        dropped 45046 packets;

    class-map class-default (match-any)
      set cos 0
      police cir 50 pps , bc 32 packets
      module 1 :
        transmitted 8317815 packets;
        dropped 83887787 packets;
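
As an added example (not part of the original post and not Cisco tooling), this parser reads `show policy-map interface control-plane` text like the output above and ranks the classes whose policer dropped at least as many packets as it passed. The function names `parse_copp` and `heavy_droppers` and the `min_ratio` threshold are hypothetical; the sample is a trimmed excerpt of the counters posted above.

```python
import re

# Trimmed excerpt of the output posted above (match and module lines removed).
SAMPLE = """\
    class-map copp-system-p-class-management (match-any)
      police cir 3000 pps , bc 32 packets
        transmitted 74196415 packets;
        dropped 411817863 packets;
    class-map copp-system-p-class-normal-dhcp (match-any)
      police cir 300 pps , bc 32 packets
        transmitted 1385734 packets;
        dropped 9162 packets;
    class-map copp-system-p-class-normal-dhcp-relay-response (match-any)
      police cir 400 pps , bc 64 packets
        transmitted 62553130 packets;
        dropped 131507381 packets;
    class-map class-default (match-any)
      police cir 50 pps , bc 32 packets
        transmitted 8317815 packets;
        dropped 83887787 packets;
"""

CLASS_RE = re.compile(r"^\s*class-map\s+(\S+)")
CIR_RE = re.compile(r"police cir (\d+) pps")
COUNT_RE = re.compile(r"^\s*(transmitted|dropped)\s+(\d+)\s+packets")

def parse_copp(text):
    """Map class name -> policer CIR and packet counters, summed over modules."""
    classes, cur = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = classes.setdefault(m.group(1), {"cir": None, "transmitted": 0, "dropped": 0})
        elif cur is not None and (m := CIR_RE.search(line)):
            cur["cir"] = int(m.group(1))
        elif cur is not None and (m := COUNT_RE.match(line)):
            cur[m.group(1)] += int(m.group(2))
    return classes

def heavy_droppers(classes, min_ratio=1.0):
    """Classes whose dropped/transmitted ratio is >= min_ratio, worst first."""
    rows = []
    for name, c in classes.items():
        ratio = c["dropped"] / c["transmitted"] if c["transmitted"] else float("inf")
        if c["dropped"] and ratio >= min_ratio:
            rows.append((name, c["cir"], round(ratio, 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, cir, ratio in heavy_droppers(parse_copp(SAMPLE)):
        print(f"{name}: cir={cir} pps, dropped/transmitted={ratio}")
```

Because the counters are cumulative, running it against two captures taken a few minutes apart and comparing the `dropped` values shows which classes are still being policed now.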

 

 

5 Replies

Oleg Volkov
Spotlight

Hi!

It's interesting for me too!

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

Phuc Le7
Level 1

Hi Alain, 

Did you ever get a response to your query?

 

 

What does the class-map "l3uc-data" shown below mean:

 

  Service-policy  input: copp-system-p-policy-strict

    class-map copp-system-p-class-l3uc-data (match-any)
      match exception glean
      set cos 1
      police cir 250 pps , bc 32 packets
      module 1 :
        transmitted 1191347217 packets;
        dropped 70762594831 packets;

Hi @Phuc Le7 

That is gleaned L3 unicast data. You have traffic which is destined to an unknown destination.

You can use ethanalyzer to see what traffic is actually hitting your CPU:

 ethanalyzer local interface inband limit-captured-frames 0 

Use Ctrl+C to stop the capture.

Also, you can use "hardware ip glean throttle" to throttle the gleaned traffic.

 

Stay safe

Sergiu

Hi Sergiu,

 

That's great. Thanks a lot.

 

Regards

Phuc Le

jason
Level 1

Run the setup macro again and set the CoPP policy to lenient.
