[c-nsp] CoPP Policy Reco
    Kazmi, Zeeshan 
    Zeeshan.Kazmi at pfizer.com
       
    Tue Jan 31 14:15:50 EST 2006
    
    
  
Hi List,
 
We have been experiencing network drop issues while doing large
transfers between servers, and specifically failures when doing burst
transfers to backup IOS images from our two CORE 6500s.  We have
determined that this is caused by CoPP (Control Plane Policies) for the
TCP drops and UDP MLS Rate Limiters in case of TFTP.  This can also be
easily simulated by doing a "ping x.x.x.x rep 100" to anywhere, which is
being affected by the CoPP-monitoring policy. See example below pinging
between the two cores:
 
CORE2#ping 1.1.1.2 rep 100
 
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!!!!!.!!!!!!!!!.!!!!!!!!!.!!!!!!!!!.!!!!!!!!!.!!!!!!!!!.!!!!!!!!!.
!!!!!!!!!!.!!!!!!!!!.!!!!!!!!!
Success rate is 91 percent (91/100), round-trip min/avg/max = 1/1/28 ms
 
Wondering if someone can please help me understand the configuration and
especially the numbers that are set in our switch for CoPP, MLS, and QoS,
and any possible recommendations.  The following sections specifically:
 
 
MLS Section
mls ip multicast flow-stat-timer 9
mls flow ip interface-destination-source
no mls flow ipv6
mls qos map cos-dscp 0 8 16 24 32 46 48 54
mls qos aggregate-policer udp_flow 5000000 2000 2000 conform-action transmit exceed-action drop
mls qos
mls cef error action freeze
 
CoPP Section
class-map match-all cppclass-monitoring
  match access-group name cppacl-monitoring
class-map match-all cppclass-management
  match access-group name cppacl-management
class-map match-all cppclass-hsrp
  match access-group name cppacl-hsrp
class-map match-all cppclass-default
  match access-group name cppclass-default
class-map match-all udp_class
  match access-group 101
class-map match-all cppclass-undesirable
  match access-group name cppacl-undesirable
class-map match-all cppclass-igp
  match access-group name cppacl-igp
!
!
policy-map cpp-policy
  class cppclass-igp
  class cppclass-hsrp
  class cppclass-management
     police 600000 18750 18750 conform-action transmit exceed-action drop
  class cppclass-monitoring
     police 32000 1500 1500 conform-action transmit exceed-action drop
  class cppclass-undesirable
     police 32000 1500 1500 conform-action transmit exceed-action drop
  class cppclass-default
     police 128000 4000 4000 conform-action transmit exceed-action drop
policy-map udp_policer
  class udp_class
      police aggregate udp_flow
 
ip access-list extended cppacl-hsrp
 remark HSRP traffic class
 permit udp any host 224.0.0.2
ip access-list extended cppacl-igp
 remark IGP traffic class
 permit eigrp any host 224.0.0.10
 permit eigrp any any
ip access-list extended cppacl-management
 permit tcp 1.0.0.0 0.255.255.255 any eq telnet
 permit tcp 1.0.0.0 0.255.255.255 any eq 22
 permit udp host 192.168.1.1 any eq ntp
 permit udp host 172.16.1.1 any eq ntp
 permit udp 1.1.1.0 0.0.0.255 any eq snmp
ip access-list extended cppacl-monitoring
 permit icmp any any echo-reply
 permit icmp any any echo
ip access-list extended cppacl-undesirable
 remark undesirable class
ip access-list extended cppclass-default
 permit ip any any
 
 
 
Normal Port QoS (what do all the "wrr" numbers mean)
interface GigabitEthernet3/1
 no ip address
 wrr-queue bandwidth 30 70
 wrr-queue queue-limit 40 30
 wrr-queue random-detect min-threshold 1 40 80
 wrr-queue random-detect min-threshold 2 70 80
 wrr-queue random-detect max-threshold 1 80 100
 wrr-queue random-detect max-threshold 2 80 100
 wrr-queue cos-map 1 1 1
 wrr-queue cos-map 1 2 0
 wrr-queue cos-map 2 1 2 3 4
 wrr-queue cos-map 2 2 6 7
 rcv-queue cos-map 1 1 0 1 2 4 6 7
 rcv-queue cos-map 1 2 3 5
 mls qos trust cos
 switchport
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 200
 spanning-tree portfast
 
 
Thank you!
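
Added example, not part of the original post: a single-rate token-bucket model of the `police <bps> <burst-bytes> <burst-bytes>` lines above, fed the "ping rep 100" pattern, to show why a small burst gives periodic loss. `Policer` and `ping_run` are hypothetical names; the full starting bucket, 100 bytes counted per packet, 1 ms reply time and 2 s timeout are assumptions, and real supervisor hardware meters differently, so the count will not match the 91/100 above exactly.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    """Single-rate policer: conform-action transmit, exceed-action drop."""
    rate_bps: int      # first number on the police line (bits per second)
    burst_bytes: int   # second number on the police line (bucket depth)

    def __post_init__(self):
        self.tokens = self.burst_bytes * 8   # bits; assumed to start full
        self.last_ms = 0

    def conform(self, now_ms, size_bytes):
        """Refill for the elapsed time, then try to spend one packet."""
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        refill = self.rate_bps * elapsed // 1000
        self.tokens = min(self.burst_bytes * 8, self.tokens + refill)
        need = size_bytes * 8
        if self.tokens >= need:
            self.tokens -= need
            return True        # conform: transmit
        return False           # exceed: drop


def ping_run(policer, count=100, size=100, rtt_ms=1, timeout_ms=2000):
    """Mimic IOS ping: next echo goes out on reply, or after the timeout."""
    now, marks = 0, []
    for _ in range(count):
        ok = policer.conform(now, size)
        marks.append("!" if ok else ".")
        now += rtt_ms if ok else timeout_ms
    return "".join(marks)


if __name__ == "__main__":
    # cppclass-monitoring: police 32000 1500 1500
    monitoring = ping_run(Policer(32000, 1500))
    print(monitoring, monitoring.count("!"), "of 100")
    # What-if only: the same pings against the numbers on the
    # cppclass-management line (police 600000 18750 18750)
    management = ping_run(Policer(600000, 18750))
    print(management, management.count("!"), "of 100")
```

In this model the 1500-byte bucket drains after 15 back-to-back pings, the dropped ping forces a 2-second wait that refills it, and the cycle repeats.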
 
    
    