[c-nsp] CoPP Hardware Counters on RSP720/7600

Sebastian Wiesinger cisco-nsp at tracker.fire-world.de
Sat Sep 20 11:05:16 EDT 2008


Hello,

I'm implementing a control plane policy for a 7600/RSP720 box. In this
policy I have a class-map which matches icmp packets and polices them.
That works fine, when I flood-ping the box there are icmp packets lost
when the policer drops packets. The only thing that bothers me is that
the hardware counters do not count up, only the software counters
display an accurate packet count. The box is running 12.2SRC

Is there a way to be sure that the packets are policed/dropped in
hardware?

These are the counters from "show policy-map control-plane input":

  Hardware Counters:



    class-map: copp-monitoring (match-any)

      Match: access-group name copp-monitoring

      police :

        248000 bps 45000 limit 45000 extended limit

      Earl in slot 5 :

        562294 bytes

        5 minute offered rate 0 bps

        aggregate-forwarded 562294 bytes action: transmit

        exceeded 0 bytes action: drop

        aggregate-forward 0 bps exceed 0 bps



  Software Counters:



    Class-map: copp-monitoring (match-any)

      217841 packets, 17517388 bytes

      5 minute offered rate 1000 bps, drop rate 0 bps

      Match: access-group name copp-monitoring

        217841 packets, 17517388 bytes

        5 minute rate 1000 bps

      police:

          cir 250000 bps, bc 45000 bytes, be 45000 bytes

        conformed 215999 packets, 17336692 bytes; actions:

          transmit

        exceeded 459 packets, 44982 bytes; actions:

          drop

        violated 1395 packets, 136650 bytes; actions:

          drop

        conformed 1000 bps, exceed 0 bps, violate 0 bps



#sh class-map copp-monitoring

 Class Map match-any copp-monitoring (id 3)
   Match access-group name copp-monitoring

#sh access-lists copp-monitoring
Extended IP access list copp-monitoring
    10 permit icmp any any ttl-exceeded (1 match)
    20 permit icmp any any port-unreachable (2 matches)
    30 permit icmp any any echo-reply (78 matches)
    40 permit icmp any any echo (310459 matches)

#sh mls qos ip
 QoS Summary [IPv4]:      (* - shared aggregates, Mod - switch module)

      Int Mod Dir  Class-map DSCP  Agg  Trust Fl   AgForward-By   AgPoliced-By
                                   Id         Id
-------------------------------------------------------------------------------
       CPP  5  In copp-manag    0    0*    No  0            n/a            n/a
       CPP  5  In   copp-bgp    0    0*    No  0            n/a            n/a
       CPP  5  In  copp-ospf    0    0*    No  0            n/a            n/a
       CPP  5  In copp-crit-    0    0*    No  0            n/a            n/a
       CPP  5  In copp-tunne    0    0*    No  0            n/a            n/a
       CPP  5  In copp-monit    0    1   dscp  0         566066              0
       CPP  5  In class-defa    0    2   dscp  0      122496813              0

       All  5   -    Default    0    0*    No  0    69655086564              0

Regards,

Sebastian

-- 
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant


More information about the cisco-nsp mailing list