[c-nsp] monitoring dropped CoPP packets ?

Tóth András diosbejgli at gmail.com
Fri Jan 4 20:31:07 EST 2013


Hi Jeffrey,

Currently there's no simple option to show which packets are dropped or see
which actual match statement is causing drops. There's an enhancement
request filed already for doing SPAN of CoPP drops though.

You can try one of the following options:
1) Create a copy of the default copp policy with the 'copp copy profile'
command and spread the match statements so you have one per class, then
apply the new policy. See the CoPP config guide below.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter_011001.html

2) Do an ethanalyzer capture to see what packets are arriving at the CPU.
Although this will not show the dropped packets obviously, it might give
you an indication which packets are coming in at a high rate, for example if
you see a high number of ARP packets, most likely the drops are due to "match
protocol arp".

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.html
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps11541/white_paper_c11-673817_ps9670_Products_White_Paper.html

Best regards,
Andras



On Fri, Jan 4, 2013 at 6:19 PM, Jeffrey G. Fitzwater <jfitz at princeton.edu> wrote:

> nexus 7k with sup-1  5.2
>
>
> How can I tell which MATCH statement within a CLASS-MAP is causing CoPP
> drops shown in example below?
>
>
> Here are the two I am concerned with.  The CoPP stats were cleared 10 min
> prior to this output.
>
>
>
>
> ----------------------
> class-map copp-system-class-normal (match-any)
>      match access-group name copp-system-acl-dhcp
>      match access-group name copp-system-acl-mac-dot1x
>      match redirect dhcp-snoop
>      match protocol arp
>      set cos 1
>      police cir 680 kbps , bc 250 ms
>      module 1 :
>        conformed 4741991 bytes; action: transmit
>        violated 235956 bytes; action: drop
>
>
>
>
> class-map copp-system-class-l2-default (match-any)
>      match access-group name copp-system-acl-mac-undesirable
>      match protocol mpls
>      police cir 100 kbps , bc 250 ms
>      module 1 :
>        conformed 1038344 bytes; action: transmit
>        violated 1333130 bytes; action: drop
>
> ----------------------
>
>
>
> Thanks for any help;
>
>
>
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>
>
>
>
>
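
Added example, not part of the original thread and not Cisco tooling: a Python parser for the per-class CoPP counters in the layout quoted above. It ranks classes by violated share and lists the match statements sharing each policer, which are the candidates to split into one-per-class under option 1. The function names and the 600-second window (the 10 minutes stated in the question) are assumptions of this example.

```python
import re
# Constructed sample: the counters quoted in the thread, in the same layout.
SAMPLE = """\
class-map copp-system-class-normal (match-any)
     match access-group name copp-system-acl-dhcp
     match access-group name copp-system-acl-mac-dot1x
     match redirect dhcp-snoop
     match protocol arp
     set cos 1
     police cir 680 kbps , bc 250 ms
     module 1 :
       conformed 4741991 bytes; action: transmit
       violated 235956 bytes; action: drop

class-map copp-system-class-l2-default (match-any)
     match access-group name copp-system-acl-mac-undesirable
     match protocol mpls
     police cir 100 kbps , bc 250 ms
     module 1 :
       conformed 1038344 bytes; action: transmit
       violated 1333130 bytes; action: drop
"""

def parse_copp(text):
    """Return {class: {matches, conformed, violated}}, byte counters summed over modules."""
    classes, cur = {}, None
    for line in text.splitlines():
        line = line.strip().lstrip("> ").strip()  # tolerate e-mail quoting
        if m := re.match(r"class-map (\S+)", line):
            cur = classes.setdefault(m.group(1), {"matches": [], "conformed": 0, "violated": 0})
        elif cur is not None and line.startswith("match "):
            cur["matches"].append(line[len("match "):])
        elif cur is not None and (m := re.match(r"(conformed|violated) (\d+) bytes", line)):
            cur[m.group(1)] += int(m.group(2))
    return classes

def rank_by_drops(classes, window_s):
    """Sort classes by violated share; window_s is the time since counters were cleared."""
    rows = []
    for name, c in classes.items():
        total = c["conformed"] + c["violated"]
        share = c["violated"] / total if total else 0.0
        offered_kbps = total * 8 / window_s / 1000  # average offered load over the window
        rows.append((name, round(share, 3), round(offered_kbps, 1), c["matches"]))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for name, share, kbps, matches in rank_by_drops(parse_copp(SAMPLE), window_s=600):
        print(f"{name}: {share:.1%} violated, avg offered {kbps} kbps, candidates: {matches}")
```

An average offered rate below the class's police cir together with nonzero violated bytes points to bursts rather than sustained load, which is the kind of pattern an ethanalyzer capture (option 2) can help attribute to a protocol.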

