[c-nsp] CoPP on 7600s

James Bensley jwbensley at gmail.com
Thu Nov 26 11:51:39 EST 2015


Hi All,

Thanks for all the valuable input!

I wrote up a CoPP policy, deployed it in a non-limiting fashion and
monitored it for a while. Once happy, we enabled the policers and it's
working fine; however, the software counters are going up, and it's not
clear to me why that is.

Further down is the config; immediately below is partial output from
an example 7600 (as the CoPP policy is quite long):


abr1#show policy-map control-plane input
 Control Plane

  Service-policy input: Control-Plane-Filter-In

  Hardware Counters:

    class-map: CoPP-Limit-and-Permit-Critical (match-any)
      Match: access-group name CoPP-Limit-and-Permit-BGP
      Match: access-group name CoPP-Limit-and-Permit-BGPv6
      Match: access-group name CoPP-Limit-and-Permit-RSVP
      Match: access-group name CoPP-Limit-and-Permit-LDP
      Match: access-group name CoPP-Limit-and-Permit-OSPF
      Match: access-group name CoPP-Limit-and-Permit-OSPFv3
      Match: access-group name CoPP-Limit-and-Permit-HSRP
      Match: access-group name CoPP-Limit-and-Permit-BFD
      police :
        10000000 bps 312000 limit 312000 extended limit
      Earl in slot 6 :
        631028621 bytes
        5 minute offered rate 86968 bps
        aggregate-forwarded 631028621 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 79648 bps exceed 0 bps

  Software Counters:

    Class-map: CoPP-Limit-and-Permit-Critical (match-any)
      4646556 packets, 411683229 bytes
      5 minute offered rate 54000 bps, drop rate 0000 bps
      Match: access-group name CoPP-Limit-and-Permit-BGP
        4035626 packets, 367873184 bytes
        5 minute rate 48000 bps
      Match: access-group name CoPP-Limit-and-Permit-BGPv6
        2101 packets, 174550 bytes
        5 minute rate 0 bps
      Match: access-group name CoPP-Limit-and-Permit-RSVP
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name CoPP-Limit-and-Permit-LDP
        173745 packets, 13108073 bytes
        5 minute rate 1000 bps
      Match: access-group name CoPP-Limit-and-Permit-OSPF
        77045 packets, 8382206 bytes
        5 minute rate 1000 bps
      Match: access-group name CoPP-Limit-and-Permit-OSPFv3
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name CoPP-Limit-and-Permit-HSRP
        358039 packets, 22145216 bytes
        5 minute rate 2000 bps
      Match: access-group name CoPP-Limit-and-Permit-BFD
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 10000000 bps, bc 312500 bytes, be 312500 bytes
        conformed 4646556 packets, 411683229 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 54000 bps, exceeded 0000 bps, violated 0000 bps


I'm not sure why traffic like BGP would match into both the hardware
and software policers, when it's such a simple match statement (I am
assuming that because the packet count under the software counters is
much lower than the ACL match count, the rest were policed by
hardware?):


abr1#show access-lists CoPP-Limit-and-Permit-BGP
Extended IP access list CoPP-Limit-and-Permit-BGP
    10 permit tcp any eq bgp any (271268749 matches)
    20 permit tcp any any eq bgp (265404502 matches)


Can anyone explain this? And what can one do to stop this?

This isn't causing any major issue (CPU usage averages 14%), however I
don't see much point in software-based CoPP; it seems like an oxymoron
to me.

Cheers,
James.



abr1#show run | s policy-map Control-Plane-Filter-In
policy-map Control-Plane-Filter-In
 class CoPP-Limit-and-Permit-Critical
  police cir 10000000 bc 312500 be 312500
   conform-action transmit
   exceed-action transmit
   violate-action drop

abr1#show run | s class-map match-any CoPP-Limit-and-Permit-Critical
class-map match-any CoPP-Limit-and-Permit-Critical
 match access-group name CoPP-Limit-and-Permit-BGP
 match access-group name CoPP-Limit-and-Permit-BGPv6
 match access-group name CoPP-Limit-and-Permit-RSVP
 match access-group name CoPP-Limit-and-Permit-LDP
 match access-group name CoPP-Limit-and-Permit-OSPF
 match access-group name CoPP-Limit-and-Permit-OSPFv3
 match access-group name CoPP-Limit-and-Permit-HSRP
 match access-group name CoPP-Limit-and-Permit-BFD

abr1#show access-lists CoPP-Limit-and-Permit-BGP
Extended IP access list CoPP-Limit-and-Permit-BGP
    10 permit tcp any eq bgp any (271268749 matches)
    20 permit tcp any any eq bgp (265404502 matches)

abr1#show access-list CoPP-Limit-and-Permit-BGPv6
IPv6 access list CoPP-Limit-and-Permit-BGPv6
    permit tcp any  eq bgp any (289479 matches) sequence 10
    permit tcp any any  eq bgp (3 matches) sequence 20

abr1#show access-list CoPP-Limit-and-Permit-RSVP
Extended IP access list CoPP-Limit-and-Permit-RSVP
    10 permit 46 any any (16834 matches)

abr1#show access-list CoPP-Limit-and-Permit-LDP
Extended IP access list CoPP-Limit-and-Permit-LDP
    10 permit tcp any any eq 646 (319014 matches)
    20 permit tcp any eq 646 any (2210932 matches)
    30 permit udp any any eq 646 (21460077 matches)
    40 permit udp any eq 646 any (230 matches)

abr1#show access-list CoPP-Limit-and-Permit-OSPF
Extended IP access list CoPP-Limit-and-Permit-OSPF
    10 permit ospf any any (10542225 matches)

abr1#show access-list CoPP-Limit-and-Permit-OSPFv3
IPv6 access list CoPP-Limit-and-Permit-OSPFv3
    permit 89 any any sequence 10

abr1#show access-list CoPP-Limit-and-Permit-HSRP
Extended IP access list CoPP-Limit-and-Permit-HSRP
    10 permit udp host 224.0.0.2 eq 1985 any
    20 permit udp any host 224.0.0.2 eq 1985 (48840573 matches)
    30 permit udp host 224.0.0.102 eq 1985 any
    40 permit udp any host 224.0.0.102 eq 1985

abr1#show access-list CoPP-Limit-and-Permit-BFD
Extended IP access list CoPP-Limit-and-Permit-BFD
    10 permit udp any any eq 3784 (17 matches)
    20 permit udp any eq 3784 any (43 matches)

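As an added example (not from the post, and not a Cisco tool), a small Python parser for the `show policy-map control-plane input` format above that collects each class's hardware-forwarded bytes and software-policer counters into one structure, so the hardware/software split asked about in the post can be compared per class and tracked across polls; the sample text is constructed from the output above, trimmed to one class.

```python
import re
# Constructed sample: the post's 'show policy-map control-plane input' output,
# trimmed to one class and one Earl (full captures list many classes and Earls).
SAMPLE = """\
  Hardware Counters:
    class-map: CoPP-Limit-and-Permit-Critical (match-any)
      Earl in slot 6 :
        631028621 bytes
        aggregate-forwarded 631028621 bytes action: transmit
  Software Counters:
    Class-map: CoPP-Limit-and-Permit-Critical (match-any)
      4646556 packets, 411683229 bytes
      Match: access-group name CoPP-Limit-and-Permit-BGP
        4035626 packets, 367873184 bytes
      police:
        conformed 4646556 packets, 411683229 bytes; actions:
        violated 0 packets, 0 bytes; actions:
"""
CLASS_RE = re.compile(r"^class-map:\s+(\S+)", re.IGNORECASE)
HW_RE = re.compile(r"^aggregate-forwarded\s+(\d+)\s+bytes")
SW_RE = re.compile(r"^(\d+)\s+packets,\s+(\d+)\s+bytes$")
VIOL_RE = re.compile(r"^violated\s+(\d+)\s+packets")

def parse_copp(text):
    """Per class: bytes the hardware policer forwarded (summed over Earls) and
    packets/bytes the software policer counted and dropped (violated)."""
    stats, section, cls, want_total = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Hardware Counters"):
            section = "hw"
        elif line.startswith("Software Counters"):
            section = "sw"
        elif CLASS_RE.match(line):
            cls = CLASS_RE.match(line).group(1)
            stats.setdefault(cls, dict(hw_bytes=0, sw_packets=0, sw_bytes=0, sw_violated=0))
            want_total = True  # the next packets/bytes line is the class total
        elif cls and section == "hw" and HW_RE.match(line):
            stats[cls]["hw_bytes"] += int(HW_RE.match(line).group(1))
        elif cls and section == "sw" and want_total and SW_RE.match(line):
            m = SW_RE.match(line)  # per-Match lines below it are skipped
            stats[cls]["sw_packets"], stats[cls]["sw_bytes"] = int(m.group(1)), int(m.group(2))
            want_total = False
        elif cls and section == "sw" and VIOL_RE.match(line):
            stats[cls]["sw_violated"] = int(VIOL_RE.match(line).group(1))
    return stats

def software_share(stats, cls):
    """Software-policer bytes as a fraction of hardware-forwarded bytes (None if no hw)."""
    return stats[cls]["sw_bytes"] / stats[cls]["hw_bytes"] if stats[cls]["hw_bytes"] else None
```

Run it against two captures taken some minutes apart and diff the per-class values: a class whose software counters keep climbing while its hardware counters stay flat is the one worth looking at first.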
