So this is a super quick blog post just because it was something that always bothered me, plus it's a way to show you some Control Plane Policing :).
If you have ever pinged an NX-OS device, you will have noticed that it drops packets, which can be concerning if you're pinging the device directly (it won't drop them if you are pinging something BEHIND the device, only if you're pinging the control plane itself):
--- 10.150.99.114 ping statistics ---
1000 packets transmitted, 996 packets received, 0.40% packet loss
round-trip min/avg/max = 1.147/2.313/45.684 ms
As you can see above, it's not many, around 4 packets every 1000, but it's annoying enough to bother me.
So I was learning about Control Plane Policing (CoPP). Your NX-OS device comes with a bunch of control-plane policing policies by default; you can check them out by issuing show run all.
The ones relevant to what I am working on are below.
Here is an ACL that defines the traffic:
ip access-list copp-system-p-acl-icmp
  10 permit icmp any any echo
  20 permit icmp any any echo-reply
Here is a class-map that matches this traffic (along with some other traffic types):
class-map type control-plane match-any copp-system-p-class-monitoring
  match access-group name copp-system-p-acl-icmp
  match access-group name copp-system-p-acl-icmp6
  match access-group name copp-system-p-acl-traceroute
Here is the relevant part of the policy-map that controls this traffic:
policy-map type control-plane copp-system-p-policy-strict
  class copp-system-p-class-monitoring
    set cos 1
    police cir 130 kbps bc 1000 ms conform transmit violate drop
As you can see from the above, ping packets are rate-limited to a lowly 130 kilobits per second. For me this is quite low, and I think that ping packets are not always attack vectors. So at this point I could manually modify the existing policy, create a new policy, then apply it like so:
control-plane
  service-policy input
!
Or alternatively, use the "copp profile" command to configure one of the preconfigured CoPP profiles:
mudcswp02core(config)# copp profile ?
  dense     The Dense Profile
  lenient   The Lenient Profile
  moderate  The Moderate Profile
  strict    The Strict Profile
The CoPP profile looks after everything, from your BGP traffic and OSPF traffic to all sorts of other traffic types, to ensure that traffic cannot overload the supervisor engine. So be careful when modifying these CoPP values. But if you see things like ping being dropped, or you can't push certain amounts of traffic over the link (maybe FTP or SSH or secure copy), this is where you can sort it out.
Speaking of which, check out the defaults for FTP:
FTP falls under the following class-map:
class-map type control-plane match-any copp-system-p-class-management
  match access-group name copp-system-p-acl-ftp
Which has the following policy set:
  class copp-system-p-class-management
    set cos 2
    police cir 10000 kbps bc 250 ms conform transmit violate drop
Which, as you can see, is 10 megabits per second. Maybe you want your file transfers to the flash of the sup to go faster? Modify this value :).
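As an added example (not part of the original post and not Cisco code), this Python sketch parses the CoPP lines quoted above and reports, per class, which ACLs share one policer, the CIR in bits per second and the burst in bytes. It assumes that a burst given in ms means the bytes sent at CIR during that time; the names copp_summary and max_pps are hypothetical.

```python
import re

# Constructed sample: the CoPP lines quoted in this post, re-indented.
SAMPLE = """\
class-map type control-plane match-any copp-system-p-class-monitoring
  match access-group name copp-system-p-acl-icmp
  match access-group name copp-system-p-acl-icmp6
  match access-group name copp-system-p-acl-traceroute
class-map type control-plane match-any copp-system-p-class-management
  match access-group name copp-system-p-acl-ftp
policy-map type control-plane copp-system-p-policy-strict
  class copp-system-p-class-monitoring
    set cos 1
    police cir 130 kbps bc 1000 ms conform transmit violate drop
  class copp-system-p-class-management
    set cos 2
    police cir 10000 kbps bc 250 ms conform transmit violate drop
"""

POLICE = re.compile(r"police cir (\d+) (bps|kbps|mbps|gbps) bc (\d+) ms")
UNIT = {"bps": 1, "kbps": 10**3, "mbps": 10**6, "gbps": 10**9}

def copp_summary(config):
    """Map each policed class to its ACLs, CIR (bit/s) and burst (bytes)."""
    acls, out, section, current = {}, {}, None, None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["class-map", "type", "control-plane"]:
            section, current = "cmap", words[-1]
        elif words[:3] == ["policy-map", "type", "control-plane"]:
            section, current = "pmap", None
        elif section == "cmap" and words[:3] == ["match", "access-group", "name"]:
            acls.setdefault(current, []).append(words[3])
        elif section == "pmap" and words[:1] == ["class"]:
            current = words[-1]
        elif section == "pmap" and current and (m := POLICE.search(line)):
            cir = int(m.group(1)) * UNIT[m.group(2)]
            # Assumption: "bc N ms" is the number of bytes sent at CIR in N ms.
            out[current] = {"acls": acls.get(current, []), "cir_bps": cir,
                            "burst_bytes": cir * int(m.group(3)) // 8000}
    return out

def max_pps(cir_bps, packet_bytes):
    """Sustained packets/second that conform for one packet size."""
    return cir_bps // (packet_bytes * 8)

if __name__ == "__main__":
    for name, c in copp_summary(SAMPLE).items():
        print(name, c, "pps at 100 B:", max_pps(c["cir_bps"], 100))
```

The output makes visible that echo, ICMPv6 and traceroute traffic all draw from the same 130 kbps budget, so a ping can be dropped because of other monitoring traffic hitting the supervisor at the same moment.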
I guess CoPP in NX-OS has varied with the years. I remember the first N7K I saw had all that CoPP stuff at the starting config and it was rather annoying if it was the default. They were running 4.1 I believe.
In my current N5K running 6.0(2) nothing comes up if I issue a "show run all | i copp". However, I can get into "control-plane" and configure as a "service-policy" any of the predefined CoPP policy maps that I see if I issue "show policy-map type control-plane".
I'm wondering what Nexus platform and which NX-OS version you used for your tests.