CCIE DC: Control Plane Policing, speeding up FTP and ensuring pings are not dropped to your sup engine

Hi Guys

So this is a super quick blog post, just because it is something that has always bothered me, plus it is a way to show you some Control Plane Policing :).


If you have ever pinged an NX-OS device you will have noticed that it drops the odd packet. That can be alarming if you are pinging the device itself, but note that it only affects packets destined to the control plane (the supervisor); traffic forwarded through the device to something BEHIND it is switched in hardware and is not subject to this:


--- 10.150.99.114 ping statistics ---
1000 packets transmitted, 996 packets received, 0.40% packet loss
round-trip min/avg/max = 1.147/2.313/45.684 ms


As you can see above, it is not many, around 4 packets in every 1000, but it is enough to be annoying.

So I have been learning about Control Plane Policing (CoPP). Your NX-OS device ships with a set of control-plane policing policies by default. They are hidden from a plain "show run", so look at them with "show run all" (or "show policy-map type control-plane").

The ones relevant to what I am working on are below:

Here is an ACL that defines the traffic:

ip access-list copp-system-p-acl-icmp
  10 permit icmp any any echo
  20 permit icmp any any echo-reply


Here is a class-map that matches this traffic (along with some other traffic types)



class-map type control-plane match-any copp-system-p-class-monitoring
  match access-group name copp-system-p-acl-icmp
  match access-group name copp-system-p-acl-icmp6
  match access-group name copp-system-p-acl-traceroute


Here is the relevant part of the policy-map that controls this traffic:


policy-map type control-plane copp-system-p-policy-strict

  class copp-system-p-class-monitoring
    set cos 1
    police cir 130 kbps bc 1000 ms conform transmit violate drop


As you can see from the above, ICMP echo and echo-reply to the supervisor are policed to a lowly 130 kilobits per second with a 1000 ms burst, and anything over that is dropped, not queued. That limit exists for a reason: ICMP is a cheap way to flood a control-plane CPU, and this policer is what keeps a ping flood from starving BGP, OSPF and the rest of the supervisor of cycles. For me it is too low, since the pings are mine and not an attack, but before raising it check "show policy-map interface control-plane": if the monitoring class shows violated bytes, the policer is the cause; if it shows none, the loss is coming from somewhere else and a bigger bucket will not help. On current releases the copp-system-p-* policies are read-only, so rather than editing them in place the usual approach is to copy the profile into a policy of your own ("copp copy profile strict prefix <name>" does this on releases that support it), raise the rate in the copied monitoring class, and apply the new policy under control-plane like so:


control-plane
  service-policy input <your-copp-policy-map>

!

Or, alternatively, use the "copp profile" command to switch the device to one of the preconfigured CoPP profiles:


mudcswp02core(config)# copp profile ?
  dense     The Dense   Profile
  lenient   The Lenient Profile
  moderate  The Moderate Profile
  strict    The Strict Profile
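To make concrete what a line like "police cir 130 kbps bc 1000 ms conform transmit violate drop" does to your pings, here is an added example that is not code from the original post or from Cisco. It models the policer as a single-rate, two-colour token bucket (the bucket holds bc milliseconds' worth of cir and refills at cir; a packet conforms only if its size fits in the bucket), which is the documented semantics, although the hardware implementation may differ in detail. The function names, the 84-byte ping (20 IP + 8 ICMP + 56 data, a typical default) and the arrival patterns are all constructed for illustration; the same model applies to the management class rates later in this post.

```python
"""Token-bucket model of an NX-OS CoPP policer (added example, not Cisco code).

Models "police cir <kbps> kbps bc <ms> ms conform transmit violate drop" for the
copp-system-p-class-monitoring class: a bucket of bc milliseconds' worth of cir,
refilled at cir, with packets that do not fit being dropped (violate action).
"""


def burst_bytes(cir_kbps: int, bc_ms: int) -> float:
    """Bucket depth in bytes: cir (bits/s) * bc (s) / 8."""
    return cir_kbps * 1000 * (bc_ms / 1000) / 8


def police(cir_kbps: int, bc_ms: int, arrivals):
    """Run (time_s, size_bytes) arrivals through the policer.

    Returns (conformed, violated) packet counts, the same two quantities that
    "show policy-map interface control-plane" reports per class (in bytes).
    """
    capacity = burst_bytes(cir_kbps, bc_ms)
    refill_per_s = cir_kbps * 125           # kbit/s -> bytes/s
    tokens = capacity                       # bucket starts full
    last_t = 0.0
    conformed = violated = 0
    for t, size in arrivals:
        # refill in proportion to elapsed time, never beyond the bucket depth
        tokens = min(capacity, tokens + (t - last_t) * refill_per_s)
        last_t = t
        if size <= tokens:
            tokens -= size
            conformed += 1                  # conform action: transmit
        else:
            violated += 1                   # violate action: drop
    return conformed, violated


def steady_pings(pps: float, count: int, size: int = 84):
    """A well-behaved ping: `count` packets evenly spaced at `pps` per second."""
    return [(i / pps, size) for i in range(count)]


def ping_flood(count: int, within_s: float, size: int = 84):
    """An ICMP flood: `count` packets crammed into `within_s` seconds."""
    return [(i * within_s / count, size) for i in range(count)]


if __name__ == "__main__":
    strict = (130, 1000)        # copp-system-p-policy-strict, monitoring class
    relaxed = (1000, 1000)      # hypothetical raised rate for the same class
    print("bucket depth, strict:", burst_bytes(*strict), "bytes")
    print("1000 pings at 1 pps, strict  :", police(*strict, steady_pings(1, 1000)))
    print("1000 pings in 100 ms, strict :", police(*strict, ping_flood(1000, 0.1)))
    print("1000 pings in 100 ms, 1 Mbps :", police(*relaxed, ping_flood(1000, 0.1)))
```

The steady 1 pps ping never drains a 16250-byte bucket, so on the model alone 130 kbps should not be losing 4 pings in 1000 at that rate; the flood case shows what the policer is really for, and the raised rate shows the trade-off, since at 1 Mbps the same flood reaches the supervisor untouched.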

 

The CoPP profile looks after everything that is punted to the supervisor, from your BGP and OSPF adjacencies down to ICMP and management traffic, so that no one traffic type can overload the supervisor engine. That makes it a security control as much as a QoS one: every rate you raise is also more of that traffic an attacker can push at the CPU before the policer steps in, so be careful when modifying it, and change the one class you need rather than loosening the whole profile. That said, if you see things like ping being dropped, or you cannot push the throughput you expect to the device itself (FTP, SSH or secure copy to the supervisor, for instance), this is where you sort it out.
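Before touching any rate it is worth knowing which class is actually dropping, and the place to look is "show policy-map interface control-plane", which prints conformed and violated byte counters per class and per module. The script below is an added example, not code from the original post or from Cisco: it parses that output and lists the classes with drops, worst first. The SAMPLE text is constructed in the shape of that command's output on a Nexus 7000 (the counters are invented to match the 996/1000 pings seen earlier at 84 bytes each), and the function names are my own.

```python
"""List the CoPP classes whose policer is dropping traffic (added example).

Parses the per-class, per-module counters of
"show policy-map interface control-plane" on NX-OS. SAMPLE below is constructed
in the shape of that output, not captured from a real switch.
"""
import re
from collections import defaultdict

SAMPLE = """\
Control Plane

  service-policy  input: copp-system-p-policy-strict

    class-map copp-system-p-class-critical (match-any)
      match access-group name copp-system-p-acl-bgp
      set cos 7
      police cir 39600 kbps , bc 250 ms
      conform action: transmit
      violate action: drop
      module 1 :
        conformed 19014 bytes; action: transmit
        violated 0 bytes; action: drop

    class-map copp-system-p-class-monitoring (match-any)
      match access-group name copp-system-p-acl-icmp
      match access-group name copp-system-p-acl-icmp6
      match access-group name copp-system-p-acl-traceroute
      set cos 1
      police cir 130 kbps , bc 1000 ms
      conform action: transmit
      violate action: drop
      module 1 :
        conformed 83664 bytes; action: transmit
        violated 336 bytes; action: drop
      module 2 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop

    class-map copp-system-p-class-management (match-any)
      match access-group name copp-system-p-acl-ftp
      set cos 2
      police cir 10000 kbps , bc 250 ms
      conform action: transmit
      violate action: drop
      module 1 :
        conformed 2000000 bytes; action: transmit
        violated 0 bytes; action: drop
"""

CLASS_RE = re.compile(r"^\s*class-map\s+(\S+)")
COUNTER_RE = re.compile(r"^\s*(conformed|violated)\s+(\d+)\s+bytes")


def parse_copp_counters(text):
    """Sum conformed and violated bytes per class across all modules."""
    totals = defaultdict(lambda: {"conformed": 0, "violated": 0})
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            totals[current]          # register the class even with no counters
            continue
        m = COUNTER_RE.match(line)
        if m and current:
            totals[current][m.group(1)] += int(m.group(2))
    return dict(totals)


def violating_classes(totals):
    """(class, dropped bytes, drop ratio) for classes with drops, worst first."""
    rows = []
    for name, c in totals.items():
        seen = c["conformed"] + c["violated"]
        if c["violated"]:
            rows.append((name, c["violated"], c["violated"] / seen))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, dropped, ratio in violating_classes(parse_copp_counters(SAMPLE)):
        print(f"{name}: {dropped} bytes dropped ({ratio:.2%})")
```

Paste the real command output in place of SAMPLE (or pipe it in); if the class you are about to loosen shows zero violated bytes, the policer is not what is dropping your packets.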

Speaking of which, check out the defaults for FTP:

FTP falls under the following class-map:

class-map type control-plane match-any copp-system-p-class-management
  match access-group name copp-system-p-acl-ftp



Which has the following policy set:


  class copp-system-p-class-management
    set cos 2
    police cir 10000 kbps bc 250 ms conform transmit violate drop 


As you can see, that is 10 megabits per second with a 250 ms burst. If you want file copies to the supervisor's bootflash to go faster, this is the value to raise, with two caveats: in the default configuration this management class also matches other management protocols (SSH, Telnet, TFTP and so on), so the new rate applies to all of them, and a higher rate is also more traffic an attacker can aim at the supervisor, so keep management access limited to trusted sources rather than relying on the policer alone :).






Comments:

  1. I guess CoPP in NX-OS has varied with the years. I remember the first N7K I saw had all that CoPP stuff at the starting config and it was rather annoying if it was the default. They were running 4.1 I believe.

    In my current N5K running 6.0(2) nothing comes up if I issue a "show run all | i copp". However, I can get into "control-plane" and configure as a "service-policy" any of the predefined CoPP policy maps that I see if I issue "show policy-map type control-plane".

    I'm wondering what Nexus platform and which NX-OS version you used for your tests.
