This is a super quick blog post about something that has always bothered me, plus it's a way to show you some Control Plane Policing :).
If you have ever pinged an NX-OS device, you will have noticed that it drops packets, which can cause you concern if you're pinging the device directly (it won't drop them if you are pinging something BEHIND the device, only if you're pinging the control plane itself):
--- 10.150.99.114 ping statistics ---
1000 packets transmitted, 996 packets received, 0.40% packet loss
round-trip min/avg/max = 1.147/2.313/45.684 ms
As you can see above, it's not many, around 4 packets every 1000, but it's annoying enough to bother me.
So I was learning about Control Plane Policing. Your NX-OS device comes with a bunch of control-plane policing policies by default; you can check them out by issuing "show run all".
The ones relevant to what I am working on are below:
Here is an ACL that defines the traffic:
ip access-list copp-system-p-acl-icmp
  10 permit icmp any any echo
  20 permit icmp any any echo-reply
Here is a class-map that matches this traffic (along with some other traffic types):
class-map type control-plane match-any copp-system-p-class-monitoring
  match access-group name copp-system-p-acl-icmp
  match access-group name copp-system-p-acl-icmp6
  match access-group name copp-system-p-acl-traceroute
Here is the relevant part of the policy-map that controls this traffic:
policy-map type control-plane copp-system-p-policy-strict
    set cos 1
    police cir 130 kbps bc 1000 ms conform transmit violate drop
As you can see from the above, ping packets are rate-limited to a lowly 130 kilobits per second. For me this is quite low, and I think that ping packets are not always attack vectors. So at this point I could manually modify the existing policy, create a new policy, then apply it like so:
Or alternatively, use the "copp profile" command to configure one of the preconfigured CoPP profiles:
mudcswp02core(config)# copp profile ?
  dense     The Dense Profile
  lenient   The Lenient Profile
  moderate  The Moderate Profile
  strict    The Strict Profile
The CoPP profile looks after everything, including your BGP traffic, OSPF traffic and all sorts of other traffic types, to ensure that traffic cannot overload the supervisor engine, so be careful when modifying these CoPP values. But if you see things like ping being dropped, or you can't push certain amounts of traffic over the link (maybe FTP, SSH or secure copy), this is where you can sort it out.
Speaking of which, check out the defaults for FTP:
FTP falls under the following class-map:
class-map type control-plane match-any copp-system-p-class-management
  match access-group name copp-system-p-acl-ftp
Which has the following policy set:
    set cos 2
    police cir 10000 kbps bc 250 ms conform transmit violate drop
Which, as you can see, is 10 megabits per second. Maybe you want your file transfers to the flash of the sup to go faster? Modify this value :).
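To see what the two policers quoted above actually allow, here is an added example (not from the original post and not Cisco code) that models "police cir ... bc ... conform transmit violate drop" as a token bucket. It assumes a burst given in ms means the CIR sustained for that long, and it uses a constructed 100-byte packet size; remember that the monitoring class also matches ICMPv6 and traceroute, which share the same budget.

```python
class Policer:
    """Single-rate, two-colour policer: conform transmit, violate drop."""

    def __init__(self, cir_kbps, bc_ms):
        self.rate = cir_kbps * 1000 / 8          # refill rate in bytes/second
        # Assumption: "bc <n> ms" is the CIR sustained for n milliseconds.
        self.depth = self.rate * bc_ms / 1000    # bucket depth in bytes
        self.tokens = self.depth                 # bucket starts full
        self.last = 0.0

    def offer(self, t, size):
        """Return True if a packet of `size` bytes arriving at time t conforms."""
        elapsed = t - self.last
        self.tokens = min(self.depth, self.tokens + elapsed * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size                  # conform: transmit
            return True
        return False                             # violate: drop


def simulate(cir_kbps, bc_ms, pps, size, seconds):
    """Offer a constant packet stream to a fresh policer; return (sent, dropped)."""
    policer = Policer(cir_kbps, bc_ms)
    sent = int(pps * seconds)
    dropped = sum(not policer.offer(i / pps, size) for i in range(sent))
    return sent, dropped


def sustained_pps(cir_kbps, size):
    """Highest steady packet rate the CIR admits once the burst is spent."""
    return cir_kbps * 1000 / 8 / size


if __name__ == "__main__":
    PING_BYTES = 100  # constructed packet size, not taken from the post
    # (label, cir in kbps, bc in ms) as quoted in the post
    for name, cir, bc in (("monitoring", 130, 1000), ("management", 10000, 250)):
        print(f"{name}: burst {Policer(cir, bc).depth:.0f} bytes, "
              f"ceiling {sustained_pps(cir, PING_BYTES):.1f} pps at {PING_BYTES} B")
        for pps in (1, 100, 500):
            sent, dropped = simulate(cir, bc, pps, PING_BYTES, 10)
            print(f"  {pps:>3} pps for 10 s: {dropped}/{sent} dropped")
```

Under these assumptions the 130 kbps class admits roughly 162 hundred-byte packets per second in total across everything it matches, so size any custom CIR from the monitoring load you expect on the whole class rather than from a single ping.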