Control Plane Policing Configuration
This chapter contains basic information and a sample configuration of CPU queue properties. The device has multiple CPU queues for managing and classifying control traffic and offers rate limiters for control plane protection. Various types of CPU port-bound packets are queued into different CPU queues, each with different properties such as rate, queue limit, monitoring status, and drop status.
Control plane policing (CoPP) manages the traffic flow destined to the host router CPU for control plane processing. CoPP limits the traffic forwarded to the host CPU so that it does not degrade system performance.
1. CoPP organizes the handling of control packets by providing per-protocol hardware CPU queues, so control packets are queued in different CPU queues based on protocol.
2. Per-protocol CPU queue rate limits and buffer allocations are programmed during router initialization, so every CPU queue is rate-limited to a default stable and balanced behavior across protocols.
3. When control packets are received at a higher rate than the programmed rate, the excess traffic is dropped at the queue level in the packet processor hardware itself.
4. All CPU queues are pre-programmed with default rate limits and buffer allocations to ensure a default stable and balanced behavior across protocols.
Topology
A network traffic simulator device connects to a router (R1) to generate and send various types of network traffic. The router, which has CoPP configured, manages and limits traffic destined for its CPU using multiple CPU queues with specific properties for different control traffic types. Another traffic simulator device connects to the router to generate or receive traffic, testing the router's CPU queues and CoPP configurations to handle different traffic loads and types.
Simple configuration of CPU Queuing
The CPU queue rates are listed for each protocol queue.
Table 4-39: Default CPU queues
Protocol Queues | Default Rate in packets per second (PPS) | Maximum configurable rate (PPS) | Description |
---|---|---|---|
Best-effort | 2113 | 2113 | L3 Known Unicast packet matching the local route (not matching any other rule). |
IPMC-miss | 2113 | 2113 | IP Multicast Route-DST-Lookup miss packets. |
L3-miss | 211 | 211 | IP L3 Route-DST-Lookup miss packets. |
SFLOW | 32000 | 100000 | SFLOW Sampled Packets |
BGP | 1500 | 1500 | BGP packets with TCP port 179 (both Server and Client) |
VRRP | 1024 | 1024 | VRRP IPv4/IPv6 packets: IP protocol number 112 |
LDP-RSVP | 500 | 500 | RSVP and LDP packets. RSVP: IP protocol 46; LDP: L4 source/destination port number 646 |
RIP | 500 | 500 | RIP/RIPv1/RIPNG packets: UDP DST port 520/521 |
OSPF | 2000 | 2000 | OSPF packets (IP protocol 89) |
DHCP | 100 | 2048 | DHCP IPv4/IPv6 server/client packets. UDP source/destination port numbers: IPv4 (67/68), IPv6 (546/547) |
ND | 6000 | 6000 | ICMPv6 packets: IP next header number 58 |
PIM | 4000 | 4000 | Protocol Independent Multicast packets: IP protocol number 103 and DMAC: 01:00:5e:00:00:0D |
ARP | 6000 | 6000 | ARP packets: Ether-type 0x0806 |
IGMP | 4000 | 4000 | Internet Group Management Protocol (IP protocol 2) |
BPDU | 10000 | 10000 | xSTP: DMAC 0180:C200:0000; Provider Bridging: DMAC 0180:C200:0008; LACP: DMAC 0180:C200:0002, ethertype 0x8809, subtype 1/2; DOT1X/AUTHD: DMAC 0180:C200:0003; LLDP: DMAC 0180:C200:000E; EFM: DMAC 0180:C200:0002, ethertype 0x8809, subtype 3; ELMI: DMAC 0180:C200:0007; LBD: DMAC 010f:E200:0007, ethertype 0x8918; MCEC IDP: UDP source/destination port 1025; MLAG PDU: DMAC 0180:C200:0000 |
CCM | 1000 | 1000 | UDLD mode: DMAC 0100.0CCC.CCCC; CFM packets: Ether type 0x8902, DMAC 0108.c200.0030; G8032 packets: DMAC 0119:A700:00XX |
BFD | 2000 | 2000 | Software-BFD single-hop packets: UDP port 3784, TTL 255; Software-BFD multi-hop packets: UDP port 4784 |
IS-IS | 500 | 1000 | ISIS (DMAC 0180:C200:0014/0015); ESIS (DMAC 0900:2B00:0004/0005). Note: ESIS = End System-to-Intermediate System (ISIS point-to-point case) |
ACL | 200 | 200 | ACL based logging packets |
VXLAN | 500 | 500 | ARP, RARP and ND cache queue for packets coming on VXLAN access ports |
DAIVM | 100 | 500 | Guest VM packets |
Validate the default CPU queue rates by using the show cpu-queue details command.
R1#show cpu-queue details
* - Can not configure the parameter
Cpu queue Rate In PPS Monitor Status Lossy Status
Name Configured Default Max Rate Allowed Configured Default Configured Default
=========== ========== ======= ================ =========== ========== =========== ==========
best-effort - 2113 2113 - * no-monitor - * lossy
ipmc-miss - 2113 2113 - * no-monitor - * lossy
l3-miss - 211 211 - * no-monitor - * lossy
sflow - 32000 100000 - monitor - * lossy
bgp - 1500 1500 - monitor - lossless
vrrp - 1024 1024 - monitor - lossless
rip - 500 500 - monitor - lossless
ospf - 2000 2000 - monitor - lossless
dhcp - 100 2048 - no-monitor - lossy
nd - 6000 6000 - monitor - lossless
pim - 4000 4000 - * no-monitor - * lossy
arp - 6000 6000 - monitor - lossless
igmp - 4000 4000 - * no-monitor - * lossy
bpdu - 10000 10000 - monitor - lossless
ccm - 1000 1000 - no-monitor - lossy
bfd - 2000 2000 - no-monitor - lossy
ptp - 1000 1000 - no-monitor - lossy
isis - 500 1000 - monitor - lossless
trill-isis - 1000 1000 - monitor - lossless
acl - 200 1000 - * no-monitor - * lossy
vxlan - 500 500 - monitor - lossy
daivm - 100 500 - no-monitor - lossy
Note:
• Enable the feature before validating the CPU queue for each protocol.
• The monitor option starts generating operational logs for the number of dropped packets and the percentage.
OcNOS(config)#2021 Nov 16 11:40:24.188 : OcNOS : HSL : CRITI : [CPU_QUEUE_IS_FULL_2]: 967368133 packets dropped at queue bpdu due to queue full. Average CPU queue rate is 99% (499 pkts/sec).
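The monitor log shown above can feed drop detection. The following is an added example, not part of the original documentation: it parses CPU_QUEUE_IS_FULL messages and summarizes them per queue, marking queues whose default is lossless in the show cpu-queue details output. The regular expression is inferred from the single sample message on this page and is an assumption, as are the function names; all sample lines except the first are constructed.

```python
import re

# Queues shown with a default of "lossless" in the show cpu-queue details output.
DEFAULT_LOSSLESS = {"bgp", "vrrp", "rip", "ospf", "nd", "arp",
                    "bpdu", "isis", "trill-isis"}

# Assumption: message layout inferred from the one sample line on this page.
FULL_RE = re.compile(
    r"\[CPU_QUEUE_IS_FULL_\d+\]:\s*(?P<dropped>\d+) packets dropped at queue "
    r"(?P<queue>[\w-]+) due to queue full\.\s*Average CPU queue rate is "
    r"(?P<pct>\d+)% \((?P<pps>\d+) pkts/sec\)"
)

def parse_queue_full(line):
    """Return the fields of one queue-full message, or None for other lines."""
    m = FULL_RE.search(line)
    if not m:
        return None
    return {"queue": m["queue"], "dropped": int(m["dropped"]),
            "util_pct": int(m["pct"]), "pps": int(m["pps"])}

def summarize(lines):
    """Group queue-full events per queue for alerting or triage."""
    out = {}
    for line in lines:
        ev = parse_queue_full(line)
        if ev is None:
            continue
        s = out.setdefault(ev["queue"], {
            "events": 0, "max_dropped": 0, "max_util_pct": 0,
            "default_lossless": ev["queue"] in DEFAULT_LOSSLESS})
        s["events"] += 1
        s["max_dropped"] = max(s["max_dropped"], ev["dropped"])
        s["max_util_pct"] = max(s["max_util_pct"], ev["util_pct"])
    return out

SAMPLE = [
    # Message as shown on this page.
    "OcNOS(config)#2021 Nov 16 11:40:24.188 : OcNOS : HSL : CRITI : [CPU_QUEUE_IS_FULL_2]: 967368133 packets dropped at queue bpdu due to queue full. Average CPU queue rate is 99% (499 pkts/sec).",
    # Constructed lines for illustration.
    "2021 Nov 16 11:40:54.201 : OcNOS : HSL : CRITI : [CPU_QUEUE_IS_FULL_2]: 967383000 packets dropped at queue bpdu due to queue full. Average CPU queue rate is 100% (500 pkts/sec).",
    "2021 Nov 16 11:41:02.010 : OcNOS : HSL : CRITI : [CPU_QUEUE_IS_FULL_2]: 120 packets dropped at queue sflow due to queue full. Average CPU queue rate is 98% (31360 pkts/sec).",
    "2021 Nov 16 11:41:05.000 : unrelated constructed message",
]

if __name__ == "__main__":
    for queue, stats in summarize(SAMPLE).items():
        print(queue, stats)
```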
Configuring CPU Queuing Lossless
The CPU queue is configured to prevent packet loss by ensuring all BPDU packets are processed without being dropped.
To ensure no BPDU packets are dropped, configure the BPDU CPU queue with a rate of 600 PPS and set it to lossless with the no-monitor option.
R1#configure terminal
R1(config)#cpu-queue bpdu rate 600 lossless no-monitor
R1(config)#exit
Validation
Confirm the configurations with the following commands:
R1#show running-config | in cpu
cpu-queue bpdu rate 600 lossless no-monitor
R2#show cpu-queue details
* - Can not configure the parameter
Cpu queue Rate In PPS Monitor Status Lossy Status
Name Configured Default Max Rate Allowed Configured Default Configured Default
=========== ========== ======= ================ =========== ========== =========== ==========
best-effort - 2113 2113 - * no-monitor - * lossy
ipmc-miss - 2113 2113 - * no-monitor - * lossy
l3-miss - 211 211 - * no-monitor - * lossy
sflow - 32000 100000 - monitor - * lossy
bgp - 1500 1500 - monitor - lossless
vrrp - 1024 1024 - monitor - lossless
rip - 500 500 - monitor - lossless
ospf - 2000 2000 - monitor - lossless
dhcp - 100 2048 - no-monitor - lossy
nd - 6000 6000 - monitor - lossless
pim - 4000 4000 - * no-monitor - lossy
arp - 6000 6000 - monitor - lossless
igmp - 4000 4000 - * no-monitor - * lossy
bpdu 600 10000 10000 no-monitor monitor lossless lossless
ccm - 1000 1000 - no-monitor - lossy
bfd - 2000 2000 - no-monitor - lossy
ptp - 1000 1000 - no-monitor - lossy
isis - 500 1000 - monitor - lossless
trill-isis - 1000 1000 - monitor - lossless
acl - 200 1000 - * no-monitor - * lossy
vxlan - 500 500 - monitor - lossy
daivm - 100 500 - no-monitor - lossy
R1#show interface cpu counters rate kbps
Load interval: 30 second
+-------------------+--------------+-------------+--------------+-------------+
| CPU Queue(%) | Rx kbps | Rx pps | Tx kbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
bpdu ( 99%) - - 38.41 599
R1#show interface cpu counters queue-stats
E - Egress, I - Ingress, Q-Size is in bytes
* indicates monitor is active
+-------------+--------------------+--------+-----------------+-------------------+-----------------+-------------------+
| Interface | Queue/Class-map | Q-Size | Tx pkts | Tx bytes | Dropped pkts | Dropped bytes |
+-------------+--------------------+--------+-----------------+-------------------+-----------------+-------------------+
cpu bpdu (E) 320736 21703 1388992 5363326 343240064
Configuring CPU Queuing Lossy
The CPU queue is configured to allow packet loss if the queue exceeds its processing capacity.
To allow BPDU packets to be dropped, configure the BPDU CPU queue with a rate of 500 PPS and set it to lossy with the no-monitor option.
R1#configure terminal
R1(config)#cpu-queue bpdu rate 500 lossy no-monitor
R1(config)#exit
Validation
Confirm the configurations with the following commands:
R1#show running-config | in cpu
cpu-queue bpdu rate 500 lossy no-monitor
R1#show cpu-queue details
* - Can not configure the parameter
Cpu queue Rate In PPS Monitor Status Lossy Status
Name Configured Default Max Rate Allowed Configured Default Configured Default
=========== ========== ======= ================ =========== ========== =========== ==========
best-effort - 2113 2113 - * no-monitor - * lossy
ipmc-miss - 2113 2113 - * no-monitor - * lossy
l3-miss - 211 211 - * no-monitor - * lossy
sflow - 32000 100000 - monitor - * lossy
bgp - 1500 1500 - monitor - lossless
vrrp - 1024 1024 - monitor - lossless
rip - 500 500 - monitor - lossless
ospf - 2000 2000 - monitor - lossless
dhcp - 100 2048 - no-monitor - lossy
nd - 6000 6000 - monitor - lossless
pim - 4000 4000 - * no-monitor - * lossy
arp - 6000 6000 - monitor - lossless
igmp - 4000 4000 - * no-monitor - * lossy
bpdu 500 10000 10000 no-monitor monitor lossy lossless
ccm - 1000 1000 - no-monitor - lossy
bfd - 2000 2000 - no-monitor - lossy
ptp - 1000 1000 - no-monitor - lossy
isis - 500 1000 - monitor - lossless
trill-isis - 1000 1000 - monitor - lossless
acl - 200 1000 - * no-monitor - * lossy
vxlan - 500 500 - monitor - lossy
daivm - 100 500 - no-monitor - lossy
R1#show interface cpu counters queue-stats
E - Egress, I - Ingress, Q-Size is in bytes
* indicates monitor is active
+-------------+--------------------+--------+-----------------+-------------------+-----------------+-------------------+
| Interface | Queue/Class-map | Q-Size | Tx pkts | Tx bytes | Dropped pkts | Dropped bytes |
+-------------+--------------------+--------+-----------------+-------------------+-----------------+-------------------+
cpu nd (E) 0 17 1998 0 0
cpu bpdu (E) 86320 153802 9843328 39667426 2538702464
R1#show interface cpu counters rate kbps
Load interval: 30 second
+-------------------+--------------+-------------+--------------+-------------+
| CPU Queue(%) | Rx kbps | Rx pps | Tx kbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
bpdu ( 99%) - - 31.97 499
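Because a queue set to no-monitor drops excess packets without generating the operational log, it is useful to audit the show cpu-queue details output for such queues. The following is an added example, not part of the original documentation: it parses that output into effective per-queue settings (configured value if present, otherwise the default) and lists queues that drop silently and queues that deviate from defaults. The function names are hypothetical, the reading of "*" as applying to the column it follows is an assumption, and the sample rows are taken from the lossless validation output on this page with the bpdu columns separated.

```python
def parse_cpu_queue_details(text):
    """Parse `show cpu-queue details` rows into effective per-queue settings."""
    queues = {}
    for line in text.splitlines():
        tok = line.split()
        # Data rows carry integer default and max rates in the 3rd and 4th columns.
        if len(tok) < 8 or not (tok[2].isdigit() and tok[3].isdigit()):
            continue
        fields, locked = [], set()
        for t in tok:
            if t == "*":
                # Assumption: "*" marks the column it follows as not configurable.
                locked.add(len(fields) - 1)
            else:
                fields.append(t)
        if len(fields) != 8:
            continue
        name, c_rate, d_rate, _max, c_mon, d_mon, c_loss, d_loss = fields
        queues[name] = {
            "rate": int(d_rate if c_rate == "-" else c_rate),
            "monitor": (d_mon if c_mon == "-" else c_mon) == "monitor",
            "lossless": (d_loss if c_loss == "-" else c_loss) == "lossless",
            "monitor_fixed": 4 in locked,
            "overridden": any(c != "-" for c in (c_rate, c_mon, c_loss)),
        }
    return queues

def silent_queues(queues):
    """Queues that drop without logging although monitoring could be enabled."""
    return [n for n, q in queues.items()
            if not q["monitor"] and not q["monitor_fixed"]]

def overridden_queues(queues):
    """Queues whose rate, monitor or lossy setting differs from the default."""
    return [n for n, q in queues.items() if q["overridden"]]

# Rows excerpted from the validation output on this page.
SAMPLE = """\
* - Can not configure the parameter
Cpu queue Rate In PPS Monitor Status Lossy Status
best-effort - 2113 2113 - * no-monitor - * lossy
sflow - 32000 100000 - monitor - * lossy
bgp - 1500 1500 - monitor - lossless
dhcp - 100 2048 - no-monitor - lossy
bpdu 600 10000 10000 no-monitor monitor lossless lossless
isis - 500 1000 - monitor - lossless
"""

if __name__ == "__main__":
    q = parse_cpu_queue_details(SAMPLE)
    print("silent:", silent_queues(q))
    print("overridden:", overridden_queues(q))
```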