Hi Jeffrey,

Currently there's no simple option to show which packets are dropped or see which actual match statement is causing drops. There's an enhancement request filed already for doing SPAN of CoPP drops though.

You can try one of the following options:

1) Create a copy of the default copp policy with the 'copp copy profile' command and spread the match statements so you have one per class, then apply the new policy. See the CoPP config guide below.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter_011001.html

2) Do an ethanalyzer capture to see what packets are arriving at the CPU. Although this will not show the dropped packets, obviously, it might give you an indication of which packets are coming in at a high rate; for example, if you see a high amount of ARP packets, most likely the drops are due to "match protocol arp".

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.html
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps11541/white_paper_c11-673817_ps9670_Products_White_Paper.html

Best regards,
Andras

On Fri, Jan 4, 2013 at 6:19 PM, Jeffrey G. Fitzwater <[email protected]> wrote:

> nexus 7k with sup-1 5.2
>
> How can I tell which MATCH statement within a CLASS-MAP is causing CoPP
> drops shown in example below?
>
> Here are the two I am concerned with. The CoPP stats were cleared 10 min
> prior to this output.
>
> ----------------------
> class-map copp-system-class-normal (match-any)
>   match access-group name copp-system-acl-dhcp
>   match access-group name copp-system-acl-mac-dot1x
>   match redirect dhcp-snoop
>   match protocol arp
>   set cos 1
>   police cir 680 kbps , bc 250 ms
>   module 1 :
>     conformed 4741991 bytes; action: transmit
>     violated 235956 bytes; action: drop
>
> class-map copp-system-class-l2-default (match-any)
>   match access-group name copp-system-acl-mac-undesirable
>   match protocol mpls
>   police cir 100 kbps , bc 250 ms
>   module 1 :
>     conformed 1038344 bytes; action: transmit
>     violated 1333130 bytes; action: drop
> ----------------------
>
> Thanks for any help;
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
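
Added example, not written by either poster: a Python sketch that parses per-class CoPP counters in the form quoted in the question, ranks the classes by share of bytes dropped, and compares the average offered rate over the 10-minute window with each class's CIR. The function names and the re-indented sample text are assumptions of this example.

```python
import re

# Constructed input: the two classes quoted in the thread, one statement per line.
SAMPLE = """\
class-map copp-system-class-normal (match-any)
  match access-group name copp-system-acl-dhcp
  match access-group name copp-system-acl-mac-dot1x
  match redirect dhcp-snoop
  match protocol arp
  set cos 1
  police cir 680 kbps , bc 250 ms
  module 1 :
    conformed 4741991 bytes; action: transmit
    violated 235956 bytes; action: drop
class-map copp-system-class-l2-default (match-any)
  match access-group name copp-system-acl-mac-undesirable
  match protocol mpls
  police cir 100 kbps , bc 250 ms
  module 1 :
    conformed 1038344 bytes; action: transmit
    violated 1333130 bytes; action: drop
"""

def parse_copp(text):
    """Per class: match statements, CIR in kbps, conformed/violated bytes summed over modules."""
    classes, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"class-map (\S+)", line):
            cur = classes[m[1]] = {"matches": [], "cir_kbps": None, "conformed": 0, "violated": 0}
        elif cur is None:
            continue  # ignore anything before the first class-map line
        elif line.startswith("match "):
            cur["matches"].append(line[len("match "):])
        elif m := re.match(r"police cir (\d+) kbps", line):
            cur["cir_kbps"] = int(m[1])
        elif m := re.match(r"(conformed|violated) (\d+) bytes", line):
            cur[m[1]] += int(m[2])
    return classes

def drop_report(classes, seconds):
    """Rows of (class, % of bytes dropped, average offered kbps, CIR kbps, matches), worst first."""
    rows = []
    for name, c in classes.items():
        total = c["conformed"] + c["violated"]
        pct = round(100 * c["violated"] / total, 1) if total else 0.0
        rows.append((name, pct, round(total * 8 / seconds / 1000, 1), c["cir_kbps"], c["matches"]))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    # seconds=600: the counters were cleared 10 minutes before the output was taken
    print(*drop_report(parse_copp(SAMPLE), seconds=600), sep="\n")
```

An average offered rate well below the CIR, as in both classes here, means the violations came from bursts rather than a steady load. The counters are still per class, so attributing drops to a single match statement needs the one-match-per-class policy or the ethanalyzer capture suggested in the reply.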
