Cisco Bug: CSCut14246 - F2/F3: Label mis-programming occurs when ACL / CoPP applied

Last Modified

Feb 11, 2018

Products (8)

  • Cisco Nexus 7000 Series Switches
  • Cisco Nexus 7000 10-Slot Switch
  • Cisco Nexus 7000 4-Slot Switch
  • Cisco Nexus 7700 6-Slot Switch
  • Cisco Nexus 7700 18-Slot Switch
  • Cisco Nexus 7000 18-Slot Switch
  • Cisco Nexus 7700 10-Slot Switch
  • Cisco Nexus 7000 9-Slot Switch

Known Affected Releases

6.2(10)S102 6.2(12)

Description (partial)

Symptom:
The access-list label gets mis-programmed in hardware. As a result, the following symptoms are observed:
- After changing CoPP profiles, ports in a non-default VDC may no longer have the CoPP policy applied. These ports will have no CoPP protection enabled.
- When an access-list is modified and re-applied on a VLAN, it may get applied to other, unrelated VLANs. As a result, valid traffic gets dropped.

Conditions:
The issue applies to F2x or F3 modules.

In a multiple-VDC setup where the CoPP profile configuration is changed, the policy classes may show no conform or violate counts at all. This is caused by a label mismatch between the CoPP ACL and the interface programming.

switch-a# show policy-map interface control-plane module 2 class copp-system-p-class-monitoring
Control Plane
  service-policy input copp-system-p-policy-lenient

    class-map copp-system-p-class-monitoring (match-any)
      match access-group name copp-system-p-acl-icmp
      match access-group name copp-system-p-acl-icmp6
      match access-group name copp-system-p-acl-mpls-oam
      match access-group name copp-system-p-acl-traceroute
      match access-group name copp-system-p-acl-http-response
      match access-group name copp-system-p-acl-smtp-response
      match access-group name copp-system-p-acl-http6-response
      match access-group name copp-system-p-acl-smtp6-response
      set cos 1
      police cir 130 kbps bc 1500 ms 
        conform action: transmit 
        violate action: drop 
      module 2:
        conformed 0 bytes,
          5-min offered rate 0 bytes/sec
          peak rate 0 bytes/sec
        violated 0 bytes,
          5-min violate rate 0 bytes/sec
          peak rate 0 bytes/sec
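As an added defender-side check (not part of the Cisco bug page), the Python below parses `show policy-map interface control-plane` output in the layout shown above and lists the classes whose conformed and violated byte counters are zero on every module reported, which is the signature the conditions describe. The sample output is constructed for illustration; zero counters can also simply mean no matching traffic, so a flagged class is a prompt to verify the CoPP programming, not proof of the bug.

```python
import re

# Constructed sample modelled on the page's output: one class with live
# counters and one whose counters are all zero on module 2.
SAMPLE_OUTPUT = """\
Control Plane
  service-policy input copp-system-p-policy-lenient
    class-map copp-system-p-class-critical (match-any)
      match access-group name copp-system-p-acl-bgp
      police cir 36000 kbps bc 250 ms
        conform action: transmit
        violate action: drop
      module 2:
        conformed 123456 bytes,
        violated 48 bytes,
    class-map copp-system-p-class-monitoring (match-any)
      match access-group name copp-system-p-acl-icmp
      police cir 130 kbps bc 1500 ms
        conform action: transmit
        violate action: drop
      module 2:
        conformed 0 bytes,
        violated 0 bytes,
"""

CLASS_RE = re.compile(r"^\s*class-map (\S+)")
MODULE_RE = re.compile(r"^\s*module (\d+):")
COUNTER_RE = re.compile(r"^\s*(conformed|violated) (\d+) bytes")

def parse_copp_counters(output):
    """Return {class_name: {module: {"conformed": n, "violated": n}}}."""
    counters, cls, mod = {}, None, None
    for line in output.splitlines():
        if m := CLASS_RE.match(line):
            cls, mod = m.group(1), None        # new class: forget previous module
            counters.setdefault(cls, {})
        elif (m := MODULE_RE.match(line)) and cls is not None:
            mod = int(m.group(1))
            counters[cls][mod] = {"conformed": 0, "violated": 0}
        elif (m := COUNTER_RE.match(line)) and mod is not None:
            counters[cls][mod][m.group(1)] = int(m.group(2))
    return counters

def idle_classes(counters):
    """Classes with zero conformed and violated bytes on every reported module:
    the signature noted above (also true when nothing matches, so confirm)."""
    return sorted(c for c, mods in counters.items() if mods and all(
        v["conformed"] == 0 and v["violated"] == 0 for v in mods.values()))
```

Run the check against the same command output before and after a CoPP profile change; a class that had traffic before and reports all zeros afterwards is the case worth escalating.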