Cisco Bug: CSCvs62003 - In Polaris COPP, ARP traffic should use "system-cpp-police-data"

Last Modified

Jan 24, 2020

Products (1)

  • Cisco IOS

Known Affected Releases

16.9.3

Description (partial)

Symptom:
In the COPP Policy present in Polaris, we have a class specifically for ARP traffic.
Switch#sh platform software qos copp class-info
ACL representable classmap filters are displayed:
class-map match-any system-cpp-police-data
   description ICMP_GEN and BROADCAST
   match access-group name system-cpp-mac-match-police-data
    mac access-list extended system-cpp-mac-match-police-data
      permit any host FFFF.FFFF.FFFF
      permit any any arp arp-reply
      permit any any arp arp-request
This shows that any broadcast or ARP packet should go to the "system-cpp-police-data" class.
However, it always falls in the "system-cpp-police-forus" class:

The ARP traffic should go to the "system-cpp-police-data" class instead of the "system-cpp-police-forus" class.
This causes problems during ARP poisoning: the ARP flood consumes the "system-cpp-police-forus" policer, so all other control traffic punted to the CPU (which also takes "system-cpp-police-forus") is dropped as well.

Conditions:
When there is a lot of ARP traffic being sent to the switch (ARP poisoning).
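As an added example (not from Cisco or this bug record), the following Python check parses the class-info output quoted above to find which COPP class is expected to police ARP, then flags any other class whose policer drop counter climbs during an ARP storm, which is the misclassification this bug describes. The drop-delta dictionary is constructed; collecting the live per-class counters from the switch is left to the operator.

```python
# Constructed sample: the class-info output quoted in the bug report.
# Only the class and ACL entries shown on the page are included.
CLASS_INFO = """\
ACL representable classmap filters are displayed:
class-map match-any system-cpp-police-data
   description ICMP_GEN and BROADCAST
   match access-group name system-cpp-mac-match-police-data
    mac access-list extended system-cpp-mac-match-police-data
      permit any host FFFF.FFFF.FFFF
      permit any any arp arp-reply
      permit any any arp arp-request
"""

# Constructed per-class policer drop deltas as they might be observed during
# an ARP flood; not a parsed device output. Drops land in the forus class
# although the ACL above says ARP belongs to the data class.
DROP_DELTAS = {
    "system-cpp-police-data": 12,
    "system-cpp-police-forus": 48210,
}


def parse_class_info(text):
    """Map class-map name -> list of (acl_name, ace) from the class-info output."""
    classes, cls, acl = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("class-map "):
            cls, acl = s.split()[-1], None
            classes[cls] = []
        elif " access-list extended " in s:
            acl = s.split()[-1]
        elif s.startswith("permit ") and cls and acl:
            classes[cls].append((acl, s))
    return classes


def classes_matching(classes, keyword):
    """Class-maps whose ACL entries carry `keyword` as a token (e.g. 'arp')."""
    return sorted(c for c, aces in classes.items()
                  if any(keyword in ace.split() for _, ace in aces))


def misclassified_drops(expected, drop_deltas, threshold=1000):
    """Classes other than `expected` whose drops grew by more than `threshold`.
    A non-empty result means the storm is being policed in the wrong class."""
    return sorted(c for c, d in drop_deltas.items()
                  if c not in expected and d > threshold)


if __name__ == "__main__":
    arp_classes = classes_matching(parse_class_info(CLASS_INFO), "arp")
    print("ARP expected in:", arp_classes)
    print("drops seen elsewhere:", misclassified_drops(set(arp_classes), DROP_DELTAS))
```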