Troubleshooting Cisco Nexus 9000 Series NX-OS Troubleshooting Guide, Release 10.4(x) - Packet Flow Issue

Chapter:

Packet Flow Issues Overview

On Cisco Nexus switches, packets might get dropped by either the software or hardware. Two common reasons are:

1. Control Plane Policing (CoPP): Software-switched packets can be dropped if CoPP is limiting traffic.
2. Bandwidth Limitations: Hardware-switched packets might be dropped if they exceed a configured rate limit.

Starting with Cisco NX-OS Release 10.3(1)F, the following commands can help troubleshoot packet drops on Cisco Nexus 9300 and 9500 Cloud Scale switches:

• show hardware internal statistics module-all all – Displays statistics for all active modules.
• show hardware internal statistics module <module-no> all – Displays statistics for a specific active module from the supervisor.

Verifying Packet Drops Due to Rate Limits

1. Command:

show hardware rate-limit module <module-number>

2. Purpose:

This command checks if the hardware is dropping packets due to rate limits.

3. Example Output:

switch(config)# show hardware rate-limit module 1

Units for Config: packets per second
Allowed, Dropped & Total: aggregated since last clear counters

Rate Limiter Class                       Parameters
------------------------------------------------------------
access-list-log                         Config    : 100
                                        Allowed   : 0
                                        Dropped   : 0
                                        Total     : 0

• Config (100 pps): The permitted rate for access-list-log traffic is 100 packets per second.
• Allowed/Dropped/Total: Shows how many packets have been allowed or dropped since the last clear. In this example, no packets have been allowed or dropped.
• Non-zero drops indicate traffic is exceeding a configured rate limit and is being dropped by the hardware.

Verifying Packet Drops Due to CoPP

1. Command:

show policy-map interface control-plane

2. Purpose:

This command checks if CoPP is dropping traffic destined for the control plane (software-switched packets).

3. Example Output:

switch# show policy-map interface control-plane
   class-map copp-system-p-class-exception (match-any)
      match exception ip option
      match exception ip icmp unreachable
      match exception ttl-failure
      match exception ipv6 option
      match exception ipv6 icmp unreachable
      match exception mtu-failure
      set cos 1
      police cir 200 pps , bc 32 packets
      
      module 27 :
        transmitted 0 packets;
        dropped 0 packets;

      module 28 :
        transmitted 0 packets;
        dropped 0 packets;

• class-map copp-system-p-class-exception: Matches specific exception traffic (e.g., TTL failures, ICMP unreachable messages).
• police cir 200 pps: The policing rate is set to 200 packets per second. Exceeding this limit may cause packet drops.
• transmitted/dropped: Shows how many packets were successfully forwarded vs. dropped.
• Non-zero drops indicate that CoPP policing is limiting control-plane traffic.