
C9300 - CoPP - Class map for SSH in system-cpp-policy

Endy00000
Level 1

Hello,

I'm not sure why SSH is still being passed to the control plane. We have some automation issues we're trying to work out, but I'm trying to incorporate a temporary solution.

The goal here is to limit the amount of SSH traffic. It appears that SSH traffic is causing the CPU to spike to 80-100% quite frequently, even with the following CoPP provisioning in place.

What could I have missed? Why does the policy map not show SSH conformed traffic?

Model: C9300-48U
Version: 17.09.03

## show ip access-lists SSH-ACL
Extended IP access list SSH-ACL
10 permit tcp any any eq 22
20 permit tcp any eq 22 any established

## show class-map SSH-Class
Class Map match-any SSH-Class (id 24)
Match access-group name SSH-ACL

## show policy-map control-plane input
Control Plane
Service-policy input: system-cpp-policy

Class-map: SSH-Class (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name SSH-ACL
police:
rate 500 pps, burst 122 packets
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop


# Here is just a quick snapshot
# show processes cpu sorted | exclude 0.00
CPU utilization for five seconds: 62%/3%; one minute: 26%; five minutes: 15%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
617 8285 9170 903 85.59% 8.79% 2.48% 2 SSH Process

#show processes cpu history

[Three ASCII graphs from the switch, spacing lost in extraction: CPU% per second (last 60 seconds), CPU% per minute (last 60 minutes) and CPU% per hour (last 72 hours), with * = maximum CPU% and # = average CPU%. Per-second values reach the 90s, and the per-minute and per-hour maxima repeatedly reach 100% while the averages stay mostly in the 10-40% band.]





8 Replies

balaji.bandi
Hall of Fame

What IOS XE code are you running? Try to upgrade to 17.3.6 or above.

I used the below for testing: I can see SSH traffic hitting the ACL and I can see the effect:


Step 1 : Access list

ip access-list extended SSH
permit tcp any any eq 22

Step 2 : Class Map

class-map match-all CM-SSH
match access-group name SSH

Step 3 : Policy Map

policy-map PM-COPP
class CM-SSH
police 50000 conform-action transmit exceed-action transmit
class class-default
police 12000 conform-action transmit exceed-action transmit

Step 4: Apply the CoPP policy

control-plane
service-policy input PM-COPP

BB


Hello,

Odd. Can you try if the below works?

class-map match-any SSH_TRAFFIC
match protocol ssh
!
policy-map SYSTEM-CPP-POLICY
!
class SSH_TRAFFIC
police 8000 1500 3000 conform-action transmit exceed-action drop
!
control-plane
service-policy input SYSTEM-CPP-POLICY

Endy00000
Level 1

Hey Georg,

Yeah, it is a bit odd. I attempted your suggestion.

For some reason, the class map will not associate to the policy map. I'm not sure why.

Sorry, I see it now.

MHM

20 permit tcp any eq 22 any established <<- no need for established; this is not a directional ACL that needs the ACL to work from one direction.
Remove the established and check again.

MHM (accepted solution)

Endy00000
Level 1

It's working now!

I may need to fine tune the exceed traffic.

Class-map: SSH-Class (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name SSH-ACL
police:
rate 8000 bps, burst 1500 bytes
conformed 86622 bytes; actions:
transmit
exceeded 87238 bytes; actions:
drop
conformed 7000 bps, exceeded 8000 bps
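
To check these two outputs without reading them by eye (the zero-counter policy map from the question and the working one just above), here is an added Python example; it is not code from this thread or from Cisco. It parses `show ip access-lists` and `show policy-map control-plane input` text, flags an `established` ACE in a CoPP ACL (the cause MHM identified) and reports the per-class policer drop ratio from the policer counters rather than from the class-map packet line, which stayed at "0 packets" in the thread even once the policer was counting. The sample outputs are copied from this thread; the function names, the 25% drop-ratio threshold and the regexes (which only cover the output shapes seen here) are my own assumptions.

```python
"""Added example: audit Catalyst 9300 CoPP show output for the two issues in
this thread. Not Cisco code; regexes match only the output shapes shown here."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample output copied from the thread (before and after removing the
# `established` ACE). Leading whitespace is irrelevant to the parser.
ACL_BEFORE = """\
Extended IP access list SSH-ACL
    10 permit tcp any any eq 22
    20 permit tcp any eq 22 any established
"""
ACL_AFTER = """\
Extended IP access list SSH-ACL
    10 permit tcp any any eq 22
"""
POLICY_BEFORE = """\
Control Plane
Service-policy input: system-cpp-policy
  Class-map: SSH-Class (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: access-group name SSH-ACL
    police:
      rate 500 pps, burst 122 packets
      conformed 0 bytes; actions:
        transmit
      exceeded 0 bytes; actions:
        drop
"""
POLICY_AFTER = """\
  Class-map: SSH-Class (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: access-group name SSH-ACL
    police:
      rate 8000 bps, burst 1500 bytes
      conformed 86622 bytes; actions:
        transmit
      exceeded 87238 bytes; actions:
        drop
      conformed 7000 bps, exceeded 8000 bps
"""


@dataclass
class ClassStats:
    name: str
    rate: str = ""
    conformed_bytes: int = 0
    exceeded_bytes: int = 0

    @property
    def drop_ratio(self) -> float:
        """Share of policed bytes that hit the exceed action (drop here)."""
        total = self.conformed_bytes + self.exceeded_bytes
        return self.exceeded_bytes / total if total else 0.0


def parse_acl(text: str) -> dict[str, list[str]]:
    """Map ACL name -> list of ACE strings such as '10 permit tcp any any eq 22'."""
    acls: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Extended IP access list (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and re.match(r"\d+ (permit|deny) ", line):
            acls[current].append(line)
    return acls


def parse_policy_map(text: str) -> list[ClassStats]:
    """Pull the policer rate and conformed/exceeded byte counters per class.
    The 'N packets, N bytes' class line is deliberately ignored: in the thread
    it stayed at 0 while the policer counters were the ones moving."""
    classes: list[ClassStats] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Class-map: (\S+)", line)
        if m:
            cur = ClassStats(m.group(1))
            classes.append(cur)
            continue
        if cur is None:
            continue
        if m := re.match(r"rate (.+?), burst", line):
            cur.rate = m.group(1)
        elif m := re.match(r"conformed (\d+) bytes", line):
            cur.conformed_bytes = int(m.group(1))
        elif m := re.match(r"exceeded (\d+) bytes", line):
            cur.exceeded_bytes = int(m.group(1))
    return classes


def audit_copp(acl_text: str, policy_text: str, drop_threshold: float = 0.25) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag.
    drop_threshold is an assumed tuning value, not a Cisco recommendation."""
    findings: list[str] = []
    for name, aces in parse_acl(acl_text).items():
        for ace in aces:
            if re.search(r"\bestablished\b", ace):
                findings.append(f"ACL {name}: '{ace}' uses 'established'; remove it, "
                                "it is not needed for CoPP classification")
    for cls in parse_policy_map(policy_text):
        if cls.conformed_bytes == 0 and cls.exceeded_bytes == 0:
            findings.append(f"class {cls.name}: policer has seen no traffic; "
                            "check the ACL and class match")
        elif cls.drop_ratio >= drop_threshold:
            findings.append(f"class {cls.name}: policing at {cls.rate} drops "
                            f"{cls.drop_ratio:.0%} of matched bytes; retune or find the source")
    return findings


if __name__ == "__main__":
    for label, acl, pol in (("before", ACL_BEFORE, POLICY_BEFORE),
                            ("after", ACL_AFTER, POLICY_AFTER)):
        print(label)
        for finding in audit_copp(acl, pol):
            print("  -", finding)
```

Run as a script it prints the `established` and "no traffic" findings for the first pair of outputs and, for the working pair, only the drop-ratio finding (about half of the matched SSH bytes are being dropped at 8000 bps), which is the "fine tune the exceed traffic" question in numbers. Paste real `show` output into the two constants, or read it from files, to use it on another switch.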

You are welcome

But can I ask something

Is this SSH high when you try to access the SW, or when the SW uses SSH for some service?

Thanks 

MHM

SSH traffic is caused by DNAC. We don't quite know why DNAC is creating multiple SSH connections and running a sync so much. Could be bug related.