Mirror buffer drop packets

This chapter details the mirror buffer drop packets feature, which captures and mirrors packets dropped by a router's Traffic Management (TM) buffer due to overflow, specifically exact or statistical metering. It enables analysis of these dropped packets, offering benefits like data preservation, control plane stability, and failover assurance.

Mirror buffer drop packets

Mirroring buffer drop packets is a network monitoring feature that

  • captures packets dropped by a router due to buffer overflow, and

  • sends these packets to a monitoring system for analysis.

Table 1. Feature History Table

Feature Name

Release Information

Description

Mirroring buffer drop packets

Release 25.2.1

Introduced in this release on: Centralized Systems (8400 [ASIC:K100]) )(select variants only*)

This feature mirrors packets dropped by the Traffic Management (TM) buffer when it is full and starts dropping incoming packets so that the mirrored copy of the dropped packets can be retained and stored.

*This feature is now supported on Cisco 8404-SYS-D routers.

Mirroring buffer drop packets

Release 25.1.1

Introduced in this release on: Fixed Systems ( 8010 [ASIC: A100])

This feature is now supported on:

  • 8011-4G24Y4H-I

Mirroring buffer drop packets

Release 24.4.1

Introduced in this release on: Fixed Systems(8200, 8700)(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*).

This feature which mirrors packets dropped by the Traffic Management (TM) buffer when it is full and starts dropping incoming packets so that the mirrored copy of the dropped packets can be retained and stored is now supported on the following hardware.

*This feature is now supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 88-LC1-36EH

Mirroring buffer drop packets

Release 24.2.11

The SPAN-to-file and ERSPAN mirroring capability is enhanced to mirror dropped packets by the Traffic Management (TM) buffer when it's full and starts dropping incoming packets. This capability allows you to retain and store a mirrored copy of the dropped packets, and work effectively even during process restarts or network failovers, providing a dependable solution for traffic monitoring.

This feature is supported only on Cisco Silicon One P100- and Q200-based routers.

This feature introduces the following changes:

Packet drop scenarios

Traffic Management (TM) buffer drops typically occur due to network congestion. The TM buffer temporarily stores packets for processing, but if the buffer becomes full, it cannot accommodate additional packets and starts discarding or dropping them. This situation arises when incoming packets arrive faster than the buffer can process them.

With enhanced SPAN to file and ERSPAN mirroring capabilities, the router retains a mirrored copy of these dropped packets for analysis.

This feature covers the following packet drop scenarios:

  • Exact Meter Drops: When the incoming traffic on an interface exceeds the rate enforced by a configured policer, the router drops excess packets. These drops are reported as PACKET_GOT_DROPPED_DUE_TO_EXACT_METER (displayed as TM_EXACT_METER_DROP).

  • Statistical Meter Drops or Mirror Buffer Drop Packets: When traffic is sent at 100% line rate to an ingress interface under a regular SPAN-to-File configuration, the router may drop packets due to statistical metering. These drops are reported as PACKET_GOT_DROPPED_DUE_TO_STATISTICAL_METER (Displayed as TM_STATISTICAL_METER_DROP).

Benefits of mirroring buffer drop packets

These are the benefits of mirroring buffer drop packets:

  • Data Preservation: During process restarts, while new packet logging is paused, all previously collected data remains intact, ensuring no critical diagnostic information is lost.

  • Control Plane Stability: The operation of this feature remains unaffected by restarts of any control plane process, allowing for uninterrupted traffic analysis.

  • Failover Assurance: For interfaces not located on the Route Processor (RP), this feature ensures a seamless failover experience. Traffic mirroring and packet capture proceed without disruption, even amidst hardware changes or network reconfigurations, safeguarding continuous network analysis.

Guidelines for mirroring buffer drop packets

These guidelines apply to mirroring buffer drop packets:

  • SPAN to File Buffer drop is a global configuration, not specific to any interface.

  • Mirroring of buffer drop packets is supported only on the ingress interface.

  • Only the packets dropped by the reasons TM_EXACT_METER_DROP and TM_STATISTICAL_METER_DROP are mirrored.

  • Maximum of one drop session with destination as Span to File and one drop session with destination as ERSPAN can be configured globally per router.

  • From Release 24.2.11, one forward-drop session and one TM buffer drop session are supported for file and GRE tunnel interface destinations.

  • For ERSPAN sessions that monitor buffer drop packets, a default value of 0 is used for the encapsulation traffic class, irrespective of the DSCP value assigned for the tunnel.

  • ERSPAN counters are not updated for buffer drop packets.

Configure buffer drop packets mirroring for SPAN to file

Perform the these steps on the router to configure a global session for mirroring buffer drop packets for SPAN to file destination:

Procedure

Step 1

Configure a traffic mirroring session and specify the destination as file.

Example:


Router(config)# monitor-session S2F_sessnethernet
Router(config-mon)# destination file
Router(config-mon)# exit

Step 2

Attach SPAN to file monitor session to the interface.

Example:

Router(config)# interface HundredGigE0/0/0/0 
Router(config-if)# monitor-session S2F_sessnethernet direction rx-only
Router(config-if-mon)# exit

Step 3

Create a global monitor session for TM drop packets and enable the TM buffer drop feature for SPAN to file destination.

Example:


Router(config)# monitor-session mon1 ethernet
Router(config-mon)# destination file
Router(config-mon)# drops traffic-management rx
Router(config-mon)# commit

Step 4

Configure a policer on the ingress interface and send the traffic at a line rate faster than the policer. The router drops the packets with the reason PACKET_GOT_DROPPED_DUE_TO_EXACT_METER (displayed as TM_EXACT_METER_DROP).

Example:

Router(config)# class-map match-any dscp1
Router(config-cmap)# match dscp ipv4 1
Router(config-cmap)# end-class-map
Router(config)# policy-map test-police-1R2C
Router(config-pmap)# class dscp1
Router(config-pmap-c)# police rate 100 mbps
Router(config-pmap-c-police)# exit
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# police rate 100 mbps
Router(config-pmap-c-police)# exit
Router(config-pmap-c)# end-policy-map
Router(config)# interface HundredGigE0/0/0/0
Router(config-if)# service-policy input test-police-1R2C
Router(config-if)# commit

Step 5

Configure a regular SPAN to file on the ingress interface and send the traffic at 100% line rate. The router drops the packets with the reason PACKET_GOT_DROPPED_DUE_TO_STATISTICAL_METER (Displayed as: TM_STATISTICAL_METER_DROP).

Step 6

Verify the buffer drop packets are mirrored using the show monitor-session status command.

Example:

Router# show controllers npu stats traps-all instance all location 0/RP0/CPU0
Trap Type                                 NPU  Trap  Punt       Punt  Punt  Punt Configured Hardware   Policer Avg-Pkt Packets              Packets
                                          ID   ID    Dest       VoQ   VLAN  TC   Rate(pps)  Rate(pps)  Level   Size    Accepted             Dropped
====================================================================================================================================================================
TM_EXACT_METER_DROP                      0    256  RPLC_CPU    208   1538  0    542          523    NPU     N/A     25              18167604
TM_STATISTICAL_METER_DROP                0    257  RPLC_CPU    208   1538  0    542          523    NPU     N/A     31143           18167604  

Router# show spp node-counters location all | i SPAN
SPAN to File: 55724
SPAN drop: 31168

The Packets Accepted counter of the statistical meter dropped packets and exact meter dropped packets in show controllers npu stats traps-all should match the "SPAN drop" counter in show spp node-counters within an acceptable range. This is because the statistics displayed are not updated in real-time; they refresh every 30 seconds from the hardware.

Configure buffer drop packets mirroring for ERSPAN

Perform these steps on the router to configure a global session for mirroring buffer drop packets for SPAN to file destination:

Procedure

Step 1

Configure the tunnel mode.

Example:


Router(config)# interface tunnel-ip2
Router(config-if)# tunnel mode gre ipv4

Step 2

Configure the tunnel source.

Example:

Router(config-if)# tunnel source 10.10.10.10

Step 3

Configure the tunnel destination.

Example:


Router(config-if)# tunnel destination 192.0.2.1
Router(config-if) exit

Step 4

Configure a traffic mirroring session.

Example:


Router(config)# monitor-session mon2 ethernet

Step 5

Associate a destination interface with the traffic mirroring session.

Example:

Router(config-mon)# destination interface tunnel-ip2

Step 6

Configure the TM buffer drop session and save the changes.

Example:


Router(config-mon)# drops traffic-management rx 
Router(config-mon)# commit

Step 7

Configure a policer on the ingress interface and send the traffic at a line rate faster than the policer. The router drops the packets with the reason PACKET_GOT_DROPPED_DUE_TO_EXACT_METER (displayed as TM_EXACT_METER_DROP).

Example:

Router(config)# class-map match-any dscp1
Router(config-cmap)# match dscp ipv4 1
Router(config-cmap)# end-class-map
Router(config)# policy-map test-police-1R2C
Router(config-pmap)# class dscp1
Router(config-pmap-c)# police rate 100 mbps
Router(config-pmap-c-police)# exit
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# police rate 100 mbps
Router(config-pmap-c-police)# exit
Router(config-pmap-c)# end-policy-map
Router(config)# interface HundredGigE0/0/0/0
Router(config-if)# service-policy input test-police-1R2C
Router(config-if)# commit

Step 8

Configure a regular SPAN to file on the ingress interface and send the traffic at 100% line rate. The router drops the packets with the reason PACKET_GOT_DROPPED_DUE_TO_STATISTICAL_METER (Displayed as: TM_STATISTICAL_METER_DROP).

Step 9

Verify the buffer drop packets are mirrored using the show monitor-session status command.

Example:

Router# show controllers npu stats traps-all instance all location 0/RP0/CPU0
Trap Type                                 NPU  Trap  Punt       Punt  Punt  Punt Configured Hardware   Policer Avg-Pkt Packets              Packets
                                          ID   ID    Dest       VoQ   VLAN  TC   Rate(pps)  Rate(pps)  Level   Size    Accepted             Dropped
====================================================================================================================================================================
TM_EXACT_METER_DROP                      0    256  RPLC_CPU    208   1538  0    542          523    NPU     N/A     25              18167604
TM_STATISTICAL_METER_DROP                0    257  RPLC_CPU    208   1538  0    542          523    NPU     N/A     31143           18167604  

Router# show spp node-counters location all | i SPAN
SPAN to File: 55724
SPAN drop: 31168

The Packets Accepted counter of the statistical meter dropped packets and exact meter dropped packets in show controllers npu stats traps-all should match the SPAN drop counter in show spp node-counters within an acceptable range. This is because the statistics displayed are not updated in real-time; they refresh every 30 seconds from the hardware.