Rate limits can prevent redirected packets for exceptions from overwhelming the supervisor module on a Cisco NX-OS device.

You can configure rate limits for the following types of redirected packets:

• Access-list log packets

• Bidirectional Forwarding Detection (BFD) packets

• Catch-all exception traffic

• Fabric Extender (FEX) traffic

• Layer 3 glean packets

• Layer 3 multicast data packets

• SPAN egress traffic

For Cisco Nexus 9200, 9332C, 9364C, 9300-EX, 9300-FX/FXP/FX2/FX3, and 9300-GX platform switches and Cisco Nexus 9500 platform switches with -EX/FX line cards, the CoPP policer rate is kilo bits per second. For other Cisco Nexus 9000 Series switches, the CoPP policer rate is in packets per second; However, it is kilo bits per second for SPAN egress traffic.

Rate limits has the following configuration guidelines and limitations:

• You can set rate limits for supervisor-bound exception and redirected traffic. Use control plane policing (CoPP) for other types of supervisor-bound traffic.

  Note

  Hardware rate-limiters protect the supervisor CPU from excessive inbound traffic. The traffic rate allowed by the hardware rate-limiters is configured globally and applied to each individual I/O module. The resulting allowed rate depends on the number of I/O modules in the system. CoPP provides more granular supervisor CPU protection by utilizing the modular quality-of-service CLI (MQC).

• You can configure a hardware rate-limiter to show statistics for outbound traffic on SPAN egress ports. This rate-limiter is supported on all Cisco Nexus 9000, 9300, and 9500 Series switches, and the Cisco Nexus 3164Q, 31128PQ, 3232C, and 3264Q switches.

• The rate-limiter on egress ports is limited per pipe on the Cisco Nexus 9300 and 9500 Series switches, Cisco Nexus 3164Q, 31128PQ, Cisco Nexus 3232C, and 3264Q switches. The rate-limiter on egress ports is limited per slice on the Cisco Nexus 9200 and 9300-EX Series switches.

• Cisco Nexus 9300 and 9500 Series switches, Cisco Nexus 3164Q, Cisco Nexus 31128PQ, Cisco Nexus 3232C, and Cisco Nexus 3264Q switches support both local and ERSPAN. However, the rate-limiter only applies to ERSPAN. You must configure e-racl ACL TCAM region to enable the rate-limiter on these switches. For more information, see the Configuring ACL TCAM Region Sizes section in the Cisco Nexus 9000 Series NX-OS Security Configuration Guide.

• For Cisco Nexus 9200 and 9300-EX Series switches and the N9K-X9736C-EX, N9K-97160YC-EX, N9K-X9732C-EX, N9K-X9732C-EXM line cards, the SPAN egress rate-limiter applies to both ERSPAN and local SPAN. You do not require special TCAM carving to use the rate-limiter on these devices.

• For Cisco Nexus 92160YC-X, 92304QC, 9272Q, 9232C, 92300YC, 9348GC-FXP, 93108TC-FX, 93180YC-FX Series switches and Cisco Nexus 3232C and Cisco Nexus 3264Q switches, you should not configure both, sFlow and ERSPAN.

• Logging rate-limit is enabled by default. No default configuration is shown up in show running-config and in show running-config all. Use show logging cli to check if rate-limit is enabled. It has a dedicated field to verify if rate-limit is enabled or disabled.

  Once no logging rate-limit config is applied, it appears in the running-config and displayed in show logging output.

• The rate-limit cpu direction {input | output | both} pps packets action log command is not supported on Cisco Nexus 9000 Series switches.

Note	If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

This table lists the default settings for rate limits parameters.

To display the rate limit configuration information, perform the following tasks:

The following example shows how to configure rate limits for packets copied to the supervisor module for access list logging:

switch(config)#	hardware rate-limiter access-list-log 
switch(config)# show hardware rate-limiter access-list-log
Units for Config: kilo bits per second
Allowed, Dropped & Total: aggregated since last clear counters


Module: 4
  R-L Class           Config           Allowed         Dropped            Total
 +------------------+--------+---------------+---------------+-----------------
+
  access-list-log         100               0               0                 0

  Port group with configuration same as default configuration
      Eth4/1-36

Module: 22
  R-L Class           Config           Allowed         Dropped            Total
 +------------------+--------+---------------+---------------+-----------------
+
  access-list-log         100               0               0                 0

  Port group with configuration same as default configuration
      Eth22/1-0

The following example shows how the SPAN egress rate limiter might be in conflict with sFlow:

switch(config)#	hardware rate-limiter span-egress 123
Warning: This span-egress rate-limiter might affect functionality of sFlow
switch(config)# show hardware rate-limiter span-egress
Units for Config: kilo bits per second 
Allowed, Dropped & Total: aggregated since Module: 1
R-L Class         Config            Allowed        Dropped           Total
+----------------+----------+--------------+--------------+----------------+
  L3 glean                 100             0              0               0
  L3 mcast loc-grp        3000             0              0               0
  access-list-log          100             0              0               0
  bfd                    10000             0              0               0
  exception                 50             0              0               0
  fex                     3000             0              0               0
  span                      50             0              0               0
  dpss                    6400             0              0               0
  span-egress              123             0              0               0
<<configured