[c-nsp] Sup720 CoPP, limits on CPU performance
Anton Kapela
tkapela at gmail.com
Thu Mar 25 08:47:17 EDT 2010
On Mar 25, 2010, at 3:59 AM, Gert Doering wrote:
> so this is something that needs to work on customer-facing interfaces, with
> some amount of rate-limiting ("customer can ping with 100 kbit/s, but no
> more"). One interesting side-effect currently is that if customer "A"
> fills the ICMP-ping-untrusted CoPP limit, customer "B" starts complaining
> because they see ping packets to their interface get dropped...

+1 - to the suggestion/implication that this *should* be parallelized, becoming more of a per-interface (svi, subint, port, port-channel subint, pos, pos-channel, (gre, te) tunnel, etc) rate-limiter versus a global, single-bucket rate-limiter. Perhaps the microflow policing concept (or something like it) could be repurposed here.

>> If that's what you want..wanna help me push for it? ;)
>
> If we can refine that a bit more, happy to do so.

An auto-built /32 ACL + individual policer per-receive adj address should suffice, speaking in terms of 'implementation' on the box.

-Tk
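
The side effect described in the quoted text and the per-receive-adjacency policer proposed in the reply, as an added simulation (not part of the original message and not Cisco's implementation). Only the 100 kbit/s rate comes from the thread; the packet size, burst, addresses and traffic pattern are assumptions constructed for illustration.

```python
from collections import defaultdict

RATE_BITS_PER_MS = 100    # 100 kbit/s, the ping allowance quoted in the thread
BURST_BITS = 8000         # assumed burst size (10 packets)
PKT_BITS = 800            # assumed 100-byte ICMP echo

class TokenBucket:
    """Single-rate policer using integer millisecond time, so results are exact."""
    def __init__(self):
        self.tokens, self.last = BURST_BITS, 0

    def allow(self, now_ms):
        refill = (now_ms - self.last) * RATE_BITS_PER_MS
        self.tokens = min(BURST_BITS, self.tokens + refill)
        self.last = now_ms
        if self.tokens < PKT_BITS:
            return False          # policer drop
        self.tokens -= PKT_BITS
        return True

def constructed_traffic(duration_ms=10_000):
    """Constructed sample: A pings its gateway every 1 ms, B pings its own once a second."""
    events = [(t, "A", "192.0.2.1") for t in range(duration_ms)]
    events += [(t, "B", "192.0.2.5") for t in range(500, duration_ms, 1000)]
    return sorted(events)

def simulate(per_address):
    """Return {customer: [delivered, sent]} for a shared or a per-/32 policer."""
    shared = TokenBucket()
    buckets = defaultdict(TokenBucket)    # one bucket per receive-adjacency address
    stats = defaultdict(lambda: [0, 0])
    for now_ms, customer, dst in constructed_traffic():
        bucket = buckets[dst] if per_address else shared
        stats[customer][1] += 1
        if bucket.allow(now_ms):
            stats[customer][0] += 1
    return dict(stats)

if __name__ == "__main__":
    for label, mode in (("global bucket", False), ("per-/32 buckets", True)):
        print(label, simulate(mode))
```

In this constructed run customer B's pings always arrive while the shared bucket is drained by customer A, so none are answered; with one bucket per address, A is still held to the same rate and all of B's pings get through.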