[c-nsp] Sup720 CoPP, limits on CPU performance
Saku Ytti
saku at ytti.fi
Thu Mar 25 14:40:21 EDT 2010
On (2010-03-25 13:42 -0400), Tim Durack wrote:
> But it's fixed, right?
> CSCed75920 says:
> Fixed-In
> 12.2(17d)SXB1
> 12.2(18)SXD
>
> (I really want to police all ip at the end of my CoPP policy, and the
> mls glean rate-limiter appears to allow me to do that.)
I tried to reproduce the issue and failed, so it is fixed for about 6 years
I guess. Also the CoPP profile I described in the first reply to OP I've
been running since 2006 on close to 100 boxes without any changes to the
rules, so it definitely is feasible in real-life network to run such
policy.
Policy was tested against 30Mpps DoS (2x10GE) with numerous different
attack vectors, only attack vectors which did work were IS-IS and IXP
attack. During all other attacks IS-IS, LDP and iBGP stayed up and CLI
responsiveness didn't change, only way to see that attack was going on was
to check counters.
--
++ytti
More information about the cisco-nsp
mailing list