[c-nsp] Need help with IPv6 CoPP

"Rolf Hanßen" nsp at rhanssen.de
Mon May 6 08:49:09 EDT 2013


Hello list,

I am trying to configure IPv6 CoPP and could use some help with several
issues.

First of all I need to know how to allow/filter OSPFv3 sessions.
I am filtering with those rules (reduced them to the minimum for testing):

---------------------------------------------------------------------
mls ipv6 acl compress address unicast

policy-map policy-copp-in
  class class-copp-ospf
   police cir 50000000 bc 625000 conform-action transmit exceed-action drop violate-action drop
  class class-copp-icmp
   police cir 50000000 bc 625000 conform-action transmit exceed-action drop violate-action drop
  class class-copp-any-ip
   police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop

class-map match-any class-copp-ospf
  match access-group name acl-copp-ospf

ipv6 access-list acl-copp-ospf
 permit 89 FE80::/10 any
 permit 89 any FE80::/10 (should be obsolete)

class-map match-any class-copp-icmp
  match access-group name acl-copp-icmp

ipv6 access-list acl-copp-icmp
 permit icmp any any

class-map match-any class-copp-any-ip
  match access-group name acl-copp-any-ipv6

ipv6 access-list acl-copp-any-ipv6
 permit ipv6 any any log
---------------------------------------------------------------------

If I apply the policy-map after OSPF changes to FULL, it stays in that
status.
If I apply the map and clear the OSPF process, it flaps all the time between
EXSTART and DOWN:

%OSPFv3-5-ADJCHG: Process 1, Nbr x.x.x.x on Vlan25 from EXSTART to DOWN,
Neighbor Down: Too many retransmits
%OSPFv3-5-ADJCHG: Process 1, Nbr x.x.x.x on Vlan25 from DOWN to DOWN,
Neighbor Down: Ignore timer expired

If I change class-copp-any-ip to conform-action transmit, it works again
and changes to FULL.
Unfortunately, none of the packets matched by "permit ipv6 any any log" are
logged.

I found out that a "permit ipv6 FE80::/10 FE80::/10" (not protocol 89,
must be something else) makes it go to FULL again, but that is not a very
helpful rule to me.

Can somebody tell me what type of packets OSPF sends, or what
additional/replacement ACL can be used?
Can furthermore somebody tell me if there is a way to make that box log
all packets from "log" ACL entries and not only random/software
switched/whatever?



After finding out the above, I added the rules to the previously created
entries.
And it did not work anymore.
Platform is Sup7203B in a 6509. I hoped that Sup2T is able to log
more/better or give me a hint about what goes wrong, and tried it out.

There I got this error:
R2(config-cp)# service-policy input policy-copp-in
QoS: Multiple acl entries cannot be used in match-any in class
class-copp-allowed-important

Is there a way to allow multiple entries, or do I need to build a giant
policy-map and a mass of class-maps (one per ACL)?
Is there maybe a way to bypass the class-map and directly configure the
ACLs?

I then tried to move the "permit ipv6 FE80::/10 FE80::/10" to its own
class-map and it worked (even though no match of that rule is shown).

Does Sup720 also have some "number of entries" limitations (class-maps
per policy, ACLs per class, entries per ACL, maybe total number of
entries) but just gives no error messages (just does not work/match in
such cases)? Or is there maybe some bug I hit?
Both could explain that behaviour imho.

kind regards
Rolf
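Added example, not part of the post above: a small Python model of the three ACLs and the class order in the policy-map, used to check which CoPP class constructed OSPFv3, ICMPv6 and plain unicast packets would land in before a drop-everything-else class goes live. It assumes first-match evaluation in the order the classes appear in the policy-map and that no class-default policer is configured; the sample packets are constructed from RFC 5340 (OSPFv3 uses IP protocol 89 with a link-local source and FF02::5/FF02::6 or a link-local unicast destination).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers: OSPF is 89; the IOS keyword "icmp" in an ipv6 ACL means ICMPv6 (58)
OSPF, ICMPV6, TCP = 89, 58, 6
ANY = ipaddress.ip_network("::/0")
LINK_LOCAL = ipaddress.ip_network("FE80::/10")

@dataclass
class Rule:
    proto: Optional[int]          # None models "permit ipv6" (any next header)
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network

# The three ACLs from the post, keyed by class, in policy-map order (order decides the match)
ACLS = {
    "class-copp-ospf":   [Rule(OSPF, LINK_LOCAL, ANY), Rule(OSPF, ANY, LINK_LOCAL)],
    "class-copp-icmp":   [Rule(ICMPV6, ANY, ANY)],
    "class-copp-any-ip": [Rule(None, ANY, ANY)],
}
# conform-action of each policer as configured in the post
CONFORM = {"class-copp-ospf": "transmit", "class-copp-icmp": "transmit", "class-copp-any-ip": "drop"}

def classify(proto, src, dst):
    """Return (class name, conform action) of the first class whose ACL permits the packet."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for cls, rules in ACLS.items():
        for r in rules:
            if (r.proto is None or r.proto == proto) and s in r.src and d in r.dst:
                return cls, CONFORM[cls]
    return "class-default", "transmit"   # assumption: nothing configured for class-default

# Constructed sample packets as an OSPFv3 neighbour exchange and other control traffic put them on the wire
SAMPLE = [
    ("OSPFv3 Hello to AllSPFRouters",           OSPF,   "fe80::1",     "ff02::5"),
    ("OSPFv3 DBD, link-local unicast (EXSTART)", OSPF,   "fe80::1",     "fe80::2"),
    ("OSPFv3 with a non-link-local source",     OSPF,   "2001:db8::1", "ff02::5"),
    ("ICMPv6 Neighbor Solicitation",            ICMPV6, "fe80::1",     "ff02::1:ff00:2"),
    ("TCP to the box (e.g. BGP or SSH)",        TCP,    "2001:db8::1", "2001:db8::2"),
]

def report():
    """Map each sample packet name to the (class, conform action) it would hit."""
    return {name: classify(p, s, d) for name, p, s, d in SAMPLE}

if __name__ == "__main__":
    for name, (cls, action) in report().items():
        print(f"{name:45} -> {cls:20} {action}")
```

The last two sample rows show the practical risk of a drop-everything class placed last: anything not explicitly permitted earlier, including a TCP session to the router itself, is policed to drop once the policy is applied.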