[c-nsp] CoPP config examples

Saku Ytti saku+cisco-nsp at ytti.fi
Thu Jun 30 14:01:24 EDT 2005


On (2005-06-29 12:48 -0700), matthew zeier wrote:

> I found this:
> http://aharp.ittns.northwestern.edu/papers/copp.html
> and Cisco's doc:
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml
> So I'm set.

 I didn't find enough answers in these URLs. For example, 'protocol clns'
is not supported, at least according to CCO, so how am I supposed to protect
IS-IS?
 How can I differentiate an IS-IS packet from any other non-IP packet a directly
connected customer could send? Some platforms do not even support 'protocol
arp', so I can't even differentiate between an ARP storm and an IS-IS packet.
 And even on the platforms that can differentiate those two, wouldn't IS-IS
packets still occupy the same space as e.g. CDP and any other non-IP packet?
 And if I could protect IS-IS, what if an IS-IS packet is sent to an interface not
running IS-IS? Does that packet still reach the control plane and live in the same
queue as my expected IS-IS packets? (People with the ISO hat on, please
do s/packet/PDU/, thanks.)
 I guess the best option is to actually smartbits what is protected and what is
not, but I expect a lot of other people would like to see CCO answer
these questions.

 Of course, as CoPP is done on the GSR in the LC CPU (like rACL) (as opposed to the
ASIC), it's impossible to protect the network properly without doing iACL/iPolicer,
but CoPP would complement iACL nicely, allowing protection against
attacks inside the AS#, which might be small enough for the LC CPU to handle.
 For the record, some platforms, like the NSE100, do not even support 'protocol
arp', so it quickly feels like any IXP member or customer
misbehaving, even by accident, could kill my IGP by overwhelming the GRP
with an ARP storm. Still, CoPP is a good start.

Thanks,
-- 
  ++ytti
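The kind of CoPP policy the thread is asking about, written here as an added example; it is not taken from the post or from either linked document. It uses IOS class-map/policy-map syntax with a policy applied under `control-plane`. The class names, the policer rates and the addresses (RFC 5737 documentation ranges standing in for a BGP peer and a NOC prefix) are assumed placeholders. Non-IP traffic is the point of the post: IS-IS is not classified here at all, since the post reports that 'protocol clns' is not available, and the 'protocol arp' class is platform-dependent (the post names the NSE100 as lacking it), so IS-IS PDUs, CDP and whatever else is non-IP share class-default with any IP traffic the earlier classes did not catch.

```cisco
! Added example, not from the post: IOS CoPP skeleton for an edge router.
! Addresses are RFC 5737 documentation ranges; rates are placeholders to be
! tuned from the counters in 'show policy-map control-plane'.
!
! Routing: BGP only to/from the configured neighbour, OSPF from anywhere.
ip access-list extended COPP-ROUTING
 permit tcp host 192.0.2.1 eq bgp any
 permit tcp host 192.0.2.1 any eq bgp
 permit ospf any any
!
! Management: SSH and SNMP only from the (assumed) NOC prefix.
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
!
! Traffic the route processor should never need: IP fragments to the box.
ip access-list extended COPP-UNDESIRABLE
 permit ip any any fragments
!
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
!
! Platform-dependent: the post reports that e.g. the NSE100 rejects this
! match, in which case ARP also lands in class-default below.
class-map match-all COPP-ARP
 match protocol arp
!
! Classes are evaluated top-down, so the drop class goes first.
policy-map COPP
 class COPP-UNDESIRABLE
  police 8000 conform-action drop exceed-action drop
 class COPP-ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 250000 conform-action transmit exceed-action drop
 class COPP-ARP
  police 64000 conform-action transmit exceed-action drop
 class class-default
  ! IS-IS PDUs, CDP and any other non-IP frame end up here together with
  ! leftover IP traffic; there is no class to separate them, which is the gap
  ! the post describes. exceed-action transmit only counts for now, so an
  ! ARP or junk storm sharing this class is measured rather than starving
  ! the IGP; tighten once the baseline is known.
  police 500000 conform-action transmit exceed-action transmit
!
control-plane
 service-policy input COPP
```

Verify with `show policy-map control-plane`, which reports per-class conformed and exceeded counters; an IS-IS adjacency that flaps while class-default shows exceeds is the symptom the post is worried about, and on this kind of configuration the only remedies are raising the class-default rate or policing the non-IP traffic elsewhere (iACL/iPolicer on the line card, as the post suggests).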

