[c-nsp] cat6000 control plane policing
Phil Rosenthal
pr at isprime.com
Tue Mar 15 13:53:13 EST 2005
Hi,
On Mar 15, 2005, at 11:33 AM, lee.e.rian at census.gov wrote:
> Is anyone using control plane policing on a cat6000? I'm looking for
> feedback on how good/bad it works as well as feedback in general on
> 12.2(18)SXD3
>
Unfortunately there isn't very clear documentation from Cisco on how
this works. John Kristoff is maintaining a page that has some
information that should help to get you started here:
http://aharp.ittns.northwestern.edu/papers/copp.html
The information is mostly correct, except for a typo about enabling
CoPP, which should read:
mls qos
control-plane
service-policy input control-plane-in
It works pretty well, save for one bug that affects us:
CSCsa50515: TTL=1 unicast may be dropped when mix TTL failure
rate-limit and CoPP
How this affects us in practice:
If you have a default-deny firewall rule which, say for example, blocks
all UDP towards the MSFC with an unknown source, your Cisco will stop
responding to traceroutes going THROUGH it. The workaround is to allow
UDP in the unix traceroute range like this:
access-list 151 permit udp any any range 33434 33523
As well as allowing ICMP (for Windows traceroute).
Keep in mind that tcptraceroute will still break, but there isn't much
of a graceful way to have a default-deny and allow this to work with
the bug.
This is scheduled to be fixed in 12.2(18)SXE.
You may also note that if you have DFCs, the rate limit is per DFC, so
if you rate-limit a flow to 100 kbit, and you have an attack coming in
from 5 DFCs, 500 kbit will come through.
If you have any specific questions, feel free to ask.
--Phil Rosenthal
ISPrime, Inc.
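Putting the pieces from the mail above together, as an added example that is not Phil's configuration or Cisco documentation: a minimal hardware CoPP policy for the cat6000 that leaves the unix traceroute UDP range and ICMP unpoliced (the CSCsa50515 workaround) and polices everything else. The class-map name cp-traceroute, the ICMP entry in ACL 151, and the police rate and burst values are assumptions; only the enabling commands and the UDP range come from the mail.

```cisco
! Enable QoS on the PFC first; CoPP on the cat6000 depends on it
mls qos
!
! Control-plane traffic that must stay unpoliced so that traceroute
! THROUGH the box keeps working despite CSCsa50515:
! unix traceroute UDP probes (from the mail) and ICMP for Windows
! traceroute (ICMP entry is an assumed addition)
access-list 151 permit udp any any range 33434 33523
access-list 151 permit icmp any any
!
! Assumed class name; match-all with a single ACL match
class-map match-all cp-traceroute
 match access-group 151
!
policy-map control-plane-in
 ! No police action on this class: matching traffic is passed as-is
 class cp-traceroute
 ! Everything else headed to the MSFC is policed; rate and burst are
 ! assumed values. Remember the per-DFC caveat: with N DFCs the
 ! aggregate that reaches the MSFC is N x 100 kbit/s, not 100 kbit/s.
 class class-default
  police 100000 3000 conform-action transmit exceed-action drop
!
! Apply the policy to the control plane (the corrected enabling sequence)
control-plane
 service-policy input control-plane-in
```

Verify the policy is actually installed in hardware after applying it, since a class with no police action and a policed class-default behave differently from a plain default-deny ACL; tcptraceroute still breaks, as the mail notes.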