[c-nsp] sup720 CoPP/ratelimiters

Ryan O'Connell ryan at complicity.co.uk
Mon Jan 30 04:38:16 EST 2006


On 30/01/2006 09:02, Ian Dickinson wrote:
> I'm just embarking on some testing of control-plane policing and
> hardware rate-limiters on 7600 (with sup720-3bxl and 67xx modules
> with dfc3bxl).  I've deployed parts of this before with some
> success and I'm looking to tighten things up a level.  Target
> application is mostly BGP edge functionality.
>
> Does anyone have any war stories or best practice they'd be
> willing to share please?  I'm quite certain that I'm bound to
> have missed something along the way.
>   

Three things that have bitten me with CoPP and variations thereof over
the last few years:
1) Not rebooting the router after installing it, then finding you're
stopping OSPF from coming up by dropping it totally. (This was with
Control Plane ACLs on a 12k, rather than policing) Moral of this story:
Always do a full reboot to check it all works.
2) TFTP servers (the Debian one does this) that switch to a port other
than the default after the initial packet, making it cripplingly slow to
upgrade software when it hits your default class.
3) There are some documentation errors on the examples given for the
7600, unless they've been corrected. (Every class must have a police
entry or it's ignored - you can't leave the police entry blank to allow
unlimited traffic as the examples suggest)
4) IPv6 support *seems* to be undocumented (The examples page didn't
give any IPv6 ACLs anyway) but is policed anyway, which might cause you
problems if you're passing production IPv6 traffic and have IPv6
peerings. I've not looked at this one for a while, mostly due to lack of
time for lab testing.
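
Point 2 above, modelled as an added example (not part of the original post, and not Cisco tooling): a first-match classifier standing in for CoPP class maps, run over constructed packets of a TFTP download in which the server replies from a new port. The addresses, ports and the class name copp-tftp are assumptions.

```python
# Added illustration: why a CoPP class that matches only UDP/69 misses the
# bulk of a TFTP transfer. Addresses, ports and class names are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

@dataclass(frozen=True)
class Rule:
    proto: str
    src: Optional[str] = None      # None means "any"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p):
        return (p.proto == self.proto
                and self.src in (None, p.src)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def classify(policy, pkt):
    """First matching class wins; unmatched traffic lands in class-default."""
    for name, rules in policy:
        if any(r.matches(pkt) for r in rules):
            return name
    return "class-default"

def tally(policy, packets):
    """Count packets per class for one policy."""
    counts = {}
    for p in packets:
        c = classify(policy, p)
        counts[c] = counts.get(c, 0) + 1
    return counts

ROUTER, SERVER = "192.0.2.1", "192.0.2.10"
# Data blocks reaching the router's control plane during a download: the
# server answers from a fresh port (49152 here), not from 69.
INBOUND = [Packet(SERVER, 49152, ROUTER, 51000) for _ in range(4)]
PORT_ONLY = [("copp-tftp", [Rule("udp", sport=69), Rule("udp", dport=69)])]
BY_SERVER = [("copp-tftp", [Rule("udp", src=SERVER)])]

if __name__ == "__main__":
    print("port-only :", tally(PORT_ONLY, INBOUND))   # all in class-default
    print("by-server :", tally(BY_SERVER, INBOUND))   # all in copp-tftp
```

Matching on the TFTP server's source address keeps the transfer out of the default class, while UDP from any other host still falls through to it.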

