[c-nsp] sup720 CoPP/ratelimiters
Saku Ytti
saku+cisco-nsp at ytti.fi
Mon Jan 30 05:47:10 EST 2006
On (2006-01-30 09:02 +0000), Ian Dickinson wrote:
> I'm just embarking on some testing of control-plane policing and
> hardware rate-limiters on 7600 (with sup720-3bxl and 67xx modules
> with dfc3bxl). I've deployed parts of this before with some
> success and I'm looking to tighten things up a level. Target
> application is mostly BGP edge functionality.
>
> Does anyone have any war stories or best practice they'd be
> willing to share please? I'm quite certain that I'm bound to
> have missed something along the way.

My main pains about CoPP:

1) no ARP (7600), CLNS matches supported
   - you can't CAR non-matching traffic to 0bps, you'd kill your IS-IS
2) does not accept ACLs that have a log statement (by just ignoring the log)
   - you can't reuse your MGMT/NTP/SNMP ACLs in CoPP, but need to create
     duplicate ACLs without the log statement
3) class-map 'match-all' is not supported from what I can tell. Makes
   it quite hard to have a lean and mean configuration.

     match ip access-list MGMT
     match ip access-list MGMT_PROTOCOLS
   or:
     match ip access-list CORE_LINKS
     match ip access-list LDP
   or:
   now you just need to have single ACLs which have both addresses and
   protocols in one go

This is one area where CSCO has a lot to learn from JNPR. I hope IOS-XR
has a bit more flexible way of doing CoPP.
--
++ytti
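
Added example, not part of the original post or of any Cisco tooling: a small Python generator for the workaround described in points 2 and 3, which strips the log keyword and merges a source-address ACL with a protocol ACL into one log-free ACL for CoPP. The ACL names MGMT and MGMT_PROTOCOLS come from the post; their contents, the name COPP_MGMT and the restriction to simple "permit ip <source> any" and "permit <proto> any any ..." entries are assumptions.

```python
"""Build one log-free CoPP ACL from a source-address ACL and a protocol ACL."""
import re

# Constructed sample ACL bodies (documentation address ranges, not real hosts).
MGMT = """\
permit ip 192.0.2.0 0.0.0.255 any log
permit ip host 198.51.100.10 any
"""
MGMT_PROTOCOLS = """\
permit tcp any any eq 22 log
permit udp any any eq snmp
"""

def strip_log(line):
    """Drop a trailing log / log-input keyword (the post notes CoPP ignores it)."""
    return re.sub(r"\s+log(-input)?\s*$", "", line.strip())

def parse_source(line):
    """Return the source spec of a 'permit ip <source> any' entry."""
    m = re.fullmatch(r"permit ip (host \S+|\S+ \S+) any", strip_log(line))
    if not m:
        raise ValueError(f"unsupported source entry: {line!r}")
    return m.group(1)

def parse_protocol(line):
    """Return (protocol, trailing match) of a 'permit <proto> any any ...' entry."""
    m = re.fullmatch(r"permit (\S+) any any(.*)", strip_log(line))
    if not m:
        raise ValueError(f"unsupported protocol entry: {line!r}")
    return m.group(1), m.group(2)

def combine(name, sources_text, protocols_text):
    """Emit one extended ACL pairing every source with every protocol match."""
    sources = [parse_source(l) for l in sources_text.splitlines() if l.strip()]
    protos = [parse_protocol(l) for l in protocols_text.splitlines() if l.strip()]
    out = [f"ip access-list extended {name}"]
    for src in sources:
        for proto, tail in protos:
            out.append(f" permit {proto} {src} any{tail}")
    return "\n".join(out)

if __name__ == "__main__":
    # COPP_MGMT is a hypothetical name for the duplicate, log-free ACL.
    print(combine("COPP_MGMT", MGMT, MGMT_PROTOCOLS))
```

Entries outside the two simple forms raise ValueError instead of being merged silently, so an ACL line the script does not understand never ends up widening the CoPP match.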