[c-nsp] CoPP
Saku Ytti
saku+cisco-nsp at ytti.fi
Mon Jul 3 01:34:39 EDT 2006
On (2006-07-02 20:58 -0400), Richard A Steenbergen wrote:
> So far the best solution I've come up with is to make my own default class
> which references an acl, and then try every possible combination of packet
> with that ACL to see what makes the counters increment. Is there ANY
> mechanism to just log the damn match so I don't have to go that route? It
> doesn't need to be rate limited or safe for production use, just for
> figuring out if there are any legitimate packets hitting it so I can
> revise CoPP policies.
I believe you're out of luck, 7600 doesn't yet have CoPP logging like
software switching platforms do. Architecturally I don't think there
is anything stopping cisco from doing CoPP logging in 7600 too,
so let's see what the future will bring.
> Question #2, how are isis/clns packets handled with regard to CoPP? I
> already tried matching them in a class-map, and it would not apply, but
> I'm wondering if those packets might be making their way to the default
> class. Also, does:
IS-IS is matched by 'class-default'. How I've played this is:
class CoPP-IP to drop everything IP, after that I have class-default
that will permit the rest, including IS-IS. Combine that with a wise
choice of 'mls rate-limits' and you're pretty safe.
> mls qos protocol ISIS pass-through
>
> Impact the processing of CoPP in any way?
No, I think they can live in the same box, but to my understanding, this
will make IS-IS pass in hardware through the box, and should only
be used if you a) need to pass IS-IS through the box and b) do not
run IS-IS in the box.
On software platforms, such as VXR, I've found that 'match clns' actually
will work, while not supported there either.
--
++ytti
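The policy shape Saku describes, as an added IOS configuration example that is not from the thread: a class permitting the legitimate control-plane IP traffic, then a CoPP-IP class that drops all remaining IP, then class-default transmitting everything else (IS-IS included). The access lists, the 192.0.2.x peer addresses, the rates and the existence of a permit class in front of CoPP-IP are assumptions.

```ios
! Added example, not from the thread. Addresses and rates are constructed.
! Legitimate control-plane IP traffic (assumed: one BGP peer).
ip access-list extended CoPP-PERMIT-IP
 remark constructed example: BGP session with peer 192.0.2.1
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
!
! Everything IP that is left after the permit class.
ip access-list extended CoPP-ALL-IP
 permit ip any any
!
class-map match-all CoPP-PERMIT
 match access-group name CoPP-PERMIT-IP
class-map match-all CoPP-IP
 match access-group name CoPP-ALL-IP
!
policy-map CoPP
 ! permitted IP control traffic, rate-limited
 class CoPP-PERMIT
  police 512000 conform-action transmit exceed-action drop
 ! all other IP to the control plane is dropped
 class CoPP-IP
  police 32000 conform-action drop exceed-action drop
 ! non-IP (IS-IS/CLNS, etc.) lands here and is transmitted
 class class-default
  police 1000000 conform-action transmit exceed-action transmit
!
control-plane
 service-policy input CoPP
!
! Since there is no CoPP logging on 7600, watch the per-class counters
! to see what is hitting CoPP-IP and class-default:
!   show policy-map control-plane input
```

Anything unexpected that shows up in the CoPP-IP counters is a candidate for a new permit entry in CoPP-PERMIT-IP before it is dropped.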