[c-nsp] Control Plane Policing

hjan hjan at libero.it
Thu Jun 1 06:12:12 EDT 2006


Hello,
I have read Cisco's doc about CPP and I've also read the good 
documentation written by John Kristoff about CPP,
in which some implementation examples are included.
I did some tests in our lab environment, a GSR 12410 with IOS 12.0(32)S2, 
but I'm not satisfied with the results.

Suppose this sample conf:

access-list 168 permit icmp any loopback0 0.0.0.0
access-list 169 permit any

class-map cp-icmp
match access-group 168
class-map cp-default
match access-group 169

policy-map cp-traffic
class cp-icmp
 police 8000 conform-action transmit exceed-action drop
class cp-default
 priority

control-plane
service-policy input cp-traffic


Then I ping loopback0 from a host or a router, and I noticed that 
the policy takes effect only if I set an MTU or packet size > 1500
(in fact 1480, so with the standard IP header it is always 1500).
In fact, if I issue sh policy-map control-plane with a small packet 
size, all traffic seems to be matched
by the cp-default class:

Service-policy input: cp-traffic (225)

   Class-map: cp-icmp (match-all) (4925921/1)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: access-group 168 (15210210)
     police:
         cir 8000 bps, bc 4470 bytes
       conformed 0 packets, 0 bytes; actions:
         transmit
       exceeded 0 packets, 0 bytes; actions:
         drop
       conformed 0 bps, exceed 0 bps

   Class-map: cp-default (match-all) (14530241/2)
     151 packets, 11967 bytes
     5 minute offered rate 2000 bps, drop rate 0 bps
     Match: access-group 3 (1872818)

   Class-map: class-default (match-any) (9318433/0)
     3149 packets, 333931 bytes
     5 minute offered rate 1000 bps, drop rate 0 bps
     Match: any  (4397474)

Instead with a greater size:

Class-map: cp-icmp (match-all) (4925921/1)
     22 packets, 16896 bytes
     5 minute offered rate 2000 bps, drop rate 0 bps
     Match: access-group 168 (15210210)
     police:
         cir 8000 bps, bc 4470 bytes
       conformed 20 packets, 13888 bytes; actions:
         transmit
       exceeded 2 packets, 3008 bytes; actions:
         drop
       conformed 2000 bps, exceed 0 bps


Does anyone have any ideas, or can anyone share their experience with 
me?

Thanks
Gianluca
Italy

