[c-nsp] Control Plane Policing
hjan
hjan at libero.it
Thu Jun 1 06:12:12 EDT 2006
Hello,
I have read Cisco's doc about CPP and I've also read the good
documentation written by John Kristoff about CPP,
in which some implementation examples are included.
I did some tests in our lab environment, a GSR 12410 with IOS 12.0(32)S2,
but I'm not satisfied with the result.
Suppose this sample conf:

access-list 168 permit icmp any loopback0 0.0.0.0
access-list 169 permit any
class-map cp-icmp
 match access-group 168
class-map cp-default
 match access-group 169
policy-map cp-traffic
 class cp-icmp
  police 8000 conform-action transmit exceed-action drop
 class cp-default
  priority
control-plane
 service-policy input cp-traffic

Then I ping loopback0 from a host or a router, and I noticed that
the policy takes effect only if I set an MTU or packet size > 1500
(in fact 1480, so with the standard IP header it is always 1500).
In fact, if I issue sh policy-map control-plane with a small packet
size, all traffic seems to be matched
by the cp-default class:

 Service-policy input: cp-traffic (225)
   Class-map: cp-icmp (match-all) (4925921/1)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: access-group 168 (15210210)
     police:
       cir 8000 bps, bc 4470 bytes
       conformed 0 packets, 0 bytes; actions:
         transmit
       exceeded 0 packets, 0 bytes; actions:
         drop
       conformed 0 bps, exceed 0 bps
   Class-map: cp-default (match-all) (14530241/2)
     151 packets, 11967 bytes
     5 minute offered rate 2000 bps, drop rate 0 bps
     Match: access-group 3 (1872818)
   Class-map: class-default (match-any) (9318433/0)
     3149 packets, 333931 bytes
     5 minute offered rate 1000 bps, drop rate 0 bps
     Match: any (4397474)

Instead, with a greater size:

   Class-map: cp-icmp (match-all) (4925921/1)
     22 packets, 16896 bytes
     5 minute offered rate 2000 bps, drop rate 0 bps
     Match: access-group 168 (15210210)
     police:
       cir 8000 bps, bc 4470 bytes
       conformed 20 packets, 13888 bytes; actions:
         transmit
       exceeded 2 packets, 3008 bytes; actions:
         drop
       conformed 2000 bps, exceed 0 bps

Is there anyone with some idea, or anyone who can share experience with
me?
Thanks
Gianluca
Italy
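
An added example, not part of the original post: a small audit that compares the class-to-ACL mapping from the posted configuration with what the posted `sh policy-map control-plane` output reports, and flags policed classes with zero hits. The names `CONFIGURED`, `SAMPLE`, `parse_classes` and `audit` are hypothetical; on the posted data it reports that cp-default is shown matching access-group 3 while the configuration uses 169.

```python
import re
# Class -> ACL as written in the post's sample configuration.
CONFIGURED = {"cp-icmp": "168", "cp-default": "169"}
# First "show policy-map control-plane" output from the post (rate/police detail lines omitted).
SAMPLE = """\
Service-policy input: cp-traffic (225)
Class-map: cp-icmp (match-all) (4925921/1)
0 packets, 0 bytes
Match: access-group 168 (15210210)
police:
Class-map: cp-default (match-all) (14530241/2)
151 packets, 11967 bytes
Match: access-group 3 (1872818)
Class-map: class-default (match-any) (9318433/0)
3149 packets, 333931 bytes
Match: any (4397474)
"""

def parse_classes(text):
    """Return {class name: {'packets', 'acl', 'policed'}} from the show output."""
    classes, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Class-map:\s+(\S+)", line):
            cur = classes.setdefault(m.group(1), {"packets": 0, "acl": None, "policed": False})
        elif cur is None:
            continue  # header lines before the first class
        elif m := re.match(r"(\d+) packets, \d+ bytes$", line):
            cur["packets"] = int(m.group(1))  # class counter, not police counters
        elif m := re.match(r"Match: access-group (\S+)", line):
            cur["acl"] = m.group(1)
        elif line == "police:":
            cur["policed"] = True
    return classes

def audit(configured, text):
    """List differences between the intended class ACLs and the reported state."""
    classes, findings = parse_classes(text), []
    for name, acl in configured.items():
        seen = classes.get(name)
        if seen is None:
            findings.append(f"{name}: class missing from attached policy")
        elif seen["acl"] != acl:
            findings.append(f"{name}: configured ACL {acl}, running ACL {seen['acl']}")
        elif seen["policed"] and seen["packets"] == 0:
            findings.append(f"{name}: policed class has matched 0 packets")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIGURED, SAMPLE)))
```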