[c-nsp] Control Plane Policing
Saku Ytti
saku+cisco-nsp at ytti.fi
Thu Jun 1 12:44:12 EDT 2006
On (2006-06-01 12:12 +0200), hjan wrote:
> I have read cisco's doc about cpp and i've also read the good
> documentation written by John Kristoff about cpp
> in wich are included some implementation example.
> I do some test in our lab environment, a GSR 12410 with IOS 12.0(32)S2
> but i'm not satisfied with the result.
GSR off-loads ICMP echo replies to LC's, and to my experience they're
done before CoPP in LC CPU. That is, they never hit CoPP rules.
I'm not sure if I understood your explanation correctly, but if I did,
you managed to get ICMP matched in CoPP when you pinged with larger
than 1500 bytes, was it over the MTU? If so, then I guess LC CPU
doesn't handle fragments but passes those down to GRP/PRP, which
will result in working CoPP.
Also could you try to apply the CoPP rules in each slot separately,
there appears to be functional differences in them. In example,
when configured like you do, explicit-null packets never match
CoPP, but when configured to each slot, explicit-null packets
are matched by CoPP.
--
++ytti
More information about the cisco-nsp
mailing list