[c-nsp] CoPP not catching software-switched CEF
Phil Bedard
philxor at gmail.com
Wed Dec 19 08:58:14 EST 2007
match-all works, but I don't think you can use it with multiple match
clauses. I've only ever really used match-all and it works fine for
CoPP on the Sup720/RSP720. The hardware counters certainly
increment, and CoPP blocks bad traffic with no CPU hit.
Phil
On Dec 19, 2007, at 3:20 AM, Saku Ytti wrote:
>
>>> match-all is not supported.
>>
>> The config is loaded "class-map copp-ip" and the "match-all" is added by
>> the mucular QoS conflaguraterator by itself. The docs (and most other examples
>> I've seen) seem to use "match-all". In general the CoPP filter in place has
>> usefully blocked plenty of other stuff in the past (mostly ICMP & UDP floods)
>> while preserving protocol traffic as normal:
>
> I would refine it as 'class-map match-any copp-ip'. Of course you appear
> only to have one rule there, so I'm not sure if there is any problem
> there. But I know CoPP doesn't support match-all. I wish it did, because then I
> could do stuff like this:
>
> class-map match-all CoPP-ALLOW_BGP_FROM_CORE
>  match access-group name CORELOOPS
>  match access-group name BGP
> class-map match-all CoPP-ALLOW_LDP_FROM_CORE
>  match access-group name CORELOOPS
>  match access-group name LDP
> !
>
> Now, as this is not supported, if I want exactly the same effect, I need to
> maintain CORELOOPS_BGP, CORELOOP_LDP etc. ACLs with mostly duplicate
> info.
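The workaround Saku describes, written out as an added configuration example (not from the original thread): the core loopback range is folded into one ACL per protocol, so a single match-any class per protocol gives the effect of the unsupported match-all pairing of CORELOOPS with BGP or LDP. The 10.255.0.0/24 range and the police rates are constructed placeholders.

```cisco
! Constructed example: each per-protocol ACL already carries the core
! loopback source range, which is the duplicated info Saku mentions.
! 10.255.0.0/24 stands in for the real core loopback range.
ip access-list extended CORELOOPS_BGP
 permit tcp 10.255.0.0 0.0.0.255 any eq bgp
 permit tcp 10.255.0.0 0.0.0.255 eq bgp any
!
ip access-list extended CORELOOPS_LDP
 permit tcp 10.255.0.0 0.0.0.255 any eq 646
 permit tcp 10.255.0.0 0.0.0.255 eq 646 any
 permit udp 10.255.0.0 0.0.0.255 any eq 646
!
! One ACL per class, so match-any and match-all behave identically here.
class-map match-any CoPP-ALLOW_BGP_FROM_CORE
 match access-group name CORELOOPS_BGP
class-map match-any CoPP-ALLOW_LDP_FROM_CORE
 match access-group name CORELOOPS_LDP
!
! Core routing/label protocols are never dropped; everything else that
! reaches the control plane is rate-limited. Rates are placeholders.
policy-map CoPP
 class CoPP-ALLOW_BGP_FROM_CORE
  police 1000000 conform-action transmit exceed-action transmit
 class CoPP-ALLOW_LDP_FROM_CORE
  police 1000000 conform-action transmit exceed-action transmit
 class class-default
  police 500000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP
```

The per-class counters from `show policy-map control-plane` confirm whether the protocol classes are matching and whether class-default is the one dropping, which is the check to run before assuming CoPP is silently passing traffic.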