[c-nsp] ACK/RST rate-limit?
Nemeth Laszlo
csirek at cooler.hu
Wed Nov 5 09:51:47 EST 2008
Hi,
Gert Doering wrote:
> It needs a bit of consideration what sort of packets the router is meant
> to receive ("routing protocols", anyone?) and you should lab-test it before
> rolling out on production routers.
It's a border test router with BGP and OSPF.
I made a config from this page:
http://aharp.ittns.northwestern.edu/papers/copp.html
Now I'm flooding my router with SYN packets and it's interesting...
Without a control-plane policy the CPU goes to 100%. This is normal :)
If I set the CPP, every 4 minutes the CPU goes up to 100% for about 20
seconds and then goes back down to 0-2% until the next 4 minutes. And again
it goes up...
Here is the CPU "log":
> show processes cpu | exclude 0\.00\% 0\.00\% 0\.00\%
CPU utilization for five seconds: 79%/79%;one minute: 6%;five minutes:2%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 23872 29219 817 0.00% 0.07% 0.05% 0 Exec
5 24736 1940 12750 0.00% 0.23% 0.18% 0 Check hea
37 4388 204 21509 0.00% 0.02% 0.00% 0 Per-minu
122 589744 2731281 215 0.00% 0.01% 0.23% 0 IP Input
179 3532 17519 201 0.00% 0.02% 0.00% 0 CEF proce
after 4 sec:
tartalek_6500#cpu
CPU utilization for five seconds: 96%/8%;one minute: 14%;five minutes:3%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 23884 29224 817 0.07% 0.07% 0.05% 0 Exec
5 24736 1940 12750 0.00% 0.21% 0.18% 0 Check hea
37 4388 204 21509 0.00% 0.02% 0.00% 0 Per-minut
122 591616 2731775 216 87.91% 7.05% 1.69% 0 IP Input
179 3532 17522 201 0.07% 0.02% 0.00% 0 CEF proce
after 4 sec:
CPU utilization for five seconds: 50%/32%;one minute:17%;five minutes:4%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 23912 29234 817 0.39% 0.09% 0.06% 0 Exec
5 24736 1940 12750 0.00% 0.19% 0.17% 0 Check hea
37 4388 204 21509 0.00% 0.02% 0.00% 0 Per-minut
122 592324 2732929 216 17.59% 7.89% 1.95% 0 IP Input
179 3532 17528 201 0.00% 0.02% 0.00% 0 CEF process
after 4 sec:
CPU utilization for five seconds: 1%/0%; one minute: 15%;five minutes:4%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 23944 29244 818 0.79% 0.15% 0.07% 0 Exec
5 24736 1940 12750 0.00% 0.18% 0.17% 0 Check heap
37 4388 204 21509 0.00% 0.01% 0.00% 0 Per-minut
122 592324 2733929 216 0.07% 7.26% 1.92% 0 IP Input
179 3532 17534 201 0.00% 0.02% 0.00% 0 CEF proce
This 0% CPU stays until the next 4 minutes.
It's a Sup720-3BXL with 12.2.18SXF6. I know it's not a new IOS, but it's
very stable in my network.
My policy config is:
class-map match-all cp-normal-in
description Control plane normal traffic
match access-group name cp-normal-in
class-map match-all cp-critical-in
description Control plane critical traffic
match access-group name cp-critical-in
class-map match-any cp-undesirable-in
description Control plane undesirable traffic
match access-group name cp-undesirable-in
class-map match-all cp-important-in
description Control plane important traffic
match access-group name cp-important-in
class-map match-all cp-default-in
description Control plane default traffic
match access-group 2
!
!
policy-map control-plane-in
class cp-critical-in
class cp-important-in
police cir 128000 bc 24000 be 48000 conform-action transmit
exceed-action drop violate-action drop
class cp-normal-in
police cir 32000 bc 1500 be 1500 conform-action transmit
exceed-action drop violate-action drop
class cp-undesirable-in
police cir 32000 bc 1000 be 1000 conform-action transmit
exceed-action drop violate-action drop
class cp-default-in
police cir 128000 bc 1500 be 1500 conform-action transmit
exceed-action drop violate-action drop
!
ip access-list extended cp-critical-in
remark Control plane critical traffic - inbound
remark OSPF
permit ospf host 10.0.0.101 any
permit ospf host 10.0.0.102 any
remark PIM
permit pim host 10.0.0.101 any
permit pim host 10.0.0.102 any
remark IGMP
permit igmp any 224.0.0.0 15.255.255.255
remark BGP
permit tcp host 10.0.0.101 eq bgp host 10.0.0.1
permit tcp host 10.0.0.102 host 10.0.0.1 eq bgp
deny ip any any
ip access-list extended cp-important-in
remark Control plane important traffic - inbound
remark SSH/TELNET
permit tcp 10.0.0.0 0.0.0.255 any range 22 telnet
deny ip any any
ip access-list extended cp-normal-in
remark Control plane normal traffic - inbound
remark ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any parameter-problem
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
ip access-list extended cp-undesirable-in
remark Control plane undesirable traffic - inbound
remark NTP
permit udp any any eq ntp
remark SNMPTRAP
permit udp any any eq snmptrap
deny ip any any
!
access-list 2 remark utility ACL to allow everything
access-list 2 permit any
If I set the CIR from 128000 to 32000 in the cp-default-in class, I see
very little CPU load between the 100% peaks, but this wave is still there every 4
minutes... So I think the 4-minute wave is caused by the CPP settings. But why??
Laszlo
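As an added diagnostic aid (this is not part of Laszlo's post): a small Python parser for the `show processes cpu` samples above. In a line like "five seconds: 96%/8%" the first figure is total CPU and the second is the share spent at interrupt level; the difference is process-level time, which is what IP Input accounts for in the peak sample. The sample strings are constructed from the figures in the post.

```python
import re
from dataclasses import dataclass

# Header line: "CPU utilization for five seconds: 96%/8%;one minute: 14%;five minutes:3%"
HEADER_RE = re.compile(
    r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%;\s*"
    r"one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%"
)
# Process row: PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process
PROC_RE = re.compile(
    r"^\s*\d+\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%\s+\S+\s+(.+?)\s*$"
)

@dataclass
class CpuSample:
    total_5s: int          # first figure: all CPU time over the last 5 s
    interrupt_5s: int      # second figure: time at interrupt level (fast path)
    top_process: str       # busiest scheduled process in this sample
    top_process_5s: float  # its 5-second percentage

    @property
    def process_level_5s(self) -> int:
        # Time left after interrupt level = scheduled processes such as IP Input
        return self.total_5s - self.interrupt_5s

def parse_sample(text: str) -> CpuSample:
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'CPU utilization' header in sample")
    top_name, top_pct = "", 0.0
    for line in text.splitlines():
        p = PROC_RE.match(line)
        if p and float(p.group(1)) > top_pct:
            top_pct, top_name = float(p.group(1)), p.group(2)
    return CpuSample(int(m.group(1)), int(m.group(2)), top_name, top_pct)

def classify(s: CpuSample, busy_threshold: int = 50) -> str:
    """Say where a busy sample spends its time: interrupt level or a process."""
    if s.total_5s < busy_threshold:
        return "idle"
    if s.interrupt_5s >= s.process_level_5s:
        return "interrupt-bound"   # flood handled in the fast path
    return "process-bound"         # packets reaching a scheduled process

# Constructed samples using the figures from the post.
SAMPLE_NO_COPP = """CPU utilization for five seconds: 79%/79%;one minute: 6%;five minutes:2%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
122 589744 2731281 215 0.00% 0.01% 0.23% 0 IP Input"""
SAMPLE_COPP_PEAK = """CPU utilization for five seconds: 96%/8%;one minute: 14%;five minutes:3%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 23884 29224 817 0.07% 0.07% 0.05% 0 Exec
122 591616 2731775 216 87.91% 7.05% 1.69% 0 IP Input"""
```

Running `classify(parse_sample(...))` on the two samples labels the no-CoPP one interrupt-bound and the CoPP peak process-bound with IP Input on top, which is the distinction worth checking before tuning policer rates.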