[c-nsp] reflexive ACL on 6500 + CoPP

Antal GERGELY antal.gergely at hu.digi.tv
Fri Oct 31 03:28:48 EDT 2008


Michael Malitsky wrote:
> I would like to complicate the original question: having enabled CoPP on the same box I've run into a situation whereby several ACEs on some reflexive ACLs stopped matching/processing.  I tried removing/reapplying the ACLs, recreating them, clearing mls table, no dice.  As soon as I remove CoPP they start functioning normally, as soon as I apply CoPP these same ACEs stop.  This affects only reflexive ACEs, as rewriting them as 'standard' ACEs also fixes the issue.  
> For a while I thought the problem was caused by the CoPP transmit ceiling being set too low, and the flow setup packets that are punted to MSFC being dropped.  However, changing the CoPP policy to transmit everything, for all classes, did not help.  Only disabling the CoPP policy.
> Is there some interaction between the features?
> 
> Also, on the subject of CoPP, can anyone suggest how to go about classifying traffic and setting limits for CoPP?  I've identified obvious things like routing protocols, various management tools, etc.  The catch-all class still shows quite a bit of traffic, and I am stumped on how to identify what it is.  I understand some of that is packets punted to MSFC, but again, how do I identify/classify them?
> 
> Thank you,
> Michael
> 
> 

You can capture the traffic with Wireshark, tcpdump, etc.

For example on a Sup720 (in slot 5) you can do:

! source: any interface which is in admin down
monitor session 1 source interface GigabitEthernet2/2
! destination: capture machine connected to the SUP
monitor session 1 destination interface GigabitEthernet5/2
remote command switch test monitor add 1 rp-inband tx



-- 
Antal GERGELY

Backbone Network Department
IP Services
DIGI KFT
Budapest Vaci ut 35.
H-1134
Hungary
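
Added example, not part of the original post: once the rp-inband capture above is saved on the capture machine, a short script can bucket what is reaching the RP and list what still falls into the CoPP catch-all class. It assumes the capture was rendered as text with `tcpdump -nn -t -r <file>`; the sample lines and the set of already-classified buckets are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn -t` output (not real traffic).
SAMPLE = """\
IP 192.0.2.1.179 > 192.0.2.2.40122: Flags [P.], seq 1:20, ack 1, length 19: BGP
IP 192.0.2.9 > 224.0.0.5: OSPFv2, Hello, length 48
ARP, Request who-has 192.0.2.2 tell 192.0.2.77, length 46
ARP, Request who-has 192.0.2.2 tell 192.0.2.78, length 46
IP 198.51.100.7.51515 > 192.0.2.2.22: Flags [S], seq 0, win 65535, length 0
IP 198.51.100.7.51516 > 192.0.2.2.22: Flags [S], seq 0, win 65535, length 0
IP 203.0.113.5.33001 > 192.0.2.2.161: UDP, length 43
IP 203.0.113.8 > 192.0.2.2: ICMP echo request, id 1, seq 1, length 64
IP 203.0.113.8.40000 > 198.51.100.200.33434: UDP, length 32
"""

# "IP src[.port] > dst[.port]: description" (IPv4 only; -nn keeps ports numeric)
ADDR = r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?"
IP_RE = re.compile(rf"^IP {ADDR} > {ADDR}: (.*)$")

def bucket(line):
    """Map one tcpdump line to a coarse bucket such as 'tcp/22' or 'arp'."""
    if line.startswith("ARP"):
        return "arp"
    m = IP_RE.match(line)
    if not m:
        return "other"
    _src, sport, _dst, dport, desc = m.groups()
    if sport and dport:
        # Assumption: with ports present, "Flags [" means TCP, anything else UDP.
        l4 = "tcp" if desc.startswith("Flags [") else "udp"
        # Heuristic: the lower port number is the service port.
        return f"{l4}/{min(int(sport), int(dport))}"
    # No ports: use tcpdump's protocol word (ICMP, OSPFv2, ...).
    return re.split(r"[ ,]", desc, maxsplit=1)[0].lower()

def summarize(text):
    return Counter(bucket(l) for l in text.splitlines() if l.strip())

def catch_all(counts, classified):
    """Buckets not covered by an existing CoPP class, busiest first."""
    return [(b, n) for b, n in counts.most_common() if b not in classified]

if __name__ == "__main__":
    # Hypothetical: buckets that already have their own CoPP class.
    have_class = {"tcp/179", "ospfv2", "tcp/22", "udp/161"}
    for b, n in catch_all(summarize(SAMPLE), have_class):
        print(f"{n:5d}  {b}")
```

Each bucket that remains is a candidate for its own class-map and rate limit; lines that land in `other` need a closer look in Wireshark.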

