[c-nsp] c6500: traffic routed to Null0 is seen in SPAN as CPU traffic

Michael Ulitskiy mulitskiy at acedsl.com
Mon Nov 16 16:43:59 EST 2009 

Hello,

I have the following hardware/software: 6509, SUP32, 12.2(33)SXH4.
Here's the story. I was doing CPU traffic profiling for CoPP. I've created CoPP with class-default basically measuring
traffic, but not limiting it:

policy-map CPP-IN
  class class-default
    police 256000 conform-action transmit exceed-action transmit

To my surprise I saw about 20M of traffic in CoPP class-default, most in hardware counters:

CORE1#sh policy-map control-plane input class class-default


 Control Plane Interface

  Service-policy input: CPP-IN

  Hardware Counters:

    class-map: class-default (match-any)
      Match: any
      police :
        256000 bps 8000 limit 8000 extended limit
      Earl in slot 5 :
        106459028196 bytes
        5 minute offered rate 17580264 bps
        aggregate-forwarded 106459028196 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 16774272 bps exceed 0 bps

  Software Counters:

    Class-map: class-default (match-any)
      3242699 packets, 201814640 bytes
      5 minute offered rate 10000 bps, drop rate 0 bps

      Match: any

        3242700 packets, 201814640 bytes

        5 minute rate 10000 bps

      police:

          cir 256000 bps, bc 8000 bytes

        conformed 3243173 packets, 201843118 bytes; actions:

          transmit

        exceeded 19 packets, 1140 bytes; actions:

          transmit

        conformed 9000 bps, exceed 0 bps


Then I've enabled local SPAN session with RP CPU as a source. Here's the config:

interface Null0
 no ip unreachables
!
monitor session 1 type local
 source cpu rp tx
 destination interface Fa3/7 ingress learning
!
ip route 10.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0

Again to my surprise when I'm running tcpdump on the machine attached to Fa3/7 I see traffic to those null-routed subnets.
I always thought that null-routed traffic on a hardware platform shouldn't hit CPU.

There's no CPU problem on this box. The box is forwarding about 200M of traffic with CPU normally staying at 5%.
So I wonder if this is just cosmetic as I think I would definitely see more CPU usage on SUP32 if it really handled about 20M of traffic in software.
Has anybody see it? Any ideas?

Thanks,

Michael

More information about the cisco-nsp mailing list