[c-nsp] Cisco 6500/Sup720 ARP CoPP
Brandon Ewing
nicotine at warningg.com
Tue Feb 9 14:23:34 EST 2010
Some of the earlier threads today sparked me to re-check some CoPP I had
deployed to see if the ARP limiting I placed in was effective, as I had
experienced some episodes where it would take some time for the supervisor
to learn ARP entries for new links. I found some confusing and misleading
results, in both my counters and the documentation on Cisco's site. Any
input would be appreciated.
First I did "show mls qos protocol arp":
  Int  Mod  Dir  Class-map   DSCP  Agg  Trust  Fl  AgForward-By   AgPoliced-By
                                   Id         Id
  -------------------------------------------------------------------------
  CPP  6    In   CoPP-CLASS  0     8    dscp   0   0              0
  CPP  6    In   class-defa  0     7    dscp   0   715557790      105287223
  All  6    -    Default     0     0*   No     0   173681814237   0
The first line is a class that matches "protocol arp" -- the fact that none
of my ARP traffic is matching this rule is disturbing, as the SXH
configuration guide states:
Layer 2 Protocols—Traffic used for address resolution protocol (ARP).
Excessive ARP packets can potentially monopolize RP resources, starving
other important processes; CoPP can be used to rate limit ARP packets to
prevent this situation. Currently, ARP is the only Layer 2 protocol that can
be specifically classified using the match protocol classification criteria.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/copp.html
However, in the same document, they also state:
CoPP does not support ARP policies. ARP policing mechanisms provide
protection against ARP storms.
This doesn't appear to be happening, as confirmed by "show policy-map
control-plane":
  Hardware Counters:
    class-map: CoPP-CLASS-ARP (match-all)
      Match: protocol arp
      police :
        8192000 bps 256000 limit 256000 extended limit
      Earl in slot 6 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 0 bps exceed 0 bps
Instead, the output from the first command seems to indicate that ARP
traffic is being matched by class-default, and is being rate-limited along
with other non-matched traffic.
A friend pointed me at
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html
which documents "mls qos protocol arp police", but there is a qualifier
that states that this is not CoPP specific, as it will also rate-limit
switched ARP packets through the switch, not just those directed at the
router processor.
What are other providers using for CoPP configurations on their 6500s? Is
it functioning correctly for you? Are there any other pitfalls I should be
aware of?
--
Brandon Ewing (nicotine at warningg.com)
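As an added example (not from the post or from Cisco), the check below parses the "show mls qos protocol arp" hardware counters quoted above and flags the symptom described: the ARP class has no hits while class-default is policing bytes. It assumes the ARP class name begins with "CoPP-CLASS" and that the display truncates class-map names to 10 characters, as the output above suggests.

```python
from dataclasses import dataclass

# Constructed sample: the "show mls qos protocol arp" output quoted in the post.
SAMPLE = """\
Int  Mod  Dir  Class-map   DSCP  Agg  Trust  Fl  AgForward-By   AgPoliced-By
                                 Id         Id
-------------------------------------------------------------------------
CPP  6    In   CoPP-CLASS  0     8    dscp   0   0              0
CPP  6    In   class-defa  0     7    dscp   0   715557790      105287223
All  6    -    Default     0     0*   No     0   173681814237   0
"""

@dataclass
class Row:
    intf: str        # CPP = control-plane policer rows, All = port-level default
    mod: int
    direction: str
    class_map: str   # truncated to 10 characters by the CLI
    forwarded: int   # AgForward-By (bytes)
    policed: int     # AgPoliced-By (bytes)

def parse_mls_qos_protocol(text):
    """Return the data rows of a 'show mls qos protocol <proto>' table."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have exactly 10 columns and a numeric DSCP field;
        # header, 'Id Id' and dashed-rule lines fail one of these tests.
        if len(f) != 10 or not f[4].isdigit():
            continue
        rows.append(Row(f[0], int(f[1]), f[2], f[3], int(f[8]), int(f[9])))
    return rows

def check_arp_classification(rows, arp_class_prefix="CoPP-CLASS"):
    """Flag an ARP class with zero hardware hits and a policed class-default."""
    by_class = {r.class_map: r for r in rows if r.intf == "CPP"}
    arp = next((r for n, r in by_class.items()
                if n.startswith(arp_class_prefix[:10])), None)
    default = by_class.get("class-defa")  # 'class-default' after truncation
    result = {"arp_class": arp.class_map if arp else None,
              "arp_hits": (arp.forwarded + arp.policed) if arp else 0,
              "default_policed_pct": 0.0, "findings": []}
    if arp is None:
        result["findings"].append("no hardware counters for the ARP class")
    elif result["arp_hits"] == 0:
        result["findings"].append(f"{arp.class_map}: zero hits; ARP is not matching it in hardware")
    if default and default.policed:
        pct = 100.0 * default.policed / (default.forwarded + default.policed)
        result["default_policed_pct"] = pct
        result["findings"].append(f"class-default: {pct:.1f}% of bytes policed; ARP is subject to it")
    return result
```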