[c-nsp] Cisco 6500/Sup720 ARP CoPP

Saku Ytti saku at ytti.fi
Wed Feb 10 04:45:44 EST 2010


On (2010-02-10 09:17 +0000), Phil Mayers wrote:

> >I assume that ipv6 nd is sufficiently high up the protocol stack that it
> >can be managed by copp?
> 
> Off the top of my head I think CoPP is run in software for ipv6 traffic.

Actually it is fully supported in hardware; I was also long under the
impression it is not.
Of course one has to remember the ACL compression issue: PFC3 does not have
enough bits in the ACL TCAM for full IPv6 data, so you can decide on one of two
ways to operate

a) default
 - lookup up-to /128 in ACL is in hardware
 - lookup to L4 data is punted

b) compressed
 - lookup up-to /88 is in hardware
 - lookup past /88 is punted
 - lookup to L4 ports and flags is in hardware (16+16+8+88 -> 128)

I would argue that default is mostly useless and that you want to run your
system in compressed mode. Just remember always to round the IP lookup to
/88; usually this shouldn't be any security concern, as you assign such large
netblocks that all hosts inside a /88 would have the same security posture.

-- 
  ++ytti
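Added example, not part of the thread or Cisco's own tooling: a small Python audit that applies the two PFC3 modes exactly as Saku lays them out (default: any prefix up to /128 in hardware, L4 punted; compressed: 88 address bits plus 16+16+8 bits of L4 data in hardware, anything past /88 punted) to a list of ACEs, and counts how many extra addresses an ACE longer than /88 would cover if it were rounded to /88 as recommended. The sample prefixes are constructed from the 2001:db8::/32 documentation range; the helper names are my own.

```python
import ipaddress

# Address bits that fit in the PFC3 ACL TCAM in compressed mode, per the post:
# 16 (src port) + 16 (dst port) + 8 (flags) + 88 (address) = 128 TCAM bits.
COMPRESSED_ADDR_BITS = 88

def classify_ace(prefix, has_l4=False, compressed=True):
    """Return ("hardware"|"punt", prefix_to_use) for one IPv6 ACE.

    prefix_to_use is the ACE's own prefix when it fits the mode, or the /88
    supernet it would have to be rewritten to in compressed mode so that the
    lookup stays in hardware (the "round the IP lookup to /88" advice).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if not compressed:
        # default mode: full /128 address lookup in hardware, L4 match punted
        return ("punt" if has_l4 else "hardware", net)
    # compressed mode: L4 ports/flags in hardware, only 88 address bits in TCAM
    if net.prefixlen <= COMPRESSED_ADDR_BITS:
        return ("hardware", net)
    return ("punt", net.supernet(new_prefix=COMPRESSED_ADDR_BITS))

def extra_hosts_if_rounded(prefix):
    """Addresses an ACE longer than /88 would additionally match after being
    rounded to its /88 supernet (0 if no rounding is needed). Use this to
    sanity-check the assumption that the whole /88 shares one security posture."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen <= COMPRESSED_ADDR_BITS:
        return 0
    rounded = net.supernet(new_prefix=COMPRESSED_ADDR_BITS)
    return rounded.num_addresses - net.num_addresses

if __name__ == "__main__":
    # constructed sample ACEs: a /64 with and without an L4 match, and a /128 host
    samples = [("2001:db8:1::/64", False), ("2001:db8:1::/64", True),
               ("2001:db8:1::10/128", False)]
    for ace, l4 in samples:
        for compressed in (False, True):
            decision, use = classify_ace(ace, l4, compressed)
            print(f"{ace:22} l4={l4!s:5} compressed={compressed!s:5} "
                  f"-> {decision:8} match {use} "
                  f"(+{extra_hosts_if_rounded(ace)} hosts if rounded)")
```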

