[c-nsp] Sup720 CoPP, limits on CPU performance

Saku Ytti saku at ytti.fi
Mon Mar 22 15:21:26 EDT 2010


On (2010-03-22 19:05 +0100), Peter Rathlev wrote:

> As another viewpoint I'd like to know how I can assess what amount of
> traffic I can safely send to the Sup720 CPU. Would anyone have any
> numbers for that, i.e. how much broadcast I can "safely" allow in a CoPP
> policy if I were to not look at that baseline at all?

SUP720-3BXL had issues managing 5Mbps of SYN/BGP, and generally 10Mbps of
minimum-size frames (about 20kpps) is what I could manage in 2006 with SRA
without affecting IS-IS or LDP.

I'd recommend a very generic and simple CoPP:

1) allow trusted sources, MGMT, core links, core loops
2) allow important untrusted SYN, eBGP neighbours
3) allow important untrusted, eBGP !SYN
4) allow unimportant icmp, udp traceroute, hsrp, vrrp, dns, ntp, dhcp, multicast
5) drop all remaining IP

Unfortunately policing is for bps, not pps. Also the documentation is a bit flaky,
but IPv6 is supported (enable compression) and ARP is not supported.
Also the number of MLS rate-limiters should be a bit higher.

Prior to deploying CoPP we very often used telnet from the PE to a customer's mail
server and such for troubleshooting; unfortunately with CoPP it's not very
easy. It would be nice if IOS telnet would accept a source port, so you could
allow some low bps back to that port from every address. To work around
this, on top of the CoPP list we have CoPP-DENY and CoPP-PERMIT box-specific
hack ACLs where we can add ad hoc entries.

-- 
  ++ytti
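An added configuration example, written for this page and not taken from Saku's post or from Cisco documentation, showing how the five-class CoPP layout in the message above maps onto IOS policy-map syntax on a Sup720. Every address (RFC 5737 documentation ranges), ACL and class name, and police rate is a constructed placeholder; "!SYN" for the eBGP class is approximated with the `established` keyword (ACK or RST set), and the IPv6 and ARP caveats from the post are left outside the example.

```cisco
! Added example, not the post author's configuration.
! Placeholder addresses: 192.0.2.0/24 management, 198.51.100.0/25 core links,
! 198.51.100.128/25 core loopbacks, 203.0.113.10 and .20 eBGP peers.
mls qos
!
! 1) trusted sources: management, core links, core loopbacks
ip access-list extended COPP-TRUSTED
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.127 any
 permit ip 198.51.100.128 0.0.0.127 any
!
! 2) important untrusted: TCP SYN from/to eBGP neighbours (one line pair per peer)
ip access-list extended COPP-EBGP-SYN
 permit tcp host 203.0.113.10 any eq bgp syn
 permit tcp host 203.0.113.10 eq bgp any syn
 permit tcp host 203.0.113.20 any eq bgp syn
 permit tcp host 203.0.113.20 eq bgp any syn
!
! 3) important untrusted: the rest of the eBGP sessions (non-SYN, approximated as established)
ip access-list extended COPP-EBGP
 permit tcp host 203.0.113.10 any eq bgp established
 permit tcp host 203.0.113.10 eq bgp any established
 permit tcp host 203.0.113.20 any eq bgp established
 permit tcp host 203.0.113.20 eq bgp any established
!
! 4) unimportant: icmp, udp traceroute, hsrp, vrrp, dns, ntp, dhcp, multicast
ip access-list extended COPP-UNIMPORTANT
 permit icmp any any
 permit udp any any range 33434 33534
 permit udp any host 224.0.0.2 eq 1985
 permit 112 any host 224.0.0.18
 permit udp any any eq domain
 permit udp any eq domain any
 permit udp any any eq ntp
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 permit ip any 224.0.0.0 15.255.255.255
!
class-map match-any COPP-TRUSTED
 match access-group name COPP-TRUSTED
class-map match-any COPP-EBGP-SYN
 match access-group name COPP-EBGP-SYN
class-map match-any COPP-EBGP
 match access-group name COPP-EBGP
class-map match-any COPP-UNIMPORTANT
 match access-group name COPP-UNIMPORTANT
!
! Rates are placeholders chosen to stay well under the ~10Mbps of minimum-size
! frames the post reports as the practical ceiling; classes are evaluated in order,
! so a SYN/ACK from a peer lands in COPP-EBGP-SYN before COPP-EBGP.
policy-map COPP
 class COPP-TRUSTED
  police 4000000 conform-action transmit exceed-action drop
 class COPP-EBGP-SYN
  police 256000 conform-action transmit exceed-action drop
 class COPP-EBGP
  police 1000000 conform-action transmit exceed-action drop
 class COPP-UNIMPORTANT
  police 1000000 conform-action transmit exceed-action drop
 ! 5) drop all remaining IP
 class class-default
  police 32000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
```

Before tightening any rate, watch the per-class conform and exceed counters with `show policy-map control-plane input` for a few days of normal operation: a class that exceeds under ordinary load has been sized too small, while a class-default counter that climbs steadily is a prompt to find out what is hitting the CPU rather than to raise its limit.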
