[c-nsp] Sup720 CoPP, limits on CPU performance

Mack McBride mack.mcbride at viawest.com
Mon Mar 22 15:45:05 EDT 2010


Dropping all remaining IP leads to some odd behavior: traffic not destined for the router can get process switched, and that traffic would get dropped. It is better to drop unsolicited traffic aimed at router interface IPs, and rate limit the remaining traffic to some reasonable level to allow process switched traffic to get through.

LR Mack McBride
Network Architect
Viawest Inc.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Monday, March 22, 2010 1:21 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Sup720 CoPP, limits on CPU performance

On (2010-03-22 19:05 +0100), Peter Rathlev wrote:

> As another viewpoint I'd like to know how I can assess what amount of
> traffic I can safely send to the Sup720 CPU. Would anyone have any
> numbers for that, i.e. how much broadcast I can "safely" allow in a CoPP
> policy if I were to not look at that baseline at all?

The SUP720-3BXL had issues managing 5Mbps of SYN/BGP, and generally 10Mbps of
minimum size frames (about 20kpps) is what I could manage in 2006 with SRA
without affecting IS-IS or LDP.

I'd recommend a very generic and simple CoPP:

1) allow trusted sources, MGMT, core links, core loops
2) allow important untrusted SYN, eBGP neighbours
3) allow important untrusted, eBGP !SYN
4) allow unimportant icmp, udp traceroute, hsrp, vrrp, dns, ntp, dhcp, multicast
5) drop all remaining IP

Unfortunately policing is for bps, not pps. Also the documentation is a bit flaky,
but IPv6 is supported (enable compression) and ARP is not supported.
Also the number of MLS rate-limiters should be a bit higher.

Prior to deploying CoPP we very often used telnet from the PE to a customer mail
server and such for troubleshooting; unfortunately with CoPP it's not very
easy. It would be nice if IOS telnet would accept a source port, so you could
allow some low bps back to that port from every address. To work around
this, on top of the CoPP list we have CoPP-DENY and CoPP-PERMIT box-specific
hack ACLs where we can add ad hoc entries.

-- 
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
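As an added example (my own, not configuration posted by Saku or Mack), here is one way the five-class policy above, with Mack's amendment for the last class, could be expressed as Sup720 CoPP. All addresses are RFC 5737 placeholders, the rates are starting points derived from the 2006 figures quoted in the thread, and only standard IOS MQC ACL, class-map, police and control-plane syntax is used.

```ios
! Added example, not from the thread: one layout of the CoPP policy discussed
! above for a Sup720 PFC. Addresses are constructed RFC 5737 placeholders and
! the rates are starting points from the 2006 figures above; measure your own.
mls qos                                    ! hardware CoPP on the PFC needs mls qos
ip access-list extended CoPP-TRUSTED       ! 1) management, core links, core loopbacks
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.255 any
ip access-list extended CoPP-EBGP-SYN      ! 2) eBGP session setup from the known peer
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp syn
ip access-list extended CoPP-EBGP          ! 3) the rest of that eBGP session
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
ip access-list extended CoPP-UNIMPORTANT   ! 4) wanted but expendable
 permit icmp any any
 permit udp any any range 33434 33534      ! UDP traceroute probes
 permit udp any host 224.0.0.2 eq 1985     ! HSRP hellos
 permit udp any any eq ntp
 permit ip any 224.0.0.0 15.255.255.255    ! remaining multicast
ip access-list extended CoPP-ROUTER-IPS    ! unsolicited traffic aimed at our own addresses
 permit ip any host 203.0.113.1
 permit ip any host 192.0.2.1
!
class-map match-any CoPP-TRUSTED
 match access-group name CoPP-TRUSTED
class-map match-any CoPP-EBGP-SYN
 match access-group name CoPP-EBGP-SYN
class-map match-any CoPP-EBGP
 match access-group name CoPP-EBGP
class-map match-any CoPP-UNIMPORTANT
 match access-group name CoPP-UNIMPORTANT
class-map match-any CoPP-ROUTER-IPS
 match access-group name CoPP-ROUTER-IPS
!
policy-map CoPP                            ! first-match, so class order is the policy
 class CoPP-TRUSTED                        ! 1) allowed through unpoliced
  police 20000000 conform-action transmit exceed-action transmit
 class CoPP-EBGP-SYN                       ! 2) a few peers need far less than this
  police 1000000 conform-action transmit exceed-action drop
 class CoPP-EBGP                           ! 3) stay well under the 5Mbps that hurt the 3BXL
  police 4000000 conform-action transmit exceed-action drop
 class CoPP-UNIMPORTANT                    ! 4) nice to have, cheap to lose
  police 1000000 conform-action transmit exceed-action drop
 class CoPP-ROUTER-IPS                     ! Mack's amendment: drop only what is aimed at us
  police 32000 conform-action drop exceed-action drop
 class class-default                       ! transit that gets process switched: limit, not drop
  police 2000000 conform-action transmit exceed-action drop
control-plane
 service-policy input CoPP
```

Before tightening any rate, check with `show policy-map control-plane` that the conform and exceed counters land in the class you intended, since a packet that matches no class ends up rate limited in class-default rather than dropped.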