[c-nsp] Sup720 CoPP, limits on CPU performance
Saku Ytti
saku at ytti.fi
Mon Mar 22 15:56:06 EDT 2010
On (2010-03-22 12:45 -0700), Mack McBride wrote:
> Dropping all remaining IP leads to some odd behavior since traffic not destined for the router can get process switched, that traffic would get dropped. It is better to drop unsolicited traffic aimed at router interface ips. And rate limit the remaining traffic to some reasonable level to allow process switched traffic to get through.
Such traffic could be e.g. uRPF ACL, or ACL permit entry with log, neither
which I do. Also IP options naturally are process switched, which I police
to 10pps.
Generally prerequisite for control plane policing is understanding
explicitly what the box is doing. If you need to generally forward
something in software in 7600, you are likely using wrong box.
If you don't know for sure what needs to be allowed, only thing you're
doing is putting bad and good traffic in same queue, making box drop the
good traffic earlier than it would do without CoPP.
--
++ytti
More information about the cisco-nsp
mailing list