[c-nsp] Sup720 CoPP, limits on CPU performance

Saku Ytti saku at ytti.fi
Mon Mar 22 17:35:55 EDT 2010


On (2010-03-22 20:49 +0000), Phil Mayers wrote:

> >In general this is a reasonable starting point, but the OP should be
> >aware that traffic which is not destined to the box, most notably
> >packets punted to CPU for arp lookup (glean) have CoPP applied, so a
> >deny on any particular class of traffic will mean packets matching the
> >ACL can never trigger a glean lookup.
> >
> >Whether this is important or not will depend on your traffic patterns;
> >it makes default-denying SSH if you have unix boxes tricky, for example.
> 
> I should add that certain traffic patterns exacerbate this; for
> example we came across it in HSRP setups where inbound traffic comes
> in via the HSRP slave, and only the master had a current ARP entry.

The only possible explanation I can think of for this is that you've been
running a deny in 'class-default'. Defining 'class-default' is not a good
idea; instead, explicitly have a class that matches all IP via an ACL and
drop packets in that class.
Class-default in software will likely see ARP as you explain, but that is
not even the biggest problem: using class-default will eat the MPLS label
lookup from superman (as it'll also match MPLS labeled packets), causing
recirculation for your L3 MPLS VPN customers.

Also, people who run IS-IS would be rather sad if class-default were
configured to drop everything.
-- 
  ++ytti
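The policy structure the reply above argues for, as an added example that is not part of this thread: a hypothetical permit class carries the traffic the RP should see, an explicit ACL-based catch-all IP class is where the drop lives, and `class-default` is left without any action so MPLS-labelled packets and IS-IS are not caught by it. Names, the management prefix and the police rates are assumptions.

```cisco
! Traffic the RP should receive (assumed example: SSH from a placeholder
! management prefix, plus BGP in both directions).
ip access-list extended COPP-PERMIT-ACL
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
! Explicit catch-all for IP: this class, not class-default, does the dropping.
ip access-list extended COPP-CATCHALL-IP-ACL
 permit ip any any
!
class-map match-all COPP-PERMIT
 match access-group name COPP-PERMIT-ACL
class-map match-all COPP-CATCHALL-IP
 match access-group name COPP-CATCHALL-IP-ACL
!
policy-map COPP
 class COPP-PERMIT
  police 1000000 conform-action transmit exceed-action drop
 class COPP-CATCHALL-IP
  ! Dropping here also stops these packets from triggering an ARP glean
  ! punt (the caveat raised earlier in the thread), so anything that must
  ! be able to populate ARP belongs in a permitting class above this one.
  police 32000 conform-action drop exceed-action drop
 class class-default
  ! Deliberately no police statement: per the reply, a drop in
  ! class-default would also match MPLS-labelled packets and IS-IS.
!
control-plane
 service-policy input COPP
```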

