[c-nsp] Sup720 CoPP, limits on CPU performance

Tim Durack tdurack at gmail.com
Mon Mar 22 22:23:37 EDT 2010


On Mon, Mar 22, 2010 at 5:35 PM, Saku Ytti <saku at ytti.fi> wrote:
> On (2010-03-22 20:49 +0000), Phil Mayers wrote:
>
>> >In general this is a reasonable starting point, but the OP should be
>> >aware that traffic which is not destined to the box, most notably
>> >packets punted to CPU for arp lookup (glean) have CoPP applied, so a
>> >deny on any particular class of traffic will mean packets matching the
>> >ACL can never trigger a glean lookup.
>> >
>> >Whether this is important or not will depend on your traffic patterns;
>> >it makes default-denying SSH if you have unix boxes tricky, for example.
>>
>> I should add that certain traffic patterns exacerbate this; for
>> example we came across it in HSRP setups where inbound traffic comes
>> in via the HSRP slave, and only the master had a current ARP entry.
>
> The only possible explanation I can think of for this is that you've been
> running deny in 'class-default'. Defining 'class-default' is not a good
> idea; instead, explicitly have a class that matches all IP via ACL and
> drop packets in that class.
> Class-default in software will likely see ARP, as you explain, but that is
> not even the biggest problem: using class-default will eat the MPLS label
> lookup from superman (as it'll also match MPLS-labeled packets), causing
> recirculation for your L3 MPLS VPN customers.
>
> Also people who run IS-IS would be rather sad if class-default would be
> configured to drop everything.
> --
>  ++ytti
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

CoPP is quite challenging on the 6500.

We've finally come down to a class per protocol. Some oddities include
BFD not matching ACL entries but apparently matching the class and
being policed correctly (is this because BFD runs on the SP?).

Not being able to differentiate receive from glean traffic is a huge
problem. This makes it difficult/impossible to permit approved control
plane traffic, then deny everything else. If you do, glean traffic
won't hit the control plane, causing ARP failures. Not fun.

According to N7K docs, this is all fixed in EARL8...

-- 
Tim:>