[c-nsp] Sup720 CoPP, limits on CPU performance

Phil Mayers p.mayers at imperial.ac.uk
Tue Mar 23 08:18:32 EDT 2010


On 23/03/10 12:15, Ross Vandegrift wrote:
> On Mon, Mar 22, 2010 at 12:45:05PM -0700, Mack McBride wrote:
>> Dropping all remaining IP leads to some odd behavior since traffic
>> not destined for the router can get process switched, that traffic
>> would get dropped.  It is better to drop unsolicited traffic aimed
>> at router interface IPs. And rate limit the remaining traffic to
>> some reasonable level to allow process switched traffic to get
>> through.
>
> People always say this, but I wasn't able to get this working.  I
> implemented CoPP on a pair of misbehaving 6500s with the express
> intention of breaking most process switching.
>
> CoPP is generally working fine.  My policy is similar to the strategy
> described by the previous poster (permit routing protocols, permit a
> few management IPs, permit and ratelimit ICMP, drop everything else).
> All of this works as advertised when the destination address of a
> packet is the router.  But the boxes will still punt and software
> switch transit traffic.

Interesting. We saw the opposite; transit traffic being punted (for 
glean) and dropped by CoPP, so the ARP resolution would never succeed.

What sup/PFC versions? Were you using "class-default" or a "match all" ACL?

I wish this stuff were more consistent...

