[c-nsp] Sup720 CoPP, limits on CPU performance

Chris Griffin cgriffin at ufl.edu
Tue Mar 23 09:20:04 EDT 2010


Because on the PFC3B, mls HWRL glean traffic is subject to the outbound 
ACL of the input interface.  If it didn't have this "feature" we would 
use the glean rate limiter.  It's far easier for us to track interface 
IPs than it is to re-write all of our outbound ACLs to account for 
inbound glean traffic.

Tnx
Chris

On 3/23/2010 9:17 AM, Saku Ytti wrote:
> On (2010-03-23 08:56 -0400), Chris Griffin wrote:
>
>> The testing I did was about a year ago, but as I recall, with our
>> default deny any policy, traffic to hosts with no current ARP
>> adjacency would fail.  As soon as the glean rate limiter was
>> enabled, traffic started to flow normally.  Further testing
>> demonstrated the limitation with ACL behavior and due to our heavy use
>> of outbound ACLs, we elected to track each interface IP in an object
>> group and apply heavy deny policies to those bits while allowing
>> glean and other unclassified traffic to hit a rate limited permit
>> policy.
>
> If the glean rate-limiter bypasses software CoPP, as it seems to do, why
> would you opt not to use it? Do you want to give priority to some glean
> traffic to avoid a possible DoS scenario where legit hosts can't be gleaned
> due to attack.
>
>

-- 
Chris Griffin                           cgriffin at ufl.edu
Sr. Network Engineer - CCNP             Phone: (352) 273-1051
CNS - Network Services                  Fax:   (352) 392-9440
University of Florida/FLR               Gainesville, FL 32611
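A constructed CoPP layout showing the design Chris describes: traffic addressed to the router's own interface IPs gets a small permit class and a heavy deny class, while glean and other unclassified punts fall through to a rate-limited permit in class-default. This is an added example, not configuration from the thread; the addresses, ACL and class names, rates, and the assumption that object-group ACLs are available on the running release are all mine.

```cisco
! Constructed example, not the poster's configuration.
! Assumes IOS 12.2SX-style CoPP syntax and object-group ACL support.
! All addresses are documentation-range placeholders.
object-group network ROUTER-IFACE-IPS
 host 192.0.2.1
 host 192.0.2.129
 host 198.51.100.1
!
! Control-plane traffic we actually need: assumed BGP peer and mgmt subnet
ip access-list extended COPP-CRITICAL
 permit tcp host 192.0.2.2 addrgroup ROUTER-IFACE-IPS eq bgp
 permit tcp host 192.0.2.2 eq bgp addrgroup ROUTER-IFACE-IPS
 permit tcp 203.0.113.0 0.0.0.255 addrgroup ROUTER-IFACE-IPS eq 22
!
! Anything else aimed at an interface IP: the "heavy deny" bucket
ip access-list extended COPP-TO-IFACE
 permit ip any addrgroup ROUTER-IFACE-IPS
!
class-map match-all COPP-CRITICAL
 match access-group name COPP-CRITICAL
class-map match-all COPP-TO-IFACE
 match access-group name COPP-TO-IFACE
!
policy-map COPP
 class COPP-CRITICAL
  police 1000000 31250 31250 conform-action transmit exceed-action drop
 class COPP-TO-IFACE
  ! deny by policing to drop on both conform and exceed
  police 32000 1500 1500 conform-action drop exceed-action drop
 class class-default
  ! glean (no ARP adjacency yet) and other unclassified punts land here:
  ! permitted so forwarding to new hosts works, but capped so a burst
  ! cannot monopolise the RP
  police 500000 15625 15625 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Because glean packets are destined to a host behind the router rather than to an interface IP, they never match COPP-TO-IFACE and are governed only by the class-default policer, which is the CoPP-side equivalent of the glean rate limiter without the outbound-ACL interaction described above.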

