[c-nsp] Sup720 CoPP, limits on CPU performance
Chris Griffin
cgriffin at ufl.edu
Tue Mar 23 09:20:04 EDT 2010
Because on the PFC3B, mls HWRL glean traffic is subject to the outbound
ACL of the input interface. If it didn't have this "feature" we would
use the glean rate limiter. Its far easier for us to track interface
IPs than it is to re-write all of our outbound ACLs to account for
inbound glean traffic.
Tnx
Chris
On 3/23/2010 9:17 AM, Saku Ytti wrote:
> On (2010-03-23 08:56 -0400), Chris Griffin wrote:
>
>> The testing I did was about a year ago, but as I recall, with our
>> default deny any policy, traffic to hosts with no current ARP
>> adjacency would fail. As soon as the glean rate limiter was
>> enabled, traffic started to flow normally. Further tested
>> demonstrated the limitation with ACL behavior and due our heavy use
>> of outbound ACLs, we elected to track each interface IP in an object
>> group and apply heavy deny policies to those bits while allowing
>> glean and other unclassified traffic to hit a rate limited permit
>> policy.
>
> If the glean rate-limiter bypasses software CoPP, as it seems to do, why
> would you opt not to use it? Do you want to give priority to some glean
> traffic to avoid possible DoS scenario where legit hosts can't be gleaned
> due to attack.
>
>
--
Chris Griffin cgriffin at ufl.edu
Sr. Network Engineer - CCNP Phone: (352) 273-1051
CNS - Network Services Fax: (352) 392-9440
University of Florida/FLR Gainesville, FL 32611
More information about the cisco-nsp
mailing list