[c-nsp] Sup720 CoPP, limits on CPU performance

Phil Mayers p.mayers at imperial.ac.uk
Tue Mar 23 09:31:45 EDT 2010


On 23/03/10 13:03, Tim Durack wrote:
> On Tue, Mar 23, 2010 at 8:56 AM, Chris Griffin <cgriffin at ufl.edu> wrote:
>> The testing I did was about a year ago, but as I recall, with our default
>> deny any policy, traffic to hosts with no current ARP adjacency would fail.
>> As soon as the glean rate limiter was enabled, traffic started to flow
>> normally.  Further testing demonstrated the limitation with ACL behavior and
>> due to our heavy use of outbound ACLs, we elected to track each interface IP in
>> an object group and apply heavy deny policies to those bits while allowing
>> glean and other unclassified traffic to hit a rate limited permit policy.
>
> That is the direction we are headed. Seems stoopid though.
>

What's even more annoying is that the damn box KNOWS ITS OWN IPs.

Cisco: how about a built-in, dynamically rebuilt object group for each 
receive adjacency?
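
Added example, not part of the original message or of any Cisco tooling: a sketch of rebuilding the per-device "own IPs" object group from the interface addresses in a saved config, which is the manual workaround the thread describes. The group name COPP-SELF-IPS, the sample config and the exact `object-group ip address` / `host` line syntax are assumptions to check against the platform's software release.

```python
import ipaddress
import re

# Constructed sample config, not taken from any real device.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip address 198.51.100.1 255.255.255.0 secondary
interface Vlan20
 ip address 203.0.113.1 255.255.255.128
interface Vlan30
 no ip address
object-group ip address COPP-SELF-IPS
 host 192.0.2.1
 host 192.0.2.99
"""

ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)(?: secondary)?$")
GROUP = "COPP-SELF-IPS"  # hypothetical group name


def interface_ips(config):
    """Return the set of IPv4 addresses configured on interfaces."""
    found = set()
    for line in config.splitlines():
        m = ADDR_RE.match(line)
        if m:
            found.add(ipaddress.IPv4Address(m.group(1)))
    return found


def group_members(config, group=GROUP):
    """Return host entries currently listed under the object group."""
    members, inside = set(), False
    for line in config.splitlines():
        if not line.startswith(" "):
            inside = line.strip() == f"object-group ip address {group}"
        elif inside and line.startswith(" host "):
            members.add(ipaddress.IPv4Address(line.split()[1]))
    return members


def rebuild_commands(config, group=GROUP):
    """Emit the config lines that bring the group in line with the interfaces."""
    want, have = interface_ips(config), group_members(config, group)
    cmds = [f"object-group ip address {group}"]
    cmds += [f" no host {ip}" for ip in sorted(have - want)]
    cmds += [f" host {ip}" for ip in sorted(want - have)]
    return cmds if len(cmds) > 1 else []
```

An empty result means the group already matches the interfaces, so a scheduled run only pushes changes when an address was added or removed.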

