[c-nsp] Sup720 CoPP, limits on CPU performance

Phil Mayers p.mayers at imperial.ac.uk
Tue Mar 23 09:32:47 EDT 2010


On 23/03/10 13:17, Saku Ytti wrote:
> On (2010-03-23 08:56 -0400), Chris Griffin wrote:
>
>> The testing I did was about a year ago, but as I recall, with our
>> default deny any policy, traffic to hosts with no current ARP
>> adjacency would fail.  As soon as the glean rate limiter was
>> enabled, traffic started to flow normally.  Further testing
>> demonstrated the limitation with ACL behavior and due to our heavy use
>> of outbound ACLs, we elected to track each interface IP in an object
>> group and apply heavy deny policies to those bits while allowing
>> glean and other unclassified traffic to hit a rate limited permit
>> policy.
>
> If the glean rate-limiter bypasses software CoPP, as it seems to do, why
> would you opt not to use it? Do you want to give priority to some glean
> traffic to avoid a possible DoS scenario where legit hosts can't be gleaned
> due to attack?
>

I was told explicitly by Cisco not to use the glean rate limiter, as 
there are apparently non-trivial and non-obvious issues with it. I'll 
have to dig out the emails to remember why.
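The structure Chris Griffin describes (interface IPs collected in an object group, heavy deny policing for traffic aimed at those addresses, and a rate-limited permit for glean and other unclassified punts) as an added IOS configuration sketch. This is not configuration from the thread or from Cisco; the names (ROUTER-IPS, COPP-*), addresses and policer rates are assumptions, object-group ACLs require a release that supports them, and the glean rate limiter at the end is the one Phil's reply above says Cisco advised against.

```cisco
! Added illustration, not configuration posted in the thread.
! All names, addresses and rates are assumed values for the example.

! 1. Every interface IP of the box, tracked in one object group.
object-group network ROUTER-IPS
 host 192.0.2.1
 host 198.51.100.1

! 2. Traffic addressed to the router itself: permit only the protocols
!    actually run here (policed), and drop everything else to those IPs hard.
ip access-list extended ACL-ROUTER-PERMIT
 permit tcp host 192.0.2.50 object-group ROUTER-IPS eq 22
 permit tcp any object-group ROUTER-IPS eq bgp
 permit ospf any any
ip access-list extended ACL-ROUTER-DENY
 permit ip any object-group ROUTER-IPS

class-map match-all CM-ROUTER-PERMIT
 match access-group name ACL-ROUTER-PERMIT
class-map match-all CM-ROUTER-DENY
 match access-group name ACL-ROUTER-DENY

! 3. class-default catches the unclassified punts, including glean
!    (packets for a next hop with no ARP entry), with a rate-limited permit
!    instead of a default deny, so hosts can still be gleaned.
policy-map COPP
 class CM-ROUTER-PERMIT
  police 1000000 31250 conform-action transmit exceed-action drop
 class CM-ROUTER-DENY
  police 32000 1500 conform-action drop exceed-action drop
 class class-default
  police 500000 15625 conform-action transmit exceed-action drop

control-plane
 service-policy input COPP

! Hardware glean rate limiter (pps, burst) that Chris enabled; Phil's reply
! above reports Cisco advising against it.
mls rate-limit unicast cef glean 100 10
```

The ordering matters for the thread's point: if the deny class were the only thing between a default-deny CoPP and the CPU, glean packets for hosts without an ARP adjacency would never reach the software path, which is the failure Chris observed.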

