[c-nsp] Sup720 CoPP, limits on CPU performance
Daniel Dib
daniel.dib at reaper.nu
Wed Mar 24 01:29:07 EDT 2010
On 3/24/10 01:33 Dunn, Rodney wrote:
>I didn't want to plug for myself so thanks. ;)...as we are going to
>present the OPSEC WG in about 10 minutes at IETF. ;)
>In this draft we want to raise the awareness of protecting the control
>plane and give a simplistic and minimalistic example. No two deployments
>are the same so it's critical they be tested and constantly evaluated
>for changes needed which is why we kept it somewhat general.
>Rodney
Hi Rodney,
I think it's great that someone is writing a BCP for policing of the
control-plane. I have some questions about the design of the policy. In the
policy you drop everything in class class-default which won't allow IS-IS. I
know you don't run this in your setup but since people might use your policy
maybe you should mention this. I also wonder why you don't rate-limit any
of the other classes. If your IGP or SNMP-server goes berserk it could have
a serious effect on the control-plane of the router. I suppose that you did
not do any tests on the mls rate-limiters? I feel those are the hardest to
come up with good values for. 2 Mbit of ICMP seems like a bit of overkill
but the router can handle it so it's not really a big issue, I usually
divide my ICMP in "trusted" ICMP and untrusted ICMP though.
/Daniel
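The three design points raised above (IS-IS falling into a dropping class-default, unpoliced IGP/SNMP classes, and splitting ICMP by trust) written out as one IOS CoPP policy. This is an added illustration, not the draft's policy or anyone's configuration from the thread; it assumes `match protocol clns_is` is accepted in a class-map on the platform, and the prefixes and rates are placeholders that must be measured per deployment.

```cisco
! Original shape discussed above: IGP and SNMP classes carry no policer, and
! everything else, IS-IS included, lands in a class-default that drops.
! Revised version: IS-IS matched explicitly, every class policed, ICMP split.
! 192.0.2.0/24 stands in for the NMS/management range, 10.0.0.0/8 for the
! IGP neighbour space (both placeholders).
ip access-list extended CoPP-IGP
 permit ospf 10.0.0.0 0.255.255.255 any
 permit eigrp 10.0.0.0 0.255.255.255 any
ip access-list extended CoPP-SNMP
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
ip access-list extended CoPP-ICMP-TRUSTED
 permit icmp 192.0.2.0 0.0.0.255 any
 permit icmp 10.0.0.0 0.255.255.255 any
ip access-list extended CoPP-ICMP-UNTRUSTED
 permit icmp any any
!
class-map match-all CoPP-ISIS
 match protocol clns_is
class-map match-all CoPP-IGP
 match access-group name CoPP-IGP
class-map match-all CoPP-SNMP
 match access-group name CoPP-SNMP
class-map match-all CoPP-ICMP-TRUSTED
 match access-group name CoPP-ICMP-TRUSTED
class-map match-all CoPP-ICMP-UNTRUSTED
 match access-group name CoPP-ICMP-UNTRUSTED
!
! Classes are evaluated top-down, so the trusted ICMP class must sit above
! the catch-all untrusted one. Rates (bps, burst bytes) are placeholders.
policy-map CoPP
 class CoPP-ISIS
  police 1000000 31250 conform-action transmit exceed-action drop
 class CoPP-IGP
  police 1000000 31250 conform-action transmit exceed-action drop
 class CoPP-SNMP
  police 256000 8000 conform-action transmit exceed-action drop
 class CoPP-ICMP-TRUSTED
  police 512000 16000 conform-action transmit exceed-action drop
 class CoPP-ICMP-UNTRUSTED
  police 128000 4000 conform-action transmit exceed-action drop
 class class-default
  police 32000 1000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP
```

Policing class-default at a low rate instead of dropping it keeps unexpected control traffic (such as the ARP gleans mentioned later in the thread) alive while still bounding it; `show policy-map control-plane` exposes per-class conform/exceed counters for tuning the placeholder rates.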
On 3/23/10 4:01 PM, Buhrmaster, Gary wrote:
>> Can there really *BE* a best practices for the 6500 when you either can't
>> configure a drop action in your default, or you risk rate-limiting/dropping
>> ARP gleans?
>
> Well, here is some guidance for CoPP, authored by
> a number of people from Cisco and Juniper:
>
> http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-02
>
> As always, YMWV.
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/