[c-nsp] Sup720 CoPP, limits on CPU performance
Saku Ytti
saku at ytti.fi
Wed Mar 24 05:03:04 EDT 2010
> > Because on the PFC3B, mls HWRL glean traffic is subject to the
> > outbound ACL of the input interface. If it didn't have this
> > "feature" we would use the glean rate limiter. It's far easier for
> > us to track interface IPs than it is to re-write all of our outbound
> > ACLs to account for inbound glean traffic.
I failed to reproduce this
6500/1 -> 6500/2 -> LAN
6500/1 is sending packet to LAN
6500/2 has CoPP which denies all IP after allowing core addresses (ICMP is not allowed)
6500/2 has glean rate-limiter
6500/2 has an outbound ACL on the inbound interface, that is, an ACL applied to packets sent towards 6500/1
6500/2 is sending ARP WHO HAS towards LAN
6500/1#sh ip cef 10.10.30.42
10.10.30.0/24
nexthop 10.10.20.2 GigabitEthernet1/6
6500/2#show ru int giga1/2 | i address|access
ip address 10.10.20.2 255.255.255.0
ip access-group YTTI-TEST out
6500/2#sh ip cef 10.10.30.42
10.10.30.0/24
attached to GigabitEthernet1/3
6500/1#ping 10.10.30.42
.....
6500/2 observes:
Mar 24 09:46:03.967 CET: IP ARP: creating incomplete entry for IP address: 10.10.30.42 interface GigabitEthernet1/3
CoPP is not allowing anything to 10.0.0.0/8 at all. It only allows 3 networks
and denies everything else, not even allowing ICMP.
Just to be sure, I added the same outbound ACL to GigabitEthernet1/3, no luck.
6500/1#show tcam interface GigabitEthernet1/3 acl out ip
6500/1#show tcam interface GigabitEthernet1/2 acl out ip
both yield:
Entries from Bank 1
deny icmp 10.10.30.0 0.0.0.255 any
deny icmp any 10.10.30.0 0.0.0.255 (15 matches)
permit ip any any
If I remove the mls rate-limiter for glean, sure enough glean stops working. But I
can't reproduce the ACL problem; what am I doing wrong?
Even if it would work, does this really matter?
core -> 6500 -> customer
If glean comes from the core, why would you run an ACL towards the core? Often it would be an MPLS
interface and ACLs won't even work.
From the customer you really wouldn't even see glean typically, as it would be ARP
mostly? I understand that there can be scenarios where the ACL issue might
affect you, but I'd like to argue that if it exists, it won't affect most
people at all.
--
++ytti
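A constructed IOS configuration for the 6500/2 test box described in the post above (an added example, not part of the original message or of any Cisco documentation): the CEF glean rate-limiter, a CoPP policy that permits only core prefixes and drops everything else including ICMP, and the YTTI-TEST outbound ACL on the interface facing 6500/1. The core prefix list, policer rates, glean pps/burst values and the Gi1/3 address are assumptions.

```ios
! Added example: reconstruction of the 6500/2 test setup, values are constructed
!
! Core addresses that CoPP keeps permitting (constructed, the real core list
! is not in the post)
ip access-list extended COPP-CORE
 permit ip 10.10.20.0 0.0.0.255 any
!
! The outbound ACL shown in the post, applied on the interface towards 6500/1
ip access-list extended YTTI-TEST
 deny   icmp 10.10.30.0 0.0.0.255 any
 deny   icmp any 10.10.30.0 0.0.0.255
 permit ip any any
!
class-map match-any COPP-CORE
 match access-group name COPP-CORE
!
! Core class is transmitted; class-default drops everything else, so ICMP
! aimed at the box itself is dropped (policer rates are assumptions)
policy-map COPP
 class COPP-CORE
  police 1000000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
!
! Hardware glean rate-limiter (pps, burst); removing it stops glean, as noted
mls rate-limit unicast cef glean 100 10
!
! Interface towards 6500/1, with the outbound ACL from the post
interface GigabitEthernet1/2
 ip address 10.10.20.2 255.255.255.0
 ip access-group YTTI-TEST out
!
! LAN-facing interface where the ARP WHO-HAS for 10.10.30.42 is sent
! (address is constructed)
interface GigabitEthernet1/3
 ip address 10.10.30.1 255.255.255.0
```

With this in place, a ping from 6500/1 to 10.10.30.42 should still produce the "creating incomplete entry" ARP log on 6500/2 if glean is unaffected by the outbound ACL, which is the outcome the post reports.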