[c-nsp] Sup720 CoPP, limits on CPU performance

Saku Ytti saku at ytti.fi
Wed Mar 24 05:03:04 EDT 2010


> > Because on the PFC3B, mls HWRL glean traffic is subject to the
> > outbound ACL of the input interface.  If it didn't have this
> > "feature" we would use the glean rate limiter.  It's far easier for
> > us to track interface IPs than it is to re-write all of our outbound
> > ACLs to account for inbound glean traffic.

I failed to reproduce this.

6500/1 -> 6500/2 -> LAN

6500/1 is sending packet to LAN
6500/2 has CoPP which denies all IP after allowing core addresses (ICMP is not allowed)
6500/2 has glean rate-limiter
6500/2 has an outbound ACL on the inbound interface, that is, an ACL applied to packets sent towards 6500/1
6500/2 is sending ARP WHO HAS towards LAN
6500/1#sh ip cef 10.10.30.42
10.10.30.0/24
  nexthop 10.10.20.2 GigabitEthernet1/6

6500/2#show ru int giga1/2 | i address|access
 ip address 10.10.20.2 255.255.255.0
 ip access-group YTTI-TEST out

6500/2#sh ip cef 10.10.30.42
10.10.30.0/24
  attached to GigabitEthernet1/3

6500/1#ping 10.10.30.42
.....

6500/2 observes:
Mar 24 09:46:03.967 CET: IP ARP: creating incomplete entry for IP address: 10.10.30.42 interface GigabitEthernet1/3


CoPP is not allowing anything to 10.0.0.0/8 at all. It only allows 3 networks
and denies everything else, not even allowing ICMP.
Just to be sure, I added the same outbound ACL to GigabitEthernet1/3; no luck.

6500/1#show tcam interface GigabitEthernet1/3 acl out ip
6500/1#show tcam interface GigabitEthernet1/2 acl out ip
both yield:
Entries from Bank 1
    deny         icmp 10.10.30.0 0.0.0.255 any
    deny         icmp any 10.10.30.0 0.0.0.255 (15 matches)
    permit       ip any any


If I remove the mls rate-limiter for glean, sure enough glean stops working. But I
can't reproduce the ACL problem; what am I doing wrong?
Even if it did work, does this really matter?
core -> 6500 -> customer

If glean comes from the core, why would you run an ACL towards the core? Often it would be an MPLS
interface and ACLs won't even work there.
From the customer side you typically wouldn't even see glean, as it would mostly be
ARP? I understand that there can be scenarios where the ACL issue might
affect you, but I'd like to argue that if it exists, it won't affect most
people at all.


-- 
  ++ytti