[c-nsp] Sup720 CoPP, limits on CPU performance
Gert Doering
gert at greenie.muc.de
Wed Mar 24 05:28:57 EDT 2010
Hi,
On Wed, Mar 24, 2010 at 09:55:40AM +0200, Saku Ytti wrote:
> On (2010-03-23 21:55 +0100), Gert Doering wrote:
>
> > "receive ACL" comes to mind.
> >
> > I've never understood why this is not available in all platforms.
>
> 6500 CoPP is superior to GSR rACL, rACL is done in LC CPU, punt path to LC
> CPU is already easily dossable and LC CPU performance pukes out rather
> easily. There is no way to make IOS GSR undossable, while with 6500 you can
> make it undossable, as long as attacker is not in L2.
Those are implementation details.
What I want, as a router admin, is an easy way to tell the box "drop /
rate-limit all packets to all IP addresses configured on this box" - without
adverse effects on transit packets etc.
The nice thing about receive ACLs is that they automagically apply themselves
only to, well, "receive traffic".
How a specific hardware platform maps this to the available hardware ACLs, hardware
rate-limiting machinery, etc., is something Cisco needs to make work in an
optimal way (and it will not work as well on all platforms) - but the key
thing is that the admin does not have to enumerate all the box's IP
addresses if the box already knows what its IP addresses are...
(So in general, I agree with you, I just want a more fool-proof way to
configure CoPP-drop-default in a way that has no surprising side-effects.)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
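For readers following the rACL-versus-CoPP argument above, here is an added illustration (not part of the thread, and not a recommended production policy) contrasting the two configuration styles. All addresses, ACL numbers, class/policy names and rates are constructed placeholders.

```text
! ---- (a) GSR-style receive ACL: the router applies this only to packets
!      addressed to its own interfaces, so the destination is simply "any".
!      192.0.2.0/24 stands in for a trusted NOC range (constructed).
access-list 150 permit tcp 192.0.2.0 0.0.0.255 any eq 22
access-list 150 permit tcp any any eq bgp
access-list 150 permit tcp any eq bgp any
access-list 150 permit icmp any any echo
access-list 150 permit icmp any any echo-reply
access-list 150 deny   ip any any
!
ip receive access-list 150

! ---- (b) 6500/Sup720-style CoPP: the policy classifies punted traffic by ACL,
!      so to single out "packets to this box" the admin must list every
!      address the box owns (198.51.100.x, constructed) and keep the list in
!      step with interface changes. This is the enumeration Gert objects to.
access-list 151 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
access-list 151 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.5 eq 22
access-list 151 permit tcp any host 198.51.100.1 eq bgp
access-list 151 permit tcp any eq bgp host 198.51.100.1
access-list 151 permit icmp any host 198.51.100.1 echo
access-list 151 permit icmp any host 198.51.100.5 echo
!
class-map match-all COPP-TO-SELF-PERMITTED
 match access-group 151
!
policy-map COPP
 class COPP-TO-SELF-PERMITTED
  ! allow the expected management/control traffic up to a modest rate
  police 512000 conform-action transmit exceed-action drop
 class class-default
  ! everything else punted to the RP is rate-limited hard (placeholder rate)
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

The rACL case needs no knowledge of the box's addresses because the platform applies the list only to receive-path traffic; the CoPP case reproduces the same intent only as long as ACL 151 is updated whenever a loopback or interface address is added.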