[c-nsp] Sup720 CoPP, limits on CPU performance

Saku Ytti saku at ytti.fi
Wed Mar 24 05:46:24 EDT 2010


On (2010-03-24 09:24 +0000), Dobbins, Roland wrote:

> Of course it's feasible - *far more so* than rACL or CoPP, IMHO.  It's easier to accomplish and apply.

I've seen you arguing this issue with quite a few people now, all of whom run
operational networks of non-trivial size. All of us are running iACL, but
typically we do them only on peering and upstream transit.
For many of us, it is not feasible to do them on every border interface in
the network, and this is why we deploy CoPP.

> It's amazing how folks seem to grossly overestimate the effort required to implement this simple, direct concept.  It isn't hard to do, it requires far less detailed knowledge of the 'to-me' traffic one's routers encounter, and is generalizable across multiple platforms.

I find it less amazing; it is a non-technical debate. Customer provisioning
and core network are politically often very detached, and it would be a
politically very difficult effort for many to get iACL deployed.

> I guess people are so used to messing around with relatively dynamic policy ACLs that they have it fixed in their heads that any ACL is going to be complex and a hassle to maintain.
> 
> Not so with iACLs, given that it's going to be relatively small and also relatively static.

My iACL is about 300 lines; I have no interest in investigating how it'll fit
into the dozens of access L3 devices we have, with 100k's of interfaces, when no
one wants it and there is no proven problem to fix. If it blows up in
my face, it's my fault; if it works, there is no glory, as we have rarely (so far
never) gotten attacks from access customers.
CoPP is low-hanging fruit in this respect.


> > Of course if you are running older linecards, ingress ACL may not have
> > hardware, but is purely in software (E0, E1).
> 
> If one is still running these on one's edges, one has larger problems, heh.

Like ever-decreasing profit margins of pushing IP bytes around? Or actual
low demand for quality by customers? If your customer is doing a lot
crappier network at a slightly better price, your customers are there.

-- 
  ++ytti
