[c-nsp] Sup720 CoPP, limits on CPU performance

Dobbins, Roland rdobbins at arbor.net
Wed Mar 24 06:15:29 EDT 2010


On Mar 24, 2010, at 4:46 PM, Saku Ytti wrote:

> I've seen you arguing this issue to quite a few people now, all of whom run
> operational networks of non-trivial size.


And I've implemented it on operational networks of non-trivial size for which I myself was responsible, as well as having worked with others responsible for networks of non-trivial size to implement it.

So, having implemented iACLs myself and helped others do so, I fail to see why they seem so scary to some folks, heh.

> For many of us, it is not feasible to do them on every border interface in
> the network, and this is why we deploy CoPP.

Why isn't it feasible, when it's feasible on the peering/transit edge?

> I find it less amazing; it is a non-technical debate. Customer provisioning
> and the core network are politically often very detached, and it would be a
> politically very difficult effort for many to get an iACL deployed.

Because different groups own the routers?

The groups owning the customer edge routers don't want to protect themselves?

But you indicated that those same customer edge routers can be configured w/CoPP.  Why is this somehow considered easier to accomplish than getting an iACL with 'permit ip any any' at the end of it deployed on the customer edge interfaces?

> My iACL is about 300 lines. I have no interest in investigating how it'll fit
> on the dozens of access L3 devices we have, with 100k's of interfaces, when no
> one wants it and there is no proven problem to fix.

300 lines is nothing, it'll fit just fine on any modern router with LCs which support ACLs in hardware, as long as it's properly constructed.

> If it blows up in my face, it's my fault; if it works there is no glory, as we have rarely (so far never) gotten attacks from access customers.

How exactly would it blow up in your face?

How exactly is CoPP *not* viewed as having the potential to blow up in your face, especially as it's far more complex to configure than iACLs?

> CoPP is low hanging fruit in this respect.

It seems to me that as you seemed to imply above, there's not actually a technical barrier to iACL deployment, but rather that folks seem to be scared of ACLs, for some reason.  Why do ACLs raise hackles (pardon the pun, heh), whilst CoPP, a much more complex, much less commonly-deployed-and-understood mechanism, seems to evoke no comment?

Is it because some folks are simply unduly hyper-sensitive to ACL deployments based upon poor ACL construction practices resulting in outages in the past?  Is it because folks falsely believe that CoPP can't have a negative impact on data-plane traffic, if improperly deployed?

Of course, misapplying CoPP can cause outages, and can also prove far more difficult to troubleshoot and diagnose than iACLs.

> Like ever-decreasing profit margins of pushing IP bytes around? Or actual low demand for quality by customers? If your competitor is doing a lot crappier network with a slightly better price, your customers are there.

Like, there's simply no way to defend an edge consisting of these old, obsolete linecards which should've been replaced many years ago.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
