[c-nsp] Sup720 CoPP, limits on CPU performance

Rodney Dunn rodunn at cisco.com
Wed Mar 24 22:31:46 EDT 2010



On 3/24/10 1:29 AM, Daniel Dib wrote:
>
>
> On 3/24/10 01:33 Dunn, Rodney wrote
>
>> I didn't want to plug for myself so thanks. ;)...as we are going to
>> present the OPSEC WG in about 10 minutes at IETF. ;)
>
>> In this draft we want to raise the awareness of protecting the control
>> plane and give a simplistic and minimalistic example. No two deployments
>> are the same so it's critical they be tested and constantly evaluated
>> for changes needed which is why we kept it somewhat general.
>
>> Rodney
>
> Hi Rodney,
>
> I think it's great that someone is writing a BCP for policing of the
> control-plane. I have some questions about the design of the policy. In the
> policy you drop everything in class class-default which won't allow IS-IS. I
> know you don't run this in your setup but since people might use your policy
> maybe you should mention this.

;)..it was a typo on the conform on my part. It's already slated for 
correction in rev -03.


> I also wonder why you don't rate-limit any
> of the other classes. If your IGP or SNMP-server goes berserk it could have
> a serious effect on the control-plane of the router.

The huge challenge we have is we wanted to expose new/mid level 
operators to the concept without losing them in complexity. That's why 
we chose to show the filter on the subnet for a known peer..although we 
all know that could be spoofed, go "berserk" ;). We will have to go 
through some more iterations but we were persistent that we don't want 
to go in to a configuration where someone would think they could just 
cut and paste to the router.


> I suppose that you did
> not do any tests on the mls rate-limiters?

That was too vendor specific for the draft.


> I feel those are the hardest to
> come up with good values for. 2 Mbit of ICMP seems like a bit of overkill,
> but the router can handle it so it's not really a big issue. I usually
> divide my ICMP into "trusted" ICMP and untrusted ICMP though.
>

Good point. It's all in how granular you go.

Rodney


> /Daniel
>
>
>
> On 3/23/10 4:01 PM, Buhrmaster, Gary wrote:
>>> Can there really *BE* a best practices for the 6500 when you either can't
>>> configure a drop action in your default, or you risk
> rate-limiting/dropping
>>> ARP gleans?
>>
>> Well, here is some guidance for CoPP, authored by
>> a number of people from Cisco and Juniper:
>>
>> http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-02
>>
>> As always, YMWV.
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
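As an added illustration of the two points discussed above (a class-default that drops on conform and therefore blocks IS-IS, and splitting ICMP into trusted and untrusted classes), here is a sketch in IOS CoPP syntax. It is not the draft's policy and not anything posted in this thread; the 192.0.2.0/24 management range, the class names and the 2 Mbit/s, 256 kbit/s and 8 kbit/s rates are assumed placeholder values to be replaced with what a given deployment actually measures.

```ios
! Added example, not taken from draft-dugal-opsec-protect-control-plane or this thread.
! Assumed: 192.0.2.0/24 is the operator's trusted management/NOC range; all rates are placeholders.
!
! ICMP from the trusted range gets the generous bucket, everything else a tight one.
ip access-list extended COPP-ICMP-TRUSTED
 permit icmp 192.0.2.0 0.0.0.255 any
ip access-list extended COPP-ICMP-UNTRUSTED
 permit icmp any any
!
class-map match-all COPP-ICMP-TRUSTED
 match access-group name COPP-ICMP-TRUSTED
class-map match-all COPP-ICMP-UNTRUSTED
 match access-group name COPP-ICMP-UNTRUSTED
!
policy-map COPP
 class COPP-ICMP-TRUSTED
  police 2000000 conform-action transmit exceed-action drop
 class COPP-ICMP-UNTRUSTED
  police 256000 conform-action transmit exceed-action drop
 !
 ! IS-IS runs over CLNS, not IP, so none of the IP ACL classes above
 ! match it and it lands in class-default. A "conform-action drop" here
 ! (the typo mentioned in the thread) breaks IS-IS adjacencies. Transmit
 ! on conform instead, and keep the rate low so unclassified traffic
 ! still cannot swamp the route processor.
 class class-default
  police 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

After applying it, watch the per-class conform/exceed counters with `show policy-map control-plane` and confirm IS-IS adjacencies stay up before trusting the numbers.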

