[c-nsp] Sup720 CoPP, limits on CPU performance

Rodney Dunn rodunn at cisco.com
Wed Mar 24 22:52:13 EDT 2010



On 3/24/10 5:28 AM, Gert Doering wrote:
> Hi,
>
> On Wed, Mar 24, 2010 at 09:55:40AM +0200, Saku Ytti wrote:
>> On (2010-03-23 21:55 +0100), Gert Doering wrote:
>>
>>> "receive ACL" comes to mind.
>>>
>>> I've never understood why this is not available in all platforms.
>>
>> 6500 CoPP is superior to GSR rACL, rACL is done in LC CPU, punt path to LC
>> CPU is already easily dossable and LC CPU performance pukes out rather
>> easily. There is no way to make IOS GSR undossable, while with 6500 you can
>> make it undossable, as long as attacker is not in L2.
>
> That's implementation details.
>
> What I want, as a router admin, is an easy way to tell the box "drop /
> rate-limit all packets to all IP addresses configured on this box" - without
> adverse effects on transit packets etc.

You want that on a per-interface basis. Or a default for all with the 
ability to "unapply" for say the uplinks?

Think passive interface default followed by non-passive for the core side.

We program a /32 fib receive entry for each ip address connected. I 
don't see why we couldn't have a switch to point them all to a drop 
adjacency if you want to blackhole all of it.

If that's what you want... wanna help me push for it? ;)


Rodney


>
> The nice thing about receive ACLs is that it automagically applies itself
> only to, well, "receive traffic".
>
> How a specific hardware maps this to the available hardware ACLs, hardware
> rate-limiting machinery, etc., is something Cisco needs to make work in an
> optimal way (and it will not work as well on all platforms) - but the key
> thing is that the admin does not have to enumerate all the boxes' IP
> addresses if the box already knows what its IP addresses are...
>
> (So in general, I agree with you, I just want a more fool-proof way to
> configure CoPP-drop-default in a way that has no surprising side-effects)
>
> gert
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
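The thread's complaint is that an admin has to enumerate every address the box owns before a CoPP "drop / rate-limit everything addressed to me" class can be built, while the box already knows those addresses (it installs a /32 receive entry for each). The following is an added example, not code from the thread or from Cisco: a Python script that parses a running-config excerpt, collects every primary and secondary IPv4 interface address, and emits an IOS-style ACL, class-map, policy-map and control-plane service-policy that police traffic addressed to those hosts. The `exempt_interfaces` argument is the "unapply for the uplinks" idea from Rodney's passive-interface-default analogy: addresses on the listed interfaces are left out of the policed class. The sample config, the names `receive_addresses`, `copp_config`, `COPP-RECEIVE`, `COPP`, and the 1 Mbit/s rate are all constructed for illustration; the emitted syntax is generic IOS CoPP syntax and is not a claim about what the Sup720 hardware does with it.

```python
import re
import ipaddress

# Constructed sample running-config excerpt; not taken from the thread.
SAMPLE_CONFIG = """\
hostname edge1
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet1/1
 description core uplink
 ip address 198.51.100.2 255.255.255.252
 ip address 198.51.100.6 255.255.255.252 secondary
!
interface Vlan100
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet1/2
 no ip address
 shutdown
!
"""

_IFACE_RE = re.compile(r"^interface (\S+)\s*$")
# Matches " ip address A.B.C.D M.M.M.M [secondary]"; " no ip address" does not match.
_ADDR_RE = re.compile(
    r"^\s+ip address (\d{1,3}(?:\.\d{1,3}){3}) (\d{1,3}(?:\.\d{1,3}){3})(?: secondary)?\s*$"
)


def receive_addresses(config):
    """Return [(interface, ipv4)] for every address the box would install a
    /32 receive entry for: primary and secondary addresses on any interface."""
    found = []
    iface = None
    for line in config.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        if not line.startswith(" "):
            iface = None          # left the interface stanza
            continue
        m = _ADDR_RE.match(line)
        if m and iface:
            addr, mask = m.group(1), m.group(2)
            ipaddress.IPv4Interface(f"{addr}/{mask}")   # raises on a bogus address/mask
            if (iface, addr) not in found:
                found.append((iface, addr))
    return found


def copp_config(config, acl_name="COPP-RECEIVE", policy_name="COPP",
                rate_bps=1_000_000, exempt_interfaces=()):
    """Emit IOS-style CoPP configuration that polices traffic addressed to
    every address on the box, except addresses on `exempt_interfaces`
    (e.g. core uplinks that must keep peering with the routing protocols).
    Names, rate and structure are assumptions for this example."""
    lines = [f"ip access-list extended {acl_name}",
             " remark traffic addressed to this box (generated from running-config)"]
    for iface, addr in receive_addresses(config):
        if iface in exempt_interfaces:
            continue
        lines.append(f" permit ip any host {addr}")
    lines += [
        "!",
        f"class-map match-all {acl_name}",
        f" match access-group name {acl_name}",
        "!",
        f"policy-map {policy_name}",
        f" class {acl_name}",
        f"  police {rate_bps} conform-action transmit exceed-action drop",
        "!",
        "control-plane",
        f" service-policy input {policy_name}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(copp_config(SAMPLE_CONFIG, exempt_interfaces=("GigabitEthernet1/1",)))
```

Run against a real running-config, the generated class is only the catch-all for "traffic to my own addresses": in a deployable policy it belongs after classes that pick out routing-protocol peers and management sources, otherwise the policer throttles BGP and OSPF together with the scan traffic it was meant to stop. Re-run the generator whenever an address is added, since, as the thread points out, nothing on the box does this automatically.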

