[c-nsp] Sup720 CoPP, limits on CPU performance

Gert Doering gert at greenie.muc.de
Thu Mar 25 03:59:01 EDT 2010


Hi,

On Wed, Mar 24, 2010 at 10:52:13PM -0400, Rodney Dunn wrote:
> >What I want, as a router admin, is an easy way to tell the box "drop /
> >rate-limit all packets to all IP addresses configured on this box" - 
> >without
> >adverse effects on transit packets etc.
> 
> You want that on a per interface basis. Or a default for all with the 
> ability to "unapply" for say the uplinks?
>
> Think passive interface default followed by non-passive for the core side.

Mmmh, it's not so straightforward.

What we see (and what our customers complain about if it breaks) is:

 - customer pings its customer-facing IP address (v4+v6!)
 - ARP, of course
 - ICMPv6 ND etc.

so this is something that needs to work on customer-facing interfaces, with
some amount of rate-limiting ("customer can ping with 100 kbit/s, but no
more").  One interesting side-effect currently is that if customer "A"
fills the ICMP-ping-untrusted CoPP limit, customer "B" starts complaining
because they see ping packets to their interface get dropped...


On the backbone-facing interfaces, more traffic is needed (IGPs, LDP, BGP,
NMS ping to all customer- and backbone-facing IP addresses, etc.)

> We program a /32 fib receive entry for each ip address connected. I 
> don't see why we couldn't have a switch to point them all to a drop 
> adjacency if you want to blackhole all of it.

That's simple enough, but I don't think it would be satisfactory :-)

The idea of having an "interface default" (very restrictive set of rules)
and a "no passive-interface" thing is appealing, but having all /32s
"just dropped" will be too inflexible in practice.

> If that's what you want..wanna help me push for it? ;)

If we can refine that a bit more, happy to do so.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
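As an added illustration of the side-effect described above (one shared CoPP class for untrusted ICMP, so one customer filling it causes drops for every other customer), here is a constructed token-bucket model; it is not code from the thread or from IOS, and the rates, bucket depth and traffic pattern are assumptions chosen for the demonstration. The same offered load is run once through a single shared policer and once through one policer per customer interface.

```python
"""Constructed token-bucket model of the CoPP behaviour discussed in the thread:
one shared ICMP policer for every customer interface versus one per interface."""
from collections import defaultdict


class Policer:
    """Single-rate token bucket: refilled at `rate` tokens/s, capped at `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def conform(self, now):
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(offered_pps, rate, burst, shared, seconds=2):
    """Offer evenly spaced pings from each source (constructed traffic) and return
    {source: (sent, dropped)} for one shared policer or one policer per source."""
    per_source = defaultdict(lambda: Policer(rate, burst))
    shared_policer = Policer(rate, burst)
    stats = {src: [0, 0] for src in offered_pps}
    arrivals = sorted((i / pps, src) for src, pps in offered_pps.items()
                      for i in range(int(pps * seconds)))
    for now, src in arrivals:
        policer = shared_policer if shared else per_source[src]
        stats[src][0] += 1
        if not policer.conform(now):
            stats[src][1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


# Assumed traffic: customer A floods at 1000 pps, customer B sends a normal 10 pps probe.
OFFERED = {"A": 1000, "B": 10}
SHARED = simulate(OFFERED, rate=100, burst=10, shared=True)
PER_INTERFACE = simulate(OFFERED, rate=100, burst=10, shared=False)

if __name__ == "__main__":
    for label, result in (("shared policer", SHARED), ("per-interface policers", PER_INTERFACE)):
        print(label)
        for src, (sent, dropped) in result.items():
            print(f"  customer {src}: sent {sent}, dropped {dropped}")
```

With the shared policer, B's probes are dropped almost entirely because A keeps the bucket empty; with per-interface policers, A is still held to the same rate and B loses nothing.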