[c-nsp] Sup720 CoPP, limits on CPU performance
Phil Mayers
p.mayers at imperial.ac.uk
Thu Mar 25 04:34:59 EDT 2010
On 03/25/2010 02:49 AM, Rodney Dunn wrote:
> Explain the glean to me again?
Summarising, for myself more than anything, I think what we discovered,
some of which was new knowledge for me (and to me, the interesting bit
of the thread), was:
On 6500/sup720, with the "mls glean" rate-limiter disabled, packets
which are gleaned are subject to the CoPP policy. This makes putting a
default deny against an "ip any any" ACL virtually impossible. You
really need to have an ACL containing every IP on the box, and I contend
some automation for IOS to build this for you (preferably in the form of
an object-group) is desirable in the general case, not just CoPP.
With the "mls glean" rate-limiter enabled, packets for glean are no
longer seen by CoPP. However, in some versions of the -3B, these packets
are then processed against the output ACL of the input interface, which
is obviously tedious and highly counter-intuitive, and a potential
non-starter for some people, leading back in the direction of CoPP (see
above!)
It would be *great* to know exactly which hardware versions of the -3B
suffer from that problem and in what circumstances.
For those running 6500s and participating in the thread, does this seem
right?
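As an added illustration of the "ACL containing every IP on the box" automation argued for above (example code, not from the post or from Cisco), this builds such an ACL from constructed `show ip interface brief` output and wraps it in a skeletal CoPP policy. The class, policy and ACL names and the police rates are assumptions; the point of the layout is that the "default deny" is scoped to the box's own addresses, while class-default, where glean punts land with the rate-limiter off, is left permitting.

```python
"""Build the 'every IP on the box' ACL that CoPP needs when glean packets are
subject to the policy, from 'show ip interface brief' output, and emit a
CoPP skeleton around it. Added example; all sample data is constructed."""
import re

# Constructed sample in the layout of 'show ip interface brief'.
SAMPLE_SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan10                 10.1.10.1       YES NVRAM  up                    up
Loopback0              192.0.2.1       YES NVRAM  up                    up
GigabitEthernet1/1     198.51.100.5    YES manual up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
Tunnel0                192.0.2.1       YES unset  up                    up
"""

# One interface line: name, then a dotted-quad address ('unassigned' is skipped).
_IFACE_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s", re.MULTILINE)


def own_addresses(show_output):
    """Addresses configured on the box, de-duplicated, in interface order."""
    addrs = []
    for _iface, addr in _IFACE_LINE.findall(show_output):
        if addr not in addrs:
            addrs.append(addr)
    return addrs


def copp_acl(addresses, name="COPP-TO-ME"):
    """Extended ACL matching traffic destined to any of the box's own addresses."""
    lines = ["ip access-list extended %s" % name]
    lines += [" permit ip any host %s" % a for a in addresses]
    return "\n".join(lines)


def copp_config(addresses, acl="COPP-TO-ME", policy="COPP"):
    """ACL + class-map + policy-map skeleton; rates are placeholder assumptions."""
    return "\n".join([
        copp_acl(addresses, acl),
        "class-map match-all %s" % acl,
        " match access-group name %s" % acl,
        "policy-map %s" % policy,
        " ! routing/management classes you want to permit go above this one",
        " class %s" % acl,                       # the 'default deny', scoped to box IPs
        "  police 32000 1500 conform-action drop exceed-action drop",
        " class class-default",                  # glean punts land here: must transmit
        "  police 1000000 8000 conform-action transmit exceed-action drop",
        "control-plane",
        " service-policy input %s" % policy,
    ])


if __name__ == "__main__":
    print(copp_config(own_addresses(SAMPLE_SHOW_IP_INT_BRIEF)))
```

Run it against real `show ip interface brief` output (secondary addresses and HSRP/VRRP virtual addresses are not in that output and would need adding by hand) and review the generated rates before applying them.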