[c-nsp] Sup720 CoPP, limits on CPU performance
Rodney Dunn
rodunn at cisco.com
Thu Mar 25 16:20:08 EDT 2010
On 3/25/10 1:42 PM, Tim Durack wrote:
> On Thu, Mar 25, 2010 at 12:22 PM, Rodney Dunn<rodunn at cisco.com> wrote:
>> Yep...that's it:
>>
>> Release-note
>> ============
>>
>> When a packet is destined to an next hop that doesn't already
>> have an ARP entry, the packet needs to be punted from the hardware
>> datapath up to the CPU. When the glean adjacency rate-limiter is
>> enabled, the egress security ACL (and egress QoS) of the ingress
>> interface is applied on these punted packets.
>>
>> The current workaround is to either relax the egress security ACLs
>> of ports facing PCs/servers (ports facing only routers are not a
>> problem since routing protocols guarantee that ARP entries always
>> exist for routers), or disable the glean adjacency rate-limiter.
>
> But it's fixed, right?
Yes. I didn't realize how long it had been so my memory isn't totally
gone yet. ;)
Rodney
>
> CSCed75920 says:
>
> Fixed-In
> 12.2(17d)SXB1
> 12.2(18)SXD
>
> (I really want to police all ip at the end of my CoPP policy, and the
> mls glean rate-limiter appears to allow me to do that.)
>
More information about the cisco-nsp
mailing list