[c-nsp] 6500 CoPP + IPv6 fragments
Bernhard Schmidt
berni at birkenwald.de
Wed Jun 29 15:09:15 EDT 2011
Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>> I have a few 6500 Sup720/3BXL boxes running various releases of
>> 12.2(33)SXI and SXJ that seem to drop all IPv6 fragments in transit as
>> soon as CoPP is enabled. There are no CoPP drops logged. Even when I
>> remove all police lines from the policy-map the packets still get
>> dropped. As soon as I disable CoPP the packets get through.
>>
>> I know that IPv6 fragments are not well supported in PFC3B, but is this
>> sort of behaviour expected? Are there any workarounds?
>
> What does your CoPP policy look like?
It's longish, I'll cut a few duplicates to make it easier to read.
ip access-list extended CoPP-critical-in
 remark Control plane critical traffic - inbound
 permit ospf 169.254.0.0 0.0.0.255 any ! OSPFv2
 permit tcp 169.254.0.0 0.0.1.255 eq 179 169.254.0.0 0.0.1.255 ! iBGP
 permit tcp 169.254.0.0 0.0.1.255 169.254.0.0 0.0.1.255 eq 179 ! iBGP
 permit tcp 169.254.0.0 0.0.0.255 eq 646 169.254.0.0 0.0.0.255 ! LDP
 permit tcp 169.254.0.0 0.0.0.255 169.254.0.0 0.0.0.255 eq 646 ! LDP
 permit udp any host 224.0.0.2 eq 646 ! LDP
 permit icmp host 169.254.1.36 any echo
 deny ip any any
ip access-list extended CoPP-important-in
 permit ip host 169.254.1.36 any
 permit tcp 169.254.0.0 0.0.1.255 any eq 22
 permit tcp 169.254.0.0 0.0.1.255 any eq 23
 permit udp host 169.254.1.224 eq ntp any
 permit udp host 169.254.1.225 eq ntp any
 permit tcp host 169.254.1.224 eq tacacs any established
 permit tcp host 169.254.1.225 eq tacacs any established
 permit udp 169.254.1.64 0.0.0.7 any eq snmp
 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
 permit udp any eq bootps any eq bootps
 <someeBGPsessions>
 deny ip any any
ip access-list extended CoPP-normal-in
 remark Control plane normal traffic - inbound
 remark ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any parameter-problem
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any
ip access-list extended CoPP-reflexive-in
 remark Control plane traffic due to "reflect" filter statements
 deny ip any any
ip access-list extended CoPP-unwanted-in
 remark Control plane unwanted traffic - inbound
 permit udp any any eq 137 ! NETBIOS Name Service
 permit udp any any eq 631 ! CUPS Browsing
 permit udp any any eq 161
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 deny ip any any
ip access-list extended CoPP-default-in
 remark Control plane default traffic - inbound
 permit ip any any
ipv6 access-list CoPP-critical-in-IPv6
 remark Control plane critical traffic - inbound IPv6
 permit 89 FE80::/32 any ! OSPFv3
 permit tcp 2001:DB8::/64 eq bgp 2001:DB8::/64 ! iBGP
 permit tcp 2001:DB8::/64 2001:DB8::/64 eq bgp ! iBGP
 <someeBGPsessions>
 permit udp FE80::/64 FF02::66/128 eq 2029 ! IPv6 HSRP
 permit udp FE80::/64 FF02::9/128 eq 521 ! RIPng
 deny ipv6 any any
ipv6 access-list CoPP-important-in-IPv6
 remark Control plane important traffic - inbound IPv6
 permit tcp 2001:DB8:0::/48 any eq 23
 permit tcp 2001:DB8:100:3::/64 any eq 23
 deny ipv6 any any
ipv6 access-list CoPP-normal-in-IPv6
 remark Control plane normal traffic - inbound IPv6
 permit icmp any any echo-request ! Ping
 permit icmp any any nd-ns ! Neighbor discovery
 permit icmp any any nd-na ! Neighbor discovery
 deny ipv6 any any
ipv6 access-list CoPP-reflexive-in-IPv6
 remark Control plane normal traffic - inbound IPv6
 deny ipv6 any any
ipv6 access-list CoPP-unwanted-in-IPv6
 remark Control plane unwanted traffic - inbound IPv6
 permit 89 any any ! OSPFv3
 deny ipv6 any any
ipv6 access-list CoPP-default-in-IPv6
 remark Control plane default traffic - inbound IPv6
 permit ipv6 any any
class-map match-any CoPP-critical-in
 description things that should never ever be dropped (e.g. routing protocols)
 match access-group name CoPP-critical-in
 match access-group name CoPP-critical-in-IPv6
class-map match-any CoPP-important-in
 description Important stuff for administration
 match access-group name CoPP-important-in
 match access-group name CoPP-important-in-IPv6
class-map match-any CoPP-reflexive-in
 match access-group name CoPP-reflexive-in
 match access-group name CoPP-reflexive-in-IPv6
class-map match-any CoPP-normal-in
 match access-group name CoPP-normal-in
 match access-group name CoPP-normal-in-IPv6
class-map match-any CoPP-unwanted-in
 match access-group name CoPP-unwanted-in
 match access-group name CoPP-unwanted-in-IPv6
class-map match-any CoPP-arp-in
 match protocol arp
class-map match-any CoPP-default-in
 match access-group name CoPP-default-in
 match access-group name CoPP-default-in-IPv6
policy-map CoPP-in
 class CoPP-critical-in
 class CoPP-important-in
 class CoPP-reflexive-in
 class CoPP-normal-in
  police 128000 16000 16000 conform-action transmit exceed-action drop
 class CoPP-unwanted-in
  police 128000 16000 16000 conform-action drop exceed-action drop
 class CoPP-arp-in
  police 128000 16000 16000 conform-action transmit exceed-action drop
 class CoPP-default-in
  police 128000 16000 16000 conform-action transmit exceed-action drop
I've even tried adding "permit ipv6 any any" to CoPP-critical-in-IPv6 to
effectively disable CoPP for IPv6, but the packets still get dropped.
Bernhard
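To check what the posted policy-map itself would do with an IPv6 fragment, here is an added example (my own model, not code from the thread or from IOS): a small Python classifier over a subset of the IPv6 ACLs and the class order above. It assumes, as a modelling simplification, that a port-qualified ACL entry is skipped for a non-initial fragment because the transport header is not present in that packet; the class and ACL names are the ones in the post, the sample packet is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str                    # upper-layer protocol (Next Header of the Fragment header)
    dport: "int | None" = None    # None: no transport header visible in this packet
    fragment: bool = False        # True: non-initial fragment
# Subset of the posted IPv6 lists as (action, proto, src, dst, dport); proto "ipv6" = any.
ACLS = {
    "CoPP-critical-in-IPv6": [
        ("permit", "89",   "FE80::/32",     "::/0",          None),  # OSPFv3
        ("permit", "tcp",  "2001:DB8::/64", "2001:DB8::/64", 179),   # iBGP
        ("deny",   "ipv6", "::/0",          "::/0",          None)],
    "CoPP-normal-in-IPv6": [
        ("permit", "icmp", "::/0", "::/0", None),
        ("deny",   "ipv6", "::/0", "::/0", None)],
    "CoPP-default-in-IPv6": [("permit", "ipv6", "::/0", "::/0", None)],
}
# policy-map CoPP-in order as (class, ACL, police line); None = class has no policer
POLICY = [("CoPP-critical-in", "CoPP-critical-in-IPv6", None),
          ("CoPP-normal-in",   "CoPP-normal-in-IPv6",   "police 128000 transmit/drop"),
          ("CoPP-default-in",  "CoPP-default-in-IPv6",  "police 128000 transmit/drop")]

def ace_matches(ace, p):
    _, proto, src, dst, dport = ace
    if proto != "ipv6" and proto != p.proto:
        return False
    if ip_address(p.src) not in ip_network(src) or ip_address(p.dst) not in ip_network(dst):
        return False
    # Modelling assumption: a port-qualified entry is skipped for a non-initial fragment.
    return dport is None or (not p.fragment and p.dport == dport)

def acl_permits(acl, p):
    # First match wins; a deny (or falling off the end) means "not this class", not "drop".
    for ace in ACLS[acl]:
        if ace_matches(ace, p):
            return ace[0] == "permit"
    return False

def classify(p, permit_all_in_critical=False):
    # Returns (class, policer) that policy-map CoPP-in applies; classes are tried in order.
    for cls, acl, policer in POLICY:
        if (permit_all_in_critical and cls == "CoPP-critical-in") or acl_permits(acl, p):
            return cls, policer
    return "class-default", None

# Constructed sample: a non-initial TCP fragment between two hosts in 2001:DB8::/64
FRAG = Pkt("2001:DB8::5", "2001:DB8::6", "tcp", dport=None, fragment=True)
```

Under this model the fragment lands in CoPP-default-in (policed, conform transmit) and, with "permit ipv6 any any" added to the critical list, in the unpoliced CoPP-critical-in, so neither version of the policy-map drops it; that is consistent with the observation that removing police lines changes nothing.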