[c-nsp] 6500 CoPP + IPv6 fragments

Bernhard Schmidt berni at birkenwald.de
Wed Jun 29 15:31:36 EDT 2011


Grzegorz Janoszka <Grzegorz at Janoszka.pl> wrote:
> On 29-06-11 17:04, Bernhard Schmidt wrote:
>> I have a few 6500 Sup720/3BXL boxes running various releases of
>> 12.2(33)SXI and SXJ that seem to drop all IPv6 fragments in transit as
>> soon as CoPP is enabled. There are no CoPP drops logged. Even when I
>> remove all police lines from the policy-map the packets still get
>> dropped. As soon as I disable CoPP the packets get through.
> We have had the same issue for the last ~week, however our v6 copp has been
> quite good for the last couple of months. We also saw transit traffic being
> dropped. Had to remove the default copp class-map to get things working.

Is your CoPP similarly structured to mine?

> When did you install v6 copp? Have you had the issue since the very
> beginning or just recently?

I have been running this or a similar configuration in two networks for
... uh ...  several years I think. One of them is quiet regarding IPv6
traffic, but the other one has a few thousand heavy IPv6 users in it. I
only noticed it because

a) Netalyzr (http://netalyzr.icsi.berkeley.edu/) complains about
fragments being dropped
b) I started using DNSSEC-signed SSHFP DNS records by default with an
IPv6 DNS resolver, where the response is >1500 bytes and thus fragmented

I'm not aware of any other impact, ever.

Bernhard


