[c-nsp] All multicast punting to CPU on 6500

Robert Williams Robert at CustodianDC.com
Sun Dec 16 05:59:23 EST 2012 

Hi there,

Thanks for getting back to me, I'm afraid I'm not quite following you - so to try to answer your question here is a copy of the current CoPP on the test device.

This is just a test set we use, not the production one, however, the problem is present even with this cut-down set:

access-list 111 permit icmp any any fragments
access-list 111 permit udp any any fragments
access-list 111 permit tcp any any fragments
access-list 111 permit ip any any fragments

access-list 112 permit tcp 10.1.2.0 0.0.0.255 any eq 22
access-list 112 permit udp 10.1.2.0 0.0.0.255 any eq snmp
access-list 112 permit tcp 10.1.2.0 0.0.0.255 any established

access-list 113 permit tcp any any eq telnet
access-list 113 permit tcp any any eq 22
access-list 113 permit udp any any eq snmp
access-list 113 permit tcp any any eq ftp
access-list 113 permit tcp any any eq ftp-data
access-list 113 permit udp any any eq syslog

access-list 114 permit ip any host 224.0.0.2
access-list 114 permit ip any host 224.0.0.18
access-list 114 permit ip any host 224.0.0.102

access-list 115 permit icmp any any echo
access-list 115 permit icmp any any echo-reply
access-list 115 permit icmp any any ttl-exceeded
access-list 115 permit icmp any any packet-too-big
access-list 115 permit icmp any any port-unreachable
access-list 115 permit icmp any any unreachable

access-list 116 permit icmp any any

access-list 117 permit igmp any any

access-list 118 permit tcp any any
access-list 118 permit udp any any
access-list 118 permit icmp any any
access-list 118 permit ip any any

class-map match-all CoPP-malicious
  match access-group 111
class-map match-all CoPP-positive-mgmt
  match access-group 112
class-map match-all CoPP-negative-mgmt
  match access-group 113
class-map match-all CoPP-hsrp-vrrp
  match access-group 114
class-map match-all CoPP-positive-icmp
  match access-group 115
class-map match-all CoPP-negative-icmp
  match access-group 116
class-map match-all CoPP-other
  match access-group 117
class-map match-all CoPP-catch-all
  match access-group 118
class-map match-all CoPP-arp
  match protocol arp

policy-map CoPP
  class CoPP-malicious
   police 32000 4470 4470    conform-action drop     exceed-action drop
  class CoPP-hsrp-vrrp
   police 256000 50000 50000    conform-action transmit     exceed-action drop
  class CoPP-positive-mgmt
   police 256000 50000 50000    conform-action transmit     exceed-action drop
  class CoPP-positive-icmp
   police 256000 50000 50000    conform-action transmit     exceed-action drop
  class CoPP-negative-mgmt
   police 32000 4470 4470    conform-action drop     exceed-action drop
  class CoPP-negative-icmp
   police 32000 4470 4470    conform-action drop     exceed-action drop
  class CoPP-arp
   police 256000 50000 50000    conform-action transmit     exceed-action drop
  class CoPP-catch-all
   police 64000 4470 4470    conform-action drop     exceed-action drop
  class class-default
   police 1000000 1000000 1000000    conform-action transmit     exceed-action drop

Very sorry I can't directly answer your question but hopefully the above has the info you are asking about?

Many thanks!




Robert Williams
Custodian Data Centre
Email: Robert at CustodianDC.com
http://www.CustodianDC.com


Robert Williams
Backline / Operations Team
Custodian DataCentre
tel: +44 (0)1622 230382
email: Robert at CustodianDC.com
http://www.custodiandc.com/disclaimer.txt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: 16 December 2012 10:31
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] All multicast punting to CPU on 6500

On (2012-12-16 09:31 +0000), Robert Williams wrote:

> The 6500 has a pretty substantial CoPP on it, matching every required protocol separately and ending with a catch-all (match ip any any) which denies anything else. None of the counters on the CoPP are incrementing for this traffic, which I believe is due to it being multicast and thus not supported by CoPP.

Do you allow all mcast in CoPP? HW CoPP does not support mcast so it's punted, if your software CoPP does not allow mcast it's dropped, which means hardware shortcuts can't be programmed.

--
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list