[c-nsp] All multicast punting to CPU on 6500

Robert Williams Robert at CustodianDC.com
Sun Dec 16 07:20:04 EST 2012


Hi, sorry we crossed over, all policies are now updated as you suggested:

ip access-list extended CoPP-Multicast
 permit ip any 224.0.0.0 15.255.255.255

<the rest are all now "match-any" as well>

policy-map CoPP
  class CoPP-Multicast
   police 32000 4470 4470    conform-action drop     exceed-action drop
  class CoPP-malicious
   police 32000 4470 4470    conform-action transmit     exceed-action drop
  class CoPP-hsrp-vrrp
   police 100000000 5000000 5000000    conform-action transmit     exceed-action drop
  class CoPP-positive-mgmt
   police 100000000 5000000 5000000    conform-action transmit     exceed-action drop
  class CoPP-positive-icmp
   police 256000 50000 50000    conform-action transmit     exceed-action drop
  class CoPP-negative-mgmt
   police 32000 4470 4470    conform-action drop     exceed-action drop
  class CoPP-negative-icmp
   police 32000 4470 4470    conform-action drop     exceed-action drop
  class CoPP-catch-all
   police 64000 4470 4470    conform-action transmit     exceed-action drop
  class class-default
   police 1000000 1000000 1000000    conform-action transmit     exceed-action drop

And the switch shows:

------------------------------------------------------
QOS Results:
A - Aggregate Policing       F - Microflow Policing
M - Mark                     T - Trust
U - Untrust
------------------------------------------------------
    AT     ip any 224.0.0.0 15.255.255.255
    MAU    ip any any fragments
    MAU    icmp any any range 8 65288
    MAU    icmp any any
    MAU    icmp any any range 3 65283
    MAU    icmp any any eq 11
    MAU    tcp 10.1.2.0 0.0.0.255 any established match-any
    MAU    tcp 10.1.2.0 0.0.0.255 any eq 22
    MAU    udp 10.1.2.0 0.0.0.255 any eq snmp
    AT     icmp any any
    AT     udp any eq domain any
    AT     tcp any any eq telnet
    AT     tcp any any eq 22
    AT     udp any any eq snmp
    AT     tcp any any eq ftp
    AT     tcp any any eq ftp-data
    AT     udp any any eq syslog
    MAU    ip any any
    T      ip any any

However, a quick re-test reveals that all the traffic is still hitting the RP CPU as before I'm afraid.

Thanks for the pointer on ARP though - I'll do some cleanup on some other configs later :)

Any other ideas?




Robert Williams
Custodian Data Centre
Email: Robert at CustodianDC.com
http://www.CustodianDC.com


Robert Williams
Backline / Operations Team
Custodian DataCentre
tel: +44 (0)1622 230382
email: Robert at CustodianDC.com
http://www.custodiandc.com/disclaimer.txt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: 16 December 2012 11:51
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] All multicast punting to CPU on 6500

Allow this in CoPP rules

ip access-list extended CoPP-MULTICAST
 permit ip any 224.0.0.0 15.255.255.255

Also 'match-all' is not supported by PFC3, even though Cisco documents use it. But in this config it does not matter, as you don't have many matches.
Only 'match-any' is supported.

You can't match on ARP in CoPP either, not supported.

I would also never use numbered ACLs, only named.

I wonder if the rules are even in hardware, due to the ARP match. You might want to check

show vlan internal  usage | i Control Plane Protection

Check the VLAN number, then:

remote command switch show tcam interface vlan VLAN_NUMBER qos type2 ip

To see what actually is in hardware.
--
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
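The check Saku describes above (find the Control Plane Protection VLAN, then dump the QoS TCAM for it) produces output like the "QOS Results" block Robert pasted. The script below is an added example, not code from either poster: it parses that block and reports, for each ACE you expect from the CoPP ACLs, whether the entry is actually programmed in hardware and whether it carries the "A" (aggregate policer) flag. An entry that is missing, or present without "A", is not being policed by the PFC, which is the situation in which traffic still reaches the RP. The sample output is constructed from the lines shown in the thread; the "permit arp" entry is a hypothetical ACE included only to show the absent case, since the thread notes that CoPP on the PFC3 cannot match ARP.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a "QOS Results" block as printed by
# 'remote command switch show tcam interface vlan <N> qos type2 ip',
# reproduced from the output posted in the thread (subset of lines).
SAMPLE_TCAM_OUTPUT = """\
------------------------------------------------------
QOS Results:
A - Aggregate Policing       F - Microflow Policing
M - Mark                     T - Trust
U - Untrust
------------------------------------------------------
    AT     ip any 224.0.0.0 15.255.255.255
    MAU    ip any any fragments
    MAU    icmp any any range 8 65288
    MAU    icmp any any
    MAU    tcp 10.1.2.0 0.0.0.255 any eq 22
    AT     icmp any any
    AT     udp any eq domain any
    AT     tcp any any eq telnet
    MAU    ip any any
    T      ip any any
"""

# Legend from the command output itself.
FLAG_MEANING = {
    "A": "aggregate policing",
    "F": "microflow policing",
    "M": "mark",
    "T": "trust",
    "U": "untrust",
}

# One TCAM entry: a run of flag letters, then the ACE text.
ENTRY_RE = re.compile(r"^\s*([AFMTU]+)\s+(\S.*?)\s*$")


def parse_tcam_qos(text: str) -> List[Tuple[str, str]]:
    """Return (flags, ace) tuples for every programmed entry, in TCAM order."""
    entries: List[Tuple[str, str]] = []
    in_results = False
    for line in text.splitlines():
        if line.startswith("QOS Results"):
            in_results = True
            continue
        # Skip the rule lines and the legend ("A - Aggregate Policing ...").
        if not in_results or line.startswith("-") or " - " in line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def normalise_ace(ace: str) -> str:
    """Make an ACL line comparable with the TCAM text: drop permit/deny,
    collapse whitespace."""
    words = ace.split()
    if words and words[0] in ("permit", "deny"):
        words = words[1:]
    return " ".join(words)


def first_match(entries: List[Tuple[str, str]], ace: str) -> Optional[str]:
    """Flags of the first TCAM entry equal to this ACE (TCAM is ordered,
    so the first hit is the one that fires), or None if absent."""
    want = normalise_ace(ace)
    for flags, hw_ace in entries:
        if normalise_ace(hw_ace) == want:
            return flags
    return None


def check_copp_in_hardware(tcam_text: str, expected_aces: List[str]) -> Dict[str, dict]:
    """For each expected ACE report presence in hardware and whether an
    aggregate policer ('A') is attached to it."""
    entries = parse_tcam_qos(tcam_text)
    report: Dict[str, dict] = {}
    for ace in expected_aces:
        flags = first_match(entries, ace)
        report[ace] = {
            "in_hardware": flags is not None,
            "policed": flags is not None and "A" in flags,
            "flags": [FLAG_MEANING[f] for f in flags] if flags else [],
        }
    return report


if __name__ == "__main__":
    expected = [
        "permit ip any 224.0.0.0 15.255.255.255",  # CoPP-Multicast from the thread
        "permit tcp any any eq telnet",
        "permit arp",  # hypothetical: not programmable by CoPP on PFC3
    ]
    for ace, res in check_copp_in_hardware(SAMPLE_TCAM_OUTPUT, expected).items():
        state = "policed" if res["policed"] else ("in TCAM, no policer" if res["in_hardware"] else "NOT IN HARDWARE")
        print(f"{ace:45s} {state:22s} {', '.join(res['flags'])}")
```

Run it against the real output by replacing SAMPLE_TCAM_OUTPUT with the text captured from the switch; any CoPP ACE reported as "NOT IN HARDWARE" or "in TCAM, no policer" is a class the PFC is not enforcing, regardless of what the policy-map says.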