[c-nsp] N7k CoPP versus rate-limiters

Tóth András diosbejgli at gmail.com
Wed Mar 21 16:58:59 EDT 2012


Hi Phil,

Thanks for clarifying what you meant. I understand the documentation
might not be detailed enough. Let me give some further information.

The feature "hardware rate-limiter" is independent from CoPP, but it
complements CoPP in protecting the supervisor CPU from excessive
inbound traffic. The traffic rate allowed by the hardware
rate-limiters is configured globally and applied to each individual
I/O module. The resulting allowed rate depends on the number of I/O
modules in the system. CoPP provides more granular supervisor CPU
protection by utilizing the modular quality-of-service CLI (MQC).


CoPP is evaluated first, then the HW Rate-limiters afterwards. There
are some rate-limiters which can be found both in CoPP and in HW RL.
An example is OSPF control packets. The reason for this is multiple
layers of security and some form of redundancy if CoPP is not enabled.

ip access-list copp-system-p-acl-ospf
    permit ospf any any
class-map type control-plane match-any copp-system-p-class-critical
    match access-group name copp-system-p-acl-ospf

See the following documentation for a few more examples of HW RLs:
http://docwiki.cisco.com/wiki/Cisco_Nexus_7000_Series_NX-OS_Troubleshooting_Guide_--_Troubleshooting_Packet_Flow_Issues


You can also use the following command to see how the RLs are mapped.
With that you can also see what is and what isn't mapped to CoPP. As
it's an internal command, it comes without the need of its output
being customer friendly.

show hardware internal forwarding rate-limiter usage


I hope this helps a bit.

Best regards,
Andras


On Wed, Mar 21, 2012 at 1:13 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 20/03/12 20:53, Tóth András wrote:
>>
>> Hi Phil,
>>
>> There are certain exceptions for packets being forwarded which are not
>> handled by CoPP, these are covered by the HW Rate Limiters.
>
>
> Andras,
>
> Thanks for the response. Unfortunately it didn't tell me anything I didn't
> already know ;o)
>
> In fact, it appears to be largely cut&paste from the NX-OS docs, which I
> have read.
>
> Perhaps I wasn't specific enough in my original email.
>
> I'm looking for comprehensive documentation on what types of packets are
> considered to match the HW rate limiters, what types of packets match CoPP,
> and how the system acts when >1 match occurs.
>
>
> This kind of behaviour is not well documented for Sup720, but if you dig
> through the Cisco site and archives of the list, you can find your info.
>
> It is even LESS well documented for N7k as far as I can tell. The HW RL have
> uninformative names like "layer-3 control" and there is little or no
> documentation about how they interact, other than tantalising hints like:
>
> """
> Layer 3 control, multicast direct-connect, and ARP request packets are
> controlled by the Layer 2 copy rate limiter. The first two types of packets
> are also controlled by Layer 3 rate limiters, and the last two types are
> also subject to control plane policing
> """
>
> For example: which HW rate-limiters does an OSPF packet match, if any? In
> which order do these rate-limiters match, and is it before or after CoPP?
>
> Or, the "receive" HW RL versus CoPP.
>
> Or, the "layer-3 ttl" HW RL versus the "match exception ttl-failure", or
> again for "mtu".
>
> Hope that explains things in more detail.
>
> Cheers,
> Phil


