[c-nsp] N7k CoPP versus rate-limiters

Tóth András diosbejgli at gmail.com
Wed Mar 21 17:16:58 EDT 2012


Hi Phil,

Sorry, my previous email deserves some clarification as it was a bit
confusing after I read it again.

OSPF packets sent to 224.0.0/24 will go through L3-control RL and not
CoPP. However, OSPF packets sent unicast will go through CoPP and not
L3-control RL.

There are only a few packets, such as DHCP and ARP, which go through
both CoPP and rate-limiter.

There are some packets which CoPP cannot catch, and those need to be
rate-limited, and that is why there are rate-limiters.

As mentioned, you can use the "show hardware internal forwarding
rate-limiter usage" command to check what is handled by CoPP and what
is handled by rate-limiter, and what by both.

Best regards,
Andras


On Wed, Mar 21, 2012 at 9:58 PM, Tóth András <diosbejgli at gmail.com> wrote:
> Hi Phil,
>
> Thanks for clarifying what you meant. I understand the documentation
> might not be detailed enough. Let me give some further information.
>
> The feature "hardware rate-limiter" is independent from CoPP, but it
> complements CoPP in protecting the supervisor CPU from excessive
> inbound traffic. The traffic rate allowed by the hardware
> rate-limiters is configured globally and applied to each individual
> I/O module. The resulting allowed rate depends on the number of I/O
> modules in the system. CoPP provides more granular supervisor CPU
> protection by utilizing the modular quality-of-service CLI (MQC).
>
>
> CoPP is evaluated first, then the HW Rate-limiters afterwards. There
> are some rate-limiters which can be found both in CoPP and in HW RL.
> An example is OSPF control packets. The reason for this is multiple
> layers of security and some form of redundancy if CoPP is not enabled.
>
> ip access-list copp-system-p-acl-ospf
>    permit ospf any any
> class-map type control-plane match-any copp-system-p-class-critical
>    match access-group name copp-system-p-acl-ospf
>
> See the following documentation for a few more examples of HW RLs:
> http://docwiki.cisco.com/wiki/Cisco_Nexus_7000_Series_NX-OS_Troubleshooting_Guide_--_Troubleshooting_Packet_Flow_Issues
>
>
> You can also use the following command to see how the RLs are mapped.
> With that you can also see what is and what isn't mapped to CoPP. As
> it's an internal command, it comes without the need of its output
> being customer friendly.
>
> show hardware internal forwarding rate-limiter usage
>
>
> I hope this helps a bit.
>
> Best regards,
> Andras
>
>
> On Wed, Mar 21, 2012 at 1:13 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>> On 20/03/12 20:53, Tóth András wrote:
>>>
>>> Hi Phil,
>>>
>>> There are certain exceptions for packets being forwarded which are not
>>> handled by CoPP, these are covered by the HW Rate Limiters.
>>
>>
>> Andras,
>>
>> Thanks for the response. Unfortunately it didn't tell me anything I didn't
>> already know ;o)
>>
>> In fact, it appears to be largely cut&paste from the NX-OS docs, which I
>> have read.
>>
>> Perhaps I wasn't specific enough in my original email.
>>
>> I'm looking for comprehensive documentation on what types of packets are
>> considered to match the HW rate limiters, what types of packets match CoPP,
>> and how the system acts when >1 match occurs.
>>
>>
>> This kind of behaviour is not well documented for Sup720, but if you dig
>> through the Cisco site and archives of the list, you can find your info.
>>
>> It is even LESS well documented for N7k as far as I can tell. The HW RL have
>> uninformative names like "layer-3 control" and there is little or no
>> documentation about how they interact, other than tantalising hints like:
>>
>> """
>> Layer 3 control, multicast direct-connect, and ARP request packets are
>> controlled by the Layer 2 copy rate limiter. The first two types of packets
>> are also controlled by Layer 3 rate limiters, and the last two types are
>> also subject to control plane policing
>> """
>>
>> For example: which HW rate-limiters does an OSPF packet match, if any? In
>> which order do these rate-limiters match, and is it before or after CoPP?
>>
>> Or, the "receive" HW RL versus CoPP.
>>
>> Or, the "layer-3 ttl" HW RL versus the "match exception ttl-failure", or
>> again for "mtu".
>>
>> Hope that explains things in more detail.
>>
>> Cheers,
>> Phil


