[c-nsp] N7k CoPP versus rate-limiters

Charles Spurgeon c.spurgeon at mail.utexas.edu
Thu Mar 22 14:55:25 EDT 2012


On Thu, Mar 22, 2012 at 11:25:25AM +0000, Phil Mayers wrote:
> On 21/03/12 21:16, Tóth András wrote:
> >Hi Phil,
> >
> >Sorry, my previous email deserves some clarification as it was a bit
> >confusing after I read it again.
> >
> >OSPF packets sent to 224.0.0/24, will go through L3-control RL and not
> >CoPP. However, OSPF packets sent unicast will go through CoPP and not
> >L3-control RL.
> 
> Thanks, that's very helpful; it gives insight into the "split" between 
> the two.
> 
> >
> >There are only a few packets, such as DHCP and ARP which go through
> >both CoPP and rate-limiter.
> 
> Presumably the "receive" rate-limiter is a special case o
> 
> >
> >There are some packets which CoPP cannot catch, and those need to be
> >rate-limited, and that is why there are rate-limiters.
> >
> >As mentioned, you can use the "show hardware internal forwarding
> >rate-limiter usage" command to check what is handled by CoPP and what
> >is handled by rate-limiter, and what by both.
> 
> This is an extremely useful bit of info; thanks very much for your 
> excellent reply!

BTW, there's a new "IP Glean Throttling" command as of 5.1 code which
is an ARP throttle. It is not enabled by default. We have enabled this
on our 7010s with "hardware ip glean throttle"
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_ip.html#wp1197271

I took these notes about the new ARP throttle while on a conf call
a year ago, so this is not official Cisco info, just what I
thought I heard:
--------------------
A new throttle rate limiter has shipped in v5.1 code that installs a
/32 CEF FIB drop adjacency and automatically black holes traffic being
sent to an unoccupied address in an attempt to DoS the router CPU.

this is a vuln that they are dealing with by installing the auto-drop
adjacency and ceasing to ARP for the address for 30 seconds after the
first ARP. This feature must be enabled, not on by default. There are
knobs to adjust timers and the number of /32 drop adjacencies that are
allowed to avoid TCAM exhaustion from randomized src addrs in an
attack of this type.
--------------------

Also, on a related topic of which packets may get dropped on their way
through the router, beware the IDS packet checking system which is
enabled by default and likes to find reasons to drop packets. Since
our preference is to deliver packets vs dropping them, we have
disabled a number of these:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_ip.html#wp1197179

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265
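Added illustration, not from the original post and not Cisco code: a toy model of the ARP-throttle behaviour described in Charles's notes (a /32 drop adjacency installed after the first ARP, suppression for 30 seconds, and a cap on the number of drop entries to protect the TCAM). The 30 s window and the cap come from the notes; the class names, the data structures and what happens once the cap is reached are assumptions made for the example.

```python
# Constructed example of the "IP glean throttle" mechanism from the notes above.
# Not Cisco code; timers and cap semantics beyond what the post states are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class GleanThrottle:
    """Forwarding-plane state for one router with the throttle enabled."""
    timeout: float = 30.0          # seconds a /32 drop adjacency stays installed (from the notes)
    maximum: int = 1000            # cap on installed drop adjacencies (TCAM protection knob)
    drops: Dict[str, float] = field(default_factory=dict)            # dst -> install time
    arp_sent: List[Tuple[float, str]] = field(default_factory=list)  # punts to the CPU for ARP

    def _expire(self, now: float) -> None:
        # Age out drop adjacencies whose suppression window has elapsed.
        self.drops = {ip: t for ip, t in self.drops.items() if now - t < self.timeout}

    def handle(self, dst: str, now: float, resolved: Set[str]) -> str:
        """Return what happens to a packet for dst: 'forward', 'glean' or 'drop'."""
        if dst in resolved:
            return "forward"       # adjacency already known: ordinary hardware forwarding
        self._expire(now)
        if dst in self.drops:
            return "drop"          # hardware drop adjacency: no ARP, nothing reaches the CPU
        # First packet to an unresolved address: punt it so the CPU can ARP (the "glean").
        self.arp_sent.append((now, dst))
        if len(self.drops) < self.maximum:
            self.drops[dst] = now  # install the /32 drop for the next `timeout` seconds
        # Assumption: once the cap is reached, new addresses are simply gleaned as before.
        return "glean"


def count_arps(packets: List[Tuple[float, str]], throttle: Optional[GleanThrottle],
               resolved: Set[str] = frozenset()) -> int:
    """ARP punts caused by a stream of (time, dst) packets, with or without the throttle."""
    if throttle is None:
        # Plain glean: every packet to an unresolved address is punted to the CPU.
        return sum(1 for _, dst in packets if dst not in resolved)
    for now, dst in packets:
        throttle.handle(dst, now, resolved)
    return len(throttle.arp_sent)


if __name__ == "__main__":
    # Constructed traffic: 100 packets in 10 s toward one unoccupied address on a connected subnet.
    burst = [(i * 0.1, "10.0.0.99") for i in range(100)]
    print("ARP punts without throttle:", count_arps(burst, None))             # 100
    print("ARP punts with throttle:   ", count_arps(burst, GleanThrottle()))  # 1
```

The model makes the trade-off in the notes visible: with the throttle on, a flood toward one unoccupied address costs the CPU a single ARP per 30 s window, while the `maximum` knob bounds how much TCAM the drop entries can consume when many distinct addresses are targeted.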

