[c-nsp] sup720 ICMP redirects "once per second"

Phil Mayers p.mayers at imperial.ac.uk
Mon Feb 11 13:07:16 EST 2013

On 11/02/13 17:42, Tóth András wrote:
> Hi Phil,
> As I understand you have disabled the MLS rate-limiter for redirects, so
> that should not cause throttling, but you can check with "sh ibc" to see
> the rate at which packets arrive to the CPU.

For clarity, I haven't disabled it; it's disabled by default. But yes, 
the MLS redirect limiter is disabled.

> With mls rate-limit redirect disabled, packets will be still subject to
> CoPP because they require CPU processing to generate a redirect, so
> perhaps your CoPP policy (probably class default) is limiting them? That
> can also cause packet loss between those stations if the traffic
> requires punting.

Good guess, but I don't think so; removing the control-plane service 
policy has no effect (and in any case, the packets which are generating 
the redirect would be hitting a class-map with a 10Mbit/sec rate-limit, 
which is too high to make 1 redirect/sec).

At this point, all the evidence suggests that:

  1. The box is forwarding the packets back out
  2. No more than once a second, the DFC/PFC is leaking a packet to the CPU
  3. This packet generates the redirect

I'm trying to determine what is going on in step 2; specifically, what's 
the "key" value for the rate-limit? Ingress interface, source IP, per 
forwarding engine?

It's worth noting that this behaviour is also undocumented; all the docs 
I've seen imply that redirects happen every packet. What if you had a 
(weird!) config where you didn't *want* the sup720 to forward the 
original packet, and always wanted to *just* send the redirect?

As you say, I *assume* the punts are subject to CoPP, but who knows?

> You could also check the "ip icmp rate-limit unreachable" command, might
> be applicable here too.

No effect sadly.

Very weird...

More information about the cisco-nsp mailing list