[c-nsp] sup720 ICMP redirects "once per second"
Phil Mayers
p.mayers at imperial.ac.uk
Mon Feb 11 13:07:16 EST 2013
On 11/02/13 17:42, Tóth András wrote:
> Hi Phil,
>
> As I understand you have disabled the MLS rate-limiter for redirects, so
> that should not cause throttling, but you can check with "sh ibc" to see
> the rate at which packets arrive at the CPU.
For clarity, I haven't disabled it; it's disabled by default. But yes,
the MLS redirect limiter is disabled.
>
> With mls rate-limit redirect disabled, packets will still be subject to
> CoPP because they require CPU processing to generate a redirect, so
> perhaps your CoPP policy (probably class default) is limiting them? That
> can also cause packet loss between those stations if the traffic
> requires punting.
Good guess, but I don't think so; removing the control-plane service
policy has no effect (and in any case, the packets which are generating
the redirect would be hitting a class-map with a 10Mbit/sec rate-limit,
which is too high to make 1 redirect/sec).

At this point, all the evidence suggests that:

1. The box is forwarding the packets back out
2. No more than once a second, the DFC/PFC is leaking a packet to the CPU
3. This packet generates the redirect

I'm trying to determine what is going on in step 2; specifically, what's
the "key" value for the rate-limit? Ingress interface, source IP, per
forwarding engine?

It's worth noting that this behaviour is also undocumented; all the docs
I've seen imply that redirects happen every packet. What if you had a
(weird!) config where you didn't *want* the sup720 to forward the
original packet, and always wanted to *just* send the redirect?

As you say, I *assume* the punts are subject to CoPP, but who knows?

> You could also check the "ip icmp rate-limit unreachable" command, might
> be applicable here too.
No effect sadly.
Very weird...