[c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

"Rolf Hanßen" nsp at rhanssen.de
Thu Jun 27 12:36:15 EDT 2013


Hi,

we recently installed CoPP on several boxes (Sup720, Sup2T).
We have a lot of "allow ..." whitelist rules and end with a
class dropping everything:

  class class-copp-any-ip
   police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop

class-map match-any class-copp-any-ip
  match access-group name acl-copp-any-ip
ip access-list extended acl-copp-any-ip
 permit ip any any

This works fine so far, but we have now found out that it causes a
problem:
Host A with IP x.x.x.x is connected to the Cisco and has no ARP entry yet.
If somebody from outside starts a connection to host A (TCP/UDP), the
packet is dropped and the Cisco does not learn the MAC of host A.

I guess this happens because, without an existing ARP entry, the packet
needs to be sent to the RP and is dropped by CoPP.

I changed the last rule to "conform-action transmit" to allow a small
amount of any traffic.
This works but is not what we intended.

Is there a way to match that "destination IP = connected IP without entry
in ARP table" traffic? I found no such option in the syntax.
Any other option, maybe bypass CoPP for that traffic and rate-limit it
another way?

kind regards
Rolf
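An added configuration sketch, not taken from the post above: it puts a whitelist class beside the catch-all so the structure is visible, shows the original drop-everything catch-all next to the conform-action transmit variant the post describes as a workaround, and adds the Sup720 hardware CEF glean rate limiter as a separate knob for the punted packets that trigger ARP resolution. The policy-map name, the BGP whitelist class, the peer address 192.0.2.1, and all policer and rate-limiter values are assumptions; whether the glean rate limiter is exempt from CoPP on a given release, and whether Sup2T exposes the same command, must be checked against that platform's documentation.

```cisco
! Whitelist example (assumed): BGP from one known peer. Real deployments have
! one such class per protocol the RP must accept.
ip access-list extended acl-copp-bgp
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
!
class-map match-all class-copp-bgp
 match access-group name acl-copp-bgp
!
! Catch-all for everything else punted to the RP.
ip access-list extended acl-copp-any-ip
 permit ip any any
!
class-map match-any class-copp-any-ip
 match access-group name acl-copp-any-ip
!
policy-map copp-policy
 class class-copp-bgp
  police cir 1000000 bc 125000 conform-action transmit exceed-action drop violate-action drop
 !
 ! Original catch-all: conform-action drop also discards the first packet
 ! for a directly connected host with no ARP entry (the glean punt), so
 ! the ARP request is never triggered and the MAC is never learned.
 ! class class-copp-any-ip
 !  police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop
 !
 ! Workaround described in the post: let a small trickle through so the
 ! glean punt reaches the RP; anything above the CIR is still dropped.
 class class-copp-any-ip
  police cir 128000 bc 1000 conform-action transmit exceed-action drop violate-action drop
!
control-plane
 service-policy input copp-policy
!
! Sup720 hardware rate limiter for glean (ARP resolution) punts, in packets
! per second and burst (values assumed). This limits the glean path itself
! rather than the CoPP catch-all; verify on the running release whether
! these packets are still subject to CoPP afterwards, and the Sup2T syntax.
mls rate-limit unicast cef glean 100 10
```

Check the effect with `show policy-map control-plane` (catch-all conform/exceed counters) and, after the glean limiter is applied, `show mls rate-limit`; a connection attempt to a host with no ARP entry should then produce an ARP request on the access VLAN and a new entry in `show ip arp`.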




More information about the cisco-nsp mailing list