[c-nsp] Drop rule at the end of CoPP conflicts with MAC learning
Rolf Hanßen
nsp at rhanssen.de
Thu Jun 27 12:36:15 EDT 2013
Hi,
we recently installed CoPP on several boxes (Sup720, Sup2T).
We have a lot of "allow ..." whitelist rules and end with a
class dropping everything:
 class class-copp-any-ip
  police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop
class-map match-any class-copp-any-ip
 match access-group name acl-copp-any-ip
ip access-list extended acl-copp-any-ip
 permit ip any any
This works fine so far but we now found out that this results in a certain
problem:
Host A with IP x.x.x.x is connected to the Cisco and has no ARP entry yet.
If somebody from outside starts a connection to host A (TCP/UDP), the
packet is dropped, the Cisco does not learn the MAC of host A.
I guess this happens because without an existing ARP entry the packet
needs to be sent to the RP and is dropped by CoPP.
I changed the last rule to "conform-action transmit" to allow a small
amount of any traffic.
This works but is not what we intended.
Is there a way to match that "destination IP = connected IP without entry
in ARP table" traffic? I found no such option in the syntax.
Any other option, maybe bypass CoPP for that traffic and rate-limit it
another way?
Kind regards
Rolf
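As an added example (not the poster's configuration), the policy ordering described above with the catch-all class changed to transmit a small budget rather than drop everything, plus the platform's CEF glean special-case hardware rate limiter as one form of the "rate-limit it another way" the question asks about. The BGP class, the policy-map name and all rates are assumed values, and whether the glean rate limiter is evaluated before CoPP on a given supervisor should be confirmed in that platform's documentation.

```cisco
! Added example, not from the original post. Whitelist expected control-plane
! traffic first, then police (not drop) whatever is left so that the first
! packet to a neighbour with no ARP entry can still reach the RP and trigger
! ARP resolution. Names other than the poster's own are assumed.
ip access-list extended acl-copp-bgp
 permit tcp any any eq bgp
 permit tcp any eq bgp any
ip access-list extended acl-copp-any-ip
 permit ip any any
!
class-map match-any class-copp-bgp
 match access-group name acl-copp-bgp
class-map match-any class-copp-any-ip
 match access-group name acl-copp-any-ip
!
policy-map copp-policy
 class class-copp-bgp
  police cir 1000000 bc 50000 conform-action transmit exceed-action drop violate-action drop
 ! catch-all stays last: a small conforming budget is transmitted, the rest
 ! is dropped, so glean (unresolved-ARP) punts are rate-limited, not lost
 class class-copp-any-ip
  police cir 128000 bc 1000 conform-action transmit exceed-action drop violate-action drop
!
control-plane
 service-policy input copp-policy
!
! Alternative (assumed to apply on this platform; verify for the supervisor in
! use): the special-case hardware rate limiter for CEF glean traffic is checked
! before CoPP, so glean punts can be limited here while the CoPP catch-all
! class keeps its conform-action drop.
mls rate-limit unicast cef glean 1000 100
```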