[c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

Peter Rathlev peter at rathlev.dk
Thu Jun 27 12:53:32 EDT 2013


On Thu, 2013-06-27 at 18:36 +0200, "Rolf Hanßen" wrote:
> Host A with IP x.x.x.x is connected to the Cisco and has no ARP entry
> yet. If somebody from outside starts a connection to host A (TCP/UDP),
> the packet is dropped, the Cisco does not learn the MAC of host A.
> 
> I guess this happens because without an existing arp entry the packet
> needs to be sent to the RP and is dropped by CoPP.
> 
> I changed the last rule to "conform-action transmit" to allow a small
> amount of any traffic.
> This works but is not what we intended.
> 
> Is there a way to match that "destination IP = connected IP without
> entry in arp table" traffic? I found no such option in the syntax.

You can use the "mls rate-limit unicast cef glean" hardware
rate-limiter. Packets matched by a HWRL are not subjected to CoPP.

-- 
Peter
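An illustrative configuration of the arrangement described in the reply, added here for readers and not taken from the thread: it assumes a Catalyst 6500 (Sup720) whose CoPP policy ends with a class-default drop, and the pps/burst numbers are made-up placeholders to be sized for the actual box.

```ios
! Existing CoPP policy: earlier classes permit known control traffic,
! class-default drops everything else that reaches the RP.
policy-map COPP
 class COPP-ROUTING
  police 1000000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
!
! Without this line, the first packet to a connected host with no ARP
! entry is punted for "glean" and lands in class-default, so it is
! dropped before the RP can ARP for the host.
!
! Hardware rate-limiter for CEF glean punts. Packets handled by a
! hardware rate-limiter bypass the CoPP policy entirely, so gleaning
! works again while the CoPP class-default drop stays in place.
! 100 pps with a burst of 10 are placeholder values.
mls rate-limit unicast cef glean 100 10
!
! Verification:
!   show mls rate-limit                -> "CEF GLEAN" row shows On with 100/10
!   show policy-map control-plane     -> class-default counters no longer
!                                        climb when a new host is reached
```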
