[c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

Phil Mayers p.mayers at imperial.ac.uk
Fri Jun 28 08:28:50 EDT 2013


On 28/06/13 13:14, "Rolf Hanßen" wrote:
> Hello,
>
> thanks for the info but that does not help in my case, just tried out.
>
> The link confirms:
> "if traffic matches a special-case rate limiter, it is never compared
> against the hardware CoPP policy. It will only be compared against the
> software CoPP policy"

Hmph. That's odd. I thought we had come to the conclusion that MLS 
rate-limiters circumvented *all* CoPP, hardware & software.

Do you have egress ACLs? Have you read this:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m2.html#wp1036022

"""
If you enable the CEF rate limiters, the following behaviors occur (if 
the behavior that is listed is unacceptable, disable the CEF rate limiters):

• If a packet hits a glean/receive adjacency, the packet may be dropped 
instead of being sent to the software if there is an output ACL on the 
input VLAN and the matched entry result is deny.
"""

