[c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

"Rolf Hanßen" nsp at rhanssen.de
Fri Jun 28 11:43:53 EDT 2013


Hello,

there is no explicit config (but listed by "sh policy-map control-plane"),
I now added:
  class class-default
   police cir 512000 bc 1000 conform-action transmit exceed-action transmit violate-action transmit

Something matches the default class but ARP still does not work.

Also tried "mls qos protocol ARP police" without success.

But what makes me crazy:
The affected Sup720 has 12.2(33)SXH

I now tried to reproduce on other devices:
Sup2T: no ARP issue, the limiter is enabled by default:
Sup720 #2 (version 15.1(2)S): "mls rate-limit unicast cef glean" solves the ARP issue
Sup720 #3 (version 12.2(33)SXH2): it also works with "mls rate-limit unicast cef glean" configured

Any further ideas except hardware failure, buggy software or "try
rebooting it"?

regards
Rolf

> On (2013-06-28 15:05 +0200), "Rolf Hanßen" wrote:
>
>> no egress ACL.
>> On the box I tested there is no ACL bound to any interface at all, only
>> some in copp classes and one for the line vty.
>
> Do you have 'class-default' configured?
>
> I have penultimate rule 'CoPP-IP' which drops, like yours, everything
> matching to 'ip any any' ACL.
> After that I have class-default, where I permit (I need it at least for
> ISIS). If not configured, it's permit as well.
>
> I also have:
> mls rate-limit unicast cef glean 200 50
> mls qos protocol ARP police 2000000 62000
>
> And no ARP issues (beware if you're switching also that the ARP police
> affects transit ARP also)
>
> --
>   ++ytti