[c-nsp] N7k CoPP not MPLS-aware?

Phil Mayers p.mayers at imperial.ac.uk
Fri Nov 15 08:34:05 EST 2013


On 15/11/13 12:02, Saku Ytti wrote:
> On (2013-11-15 09:48 +0000), Phil Mayers wrote:
>
>> Has anyone else seen this? Our N7k CoPP policy seems to be letting
>> packets through which are arriving MPLS-labelled. In particular,
>> this means it's completely ineffective at protecting the CPU in an
>> L3VPN, since all packets inside the VPN arrive labelled.
>
> Alas this is the rule, 7600 having working CoPP is the exception.
>
> In 2006-03-16 I opened TAC case 603198067 complaining how 'explicit-null'
> breaks CoPP in GSR, VXR, NSE100, 5400, result was that it was expected
> behaviour.

Great. Doubly helpful, since VTY ACLs are broken on the version of NX-OS 
we're on :o(

(In case anyone wants to be helpful and suggest iACLs, do me a favour 
and move onto the next thread; they don't help in this specific case for 
reasons I have no interest in discussing)


More information about the cisco-nsp mailing list