[c-nsp] CoPP - matching protocol ARP plus an input-interface
Chuck Church
chuckchurch at gmail.com
Wed Sep 11 15:27:01 EDT 2013
All,
Working on an 871 router at a customer site. An unknown ARP flood
coming from the customer LAN was crushing the router CPU, guessing about 2800
pkt/sec. A service policy applied to the control plane just matching ARP does
what's expected, but when I tried to limit it to just customer-side ARP by
matching protocol ARP plus input-int VL1:
 Service-policy input: CoPP

   Class-map: ARP (match-all)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: protocol arp
     Match: input-interface Vlan1
     police:
         cir 8000 bps, bc 1500 bytes
       conformed 0 packets, 0 bytes; actions:
         transmit
       exceeded 0 packets, 0 bytes; actions:
         drop
       conformed 0 bps, exceed 0 bps

   Class-map: class-default (match-any)
     863 packets, 132033 bytes
     5 minute offered rate 21000 bps, drop rate 0 bps
     Match: any
I don't get any matches. If I remove the match input-int, the counters
again start increasing for ARP. Is it a known issue that CoPP can't be
combined with an input-int, or maybe just ARP combined with that? Reading
various URLs such as:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html
didn't exactly say that, although it mentioned ARP being processed at the
CEF-exception interface. Does that explain it?
Thanks,
Chuck
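As an added example, not taken from Chuck's post or any reply on the page, the IOS configuration behind the show output above, with the class that matched nothing on the 871 written out beside the ARP-only class the post reports as working. Class, policy and interface names and the policer values (8000 bps, bc 1500) come from the show output; the class-map name ARP-VLAN1 and the Control Plane Protection attach point at the end are assumptions, since the post does not say which image the 871 runs.

```cisco
! Added example, not from the original post. Names CoPP, ARP and Vlan1
! and the policer values are taken from the show output in the post.

! Class as posted: zero matches on the 871 once the input-interface
! criterion is added (class name ARP-VLAN1 is assumed for illustration).
class-map match-all ARP-VLAN1
 match protocol arp
 match input-interface Vlan1

! Class the post reports as working: ARP arriving on any interface.
class-map match-all ARP
 match protocol arp

! 8000 bps with a 1500-byte burst lets a handful of ARPs per second
! through and drops the rest of a flood of the size described (~2800 pkt/s).
policy-map CoPP
 class ARP
  police 8000 1500 conform-action transmit exceed-action drop
 class class-default

! Aggregate control-plane attach point, as in the post.
control-plane
 service-policy input CoPP

! Verify: counters for class ARP should climb while the flood is running.
! show policy-map control-plane
! show processes cpu sorted | include ARP

! Alternative attach point (assumed: requires an image with Control Plane
! Protection, 12.4(4)T or later, which the post does not confirm). The doc
! Chuck cites classifies ARP into the cef-exception subinterface, so a
! policy applied there polices only that punted exception traffic.
control-plane cef-exception
 service-policy input CoPP
```

Two caveats for a software-forwarded platform like the 871: the policer runs on the same CPU the flood is attacking, so every ARP frame is still received and classified before it is dropped (the saving is in skipping ARP processing, not in avoiding the interrupt load), and an 8000 bps limit is low enough to starve legitimate ARP from other interfaces during the flood, which is presumably why the post wanted to scope the class to Vlan1 in the first place.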