[c-nsp] CoPP - matching protocol ARP plus an input-interface

Chuck Church chuckchurch at gmail.com
Thu Sep 12 15:54:48 EDT 2013


All,

Working on an 871 router at a customer site.  Unknown ARP flood
coming from customer LAN was crushing router CPU, guessing about 2800
pkt/sec.  A service policy applied to control plane just matching ARP does
what's expected, but when I tried to limit it to just customer-side ARP by
matching protocol ARP plus input-int VL1:

Service-policy input: CoPP

    Class-map: ARP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol arp
      Match: input-interface Vlan1
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      863 packets, 132033 bytes
      5 minute offered rate 21000 bps, drop rate 0 bps
      Match: any

I don't get any matches.  If I remove the match input-int, the counters
again start increasing for ARP.  Is it a known issue that CoPP can't be
combined with an input-int, or maybe just ARP combined with that?  Reading
various URLs such as:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html

didn't exactly say that, although it mentioned ARP being processed at
CEF-exception interface.  Does that explain it?


Thanks,

Chuck
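A way to make the symptom in the post mechanically visible, as an added example that is not part of the original message: a Python parser for the `show policy-map control-plane` output quoted above. It turns each class-map into structured counters and flags any class that carries explicit Match lines but has zero hits while class-default keeps counting, which is exactly the pattern of the ARP class here. The sample input is the output quoted in the post; the function and field names are my own and are not a Cisco API.

```python
"""Parse Cisco IOS `show policy-map control-plane` output and flag classes
whose match criteria never hit while class-default keeps absorbing traffic.

Added example, not part of the original post. SAMPLE_OUTPUT is the show
output quoted in the post, embedded here so the script runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Service-policy input: CoPP

    Class-map: ARP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol arp
      Match: input-interface Vlan1
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      863 packets, 132033 bytes
      5 minute offered rate 21000 bps, drop rate 0 bps
      Match: any
"""


@dataclass
class ClassStats:
    """Counters for one class-map inside a control-plane service policy."""
    name: str
    mode: str                              # "match-all" or "match-any"
    packets: int = 0
    bytes_: int = 0
    offered_bps: int = 0
    drop_bps: int = 0
    matches: List[str] = field(default_factory=list)
    cir_bps: Optional[int] = None          # policer rate, if the class polices
    conformed_pkts: Optional[int] = None
    exceeded_pkts: Optional[int] = None


# One regex per line shape in the show output.
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
PKTS_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes$")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")
CIR_RE = re.compile(r"\bcir (\d+) bps")
CONF_RE = re.compile(r"^\s*conformed (\d+) packets,")
EXC_RE = re.compile(r"^\s*exceeded (\d+) packets,")


def parse_policy_map(text: str) -> Dict[str, ClassStats]:
    """Return {class name: ClassStats} in the order the classes appear."""
    classes: Dict[str, ClassStats] = {}
    cur: Optional[ClassStats] = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = ClassStats(name=m.group(1), mode=m.group(2))
            classes[cur.name] = cur
            continue
        if cur is None:
            continue                       # "Service-policy" header, blank lines
        m = PKTS_RE.match(line)
        if m:                              # class-level hit counters
            cur.packets, cur.bytes_ = int(m.group(1)), int(m.group(2))
            continue
        m = RATE_RE.search(line)
        if m:
            cur.offered_bps, cur.drop_bps = int(m.group(1)), int(m.group(2))
            continue
        m = MATCH_RE.match(line)
        if m:
            cur.matches.append(m.group(1))
            continue
        m = CIR_RE.search(line)
        if m:
            cur.cir_bps = int(m.group(1))
            continue
        m = CONF_RE.match(line)
        if m:
            cur.conformed_pkts = int(m.group(1))
            continue
        m = EXC_RE.match(line)
        if m:
            cur.exceeded_pkts = int(m.group(1))
    return classes


def find_dead_classes(classes: Dict[str, ClassStats],
                      min_default_pkts: int = 1) -> List[str]:
    """Names of classes with explicit Match lines but zero hits while
    class-default has absorbed traffic: the classifier is not matching."""
    default = classes.get("class-default")
    if default is None or default.packets < min_default_pkts:
        return []                          # nothing flowed; counters prove nothing
    return [c.name for c in classes.values()
            if c.name != "class-default" and c.packets == 0 and c.matches]


if __name__ == "__main__":
    stats = parse_policy_map(SAMPLE_OUTPUT)
    for c in stats.values():
        print(f"{c.name:<14} {c.mode:<9} pkts={c.packets:<6} "
              f"offered={c.offered_bps} bps  match={c.matches}")
    for name in find_dead_classes(stats):
        print(f"WARNING: class {name} never matched while class-default grew")
```

Running this over the output from the post reports `ARP` as a class whose two match lines never hit while class-default took 863 packets. Re-run it after removing the `input-interface` match and the warning should disappear, which is the quickest way to confirm which of the two match statements is the one not classifying, without drawing conclusions about why.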
