[c-nsp] IP Options Drop

Phil Mayers p.mayers at imperial.ac.uk
Mon Apr 21 12:09:57 EDT 2014


On 21/04/2014 11:47, Saku Ytti wrote:

> Unsure. But you do not any more need 'mls ratelimit' in PFC4, as ACL
> match has been greatly enhanced, IP options being one new
> classification available. So you could police IP options from your
> core loopbacks in separate policer to all other IP options.

Can you expand on this? Currently you can either do "platform 
rate-limit" for IP options or disable the RL and use the built-in / 
magic CPP class-map:

class-map match-all class-copp-options

(amongst others). But since that class-map has no "match" statement you 
can't re-use its matching logic in another class-map. You could of 
course permit all higher up in the CPP policy-map from core loopbacks. 
Is this what you mean?

I note N7k w/ M-series linecards has a different class-map syntax which 
contains extra "match" statements for the exception status, and 
examination of the "sh plat blah tcam" commands suggests the hardware is 
capable of it, but it doesn't seem exposed to CLI at the moment except 
via the single "magic" class-map per exception type.

As per my recent email on the topic I've had some issues with CPP on 
sup2T causing crashes, so my fiddling has been limited. Issue is with 
TAC at the moment.

It might be worth noting that the default in sup2T seems to be platform 
RLs enabled for:

CEF receive secondary (whatever that is)
glean
ucast IP option
ICMP acl-drop & no-route
RPF failure
ACL VACL log

...and other exception types limited by the default CPP policy. However 
there is overlap as the default CPP policy also contains RPF & VACL log 
class-maps.

It's a shame sup2T CPP is just as mysterious as sup720 right now, with 
little to no documentation of the built-in class-map or implications of 
switching between RLs and CPP, or why the overlap is there (accident?).
