[c-nsp] BFD bypassing CoPP on 6500
Antonio Soares
amsoares at netcabo.pt
Mon May 5 07:20:53 EDT 2014
Did you find anything else in the meanwhile ? What you found is potentially catastrophic...
Thanks.
Regards,
Antonio Soares, CCIE #18473 (RS/SP)
amsoares at netcabo.pt
http://www.ccie18473.net
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Williams
Sent: domingo, 4 de Maio de 2014 17:20
To: 'cisco-nsp at puck.nether.net'
Subject: [c-nsp] BFD bypassing CoPP on 6500
Hi,
I can’t seem to find any relevant documentation on this so I’m hoping someone may know. I’ve identified that BFD traffic appears to bypass the CoPP in some respects (platform is 6500/Sup720/15.1SY).
The relevant test config is:
class-map match-any CoPP-bfd
match access-group name V4-CoPP-bfd
ip access-list extended V4-CoPP-bfd
permit udp 10.10.0.0 0.0.255.255 gt 49151 any eq 3784 permit udp 10.10.0.0 0.0.255.255 gt 49151 any eq 3785
<within control-plane policy>
class CoPP-bfd
police 32000 100000 100000 conform-action transmit exceed-action drop
So for example, if you send 50mbit/s of BFD traffic to it, then the output of “show policy-map control-plane input class CoPP-bfd” correctly shows that there is 50mbit/s of traffic being matched (in hardware) and that only 32,000bps of it is being forwarded. All looks fine, however, the CPU grinds to a halt, even though the exceed-action is set to ‘drop’ so nothing more than a tiny 32,000 should get through. I’ve confirmed it is indeed all getting through as you can see it in a CPU span session.
Also, the class-default in the control-plane policy is set to conform-action drop as well. So how is it even getting through?
Interestingly, if you set the conform-action to drop on class CoPP-bfd then it still hits 100% CPU. Although strangely if you _do_ set CoPP-bfd to conform-drop then also the genuine BFD ‘real’ sessions suddenly stop working. So the ‘drop’ feature does have some impact still, somehow…
This is in a lab setup with little else running on the boxes and I’m able to test anything if anyone has any ideas why this is occurring.
#remote command switch show tcam interface vlan 1013 qos type2 ip
* Global Defaults shared
------------------------------------------------------
QOS Results:
A - Aggregate Policing F - Microflow Policing
M - Mark T - Trust
U - Untrust
------------------------------------------------------
MAU udp 10.10.0.0 0.0.255.255 gt 49151 any eq 3784
MAU udp 10.10.0.0 0.0.255.255 gt 49151 any eq 3785
#remote command switch show tcam interface vlan 1013 qos type2 ip detail
Interface: 1013 label: 3 lookup_type: 2
protocol: IP packet-type: 0
+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
|T|Index| Dest Ip Addr | Source Ip Addr| DPort | SPort | TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
V 35925 0.0.0.0 10.10.0.0 P=3784 P>49151 ------ 17 ---- 1 0 -- --- 0-0 <-
M 35927 0.0.0.0 255.255.0.0 65535 ------ 255 --X- 1 0 <-
R rslt: 503 <-
V 35926 0.0.0.0 10.10.0.0 P=3785 P>49151 ------ 17 ---- 1 0 -- --- 0-0 <-
M 35927 0.0.0.0 255.255.0.0 65535 ------ 255 --X- 1 0 <-
R rslt: 503 <-
Since it’s just UDP on a certain port I don’t see how/why this would be treated any differently from any other type of traffic going to the CPU. I know there are various restrictions and limitations (like ARP, IP Options etc.) but this is nothing ‘special’ – just UDP traffic - or at least I thought so?
So what am I missing here? Cheers!
Robert Williams
Custodian Data Centre
Email: Robert at CustodianDC.com
http://www.CustodianDC.com
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list