[c-nsp] CoPP on 7600s
Saku Ytti
saku at ytti.fi
Wed Jul 1 02:44:09 EDT 2015
On (2015-06-30 22:06 +0000), Mack McBride wrote:
Hey,
> I have never run into a problem with using deny in a CoPP ACL.
> It ends that specific class processing if the deny matches.
> The next class will still be processed properly (or at least I have never run into a problem).
In 2006-06-20 I opened CSCse90832 titled 'explicit deny in a CoPP ACL allows
traffic to skip later match statemets'. It has this:
--
Workaround:
Use only one match statement per class-map and create multiple class-maps.
Do not use the deny statement in an ACL that will be used as a part of a
class-map that has more than one match statement.
--
It's terminated with no fixed versions.
I recall also discussion how it's not supported. And at any rate, there is no
use case for it. As self-documenting policy I too like to explicitly add
implicit ultimate rules, but in this case it bit me.
I had to open about dozen DDTS's on CoPP when I deployed it in 2006. But I am
extremely happy how Cisco handled it, I had access to clued people in
escalation TAC and issues were resolved in timely manner.
> We break out classes for pretty much everything we can.
> Complex CoPP tends to work better and need fewer major changes.
We've not changed the design since 2006 and it's ran on hundreds of 7600. I
know it's not bullet proof, as some compromises are made for simplicity but I
accept that, as 7600 cannot be protected perfectly from directly connected
attackers.
> As for HWRL, we use glean and mtu-failure.
> Use of other rate limiters can cause the CoPP to be bypassed on ingress
> And all CoPP to be done in software on the RP.
Our HWRL are full, and I'd like to use more:
mls rate-limit multicast ipv4 fib-miss 2000 10
mls rate-limit multicast ipv4 non-rpf 10 10
mls rate-limit multicast ipv4 igmp 2000 10
mls rate-limit multicast ipv4 partial 2000 10
mls rate-limit unicast cef glean 200 50
mls rate-limit unicast ip options 10 10
mls rate-limit unicast ip rpf-failure 10 10
mls rate-limit unicast ip icmp redirect 0
mls rate-limit unicast ip icmp unreachable no-route 10 10
mls rate-limit unicast ip icmp unreachable acl-drop 10 10
mls rate-limit unicast ip errors 10 10
mls rate-limit all ttl-failure 200 50
mls rate-limit all mtu-failure 10 10
mls rate-limit layer2 pdu 20 20
I could probably get rid of 'icmp redirect' as all interfaces have redirects
disabled, that would free me another slot for things I need.
> One important thing to remember with CoPP is to baseline before you
> implement dropping traffic. That way you can verify what you are doing
> will not affect normal operations.
You can also redirect dropped traffic out to an analyzer port, just to monitor
early on what exactly is being dropped, so you can react.
--
++ytti
More information about the cisco-nsp
mailing list