[c-nsp] CoPP on 7600s

Saku Ytti saku at ytti.fi
Wed Jul 1 02:44:09 EDT 2015 

On (2015-06-30 22:06 +0000), Mack McBride wrote:

Hey,

> I have never run into a problem with using deny in a CoPP ACL.
> It ends that specific class processing if the deny matches.
> The next class will still be processed properly (or at least I have never run into a problem).

In 2006-06-20 I opened CSCse90832 titled 'explicit deny in a CoPP ACL allows
traffic to skip later match statemets'. It has this:

--
Workaround:
Use only one match statement per class-map and create multiple class-maps.

Do not use the deny statement in an ACL that will be used as a part of a
class-map that has more than one match statement.
--

It's terminated with no fixed versions.


I recall also discussion how it's not supported. And at any rate, there is no
use case for it. As self-documenting policy I too like to explicitly add
implicit ultimate rules, but in this case it bit me.
I had to open about dozen DDTS's on CoPP when I deployed it in 2006. But I am
extremely happy how Cisco handled it, I had access to clued people in
escalation TAC and issues were resolved in timely manner.

> We break out classes for pretty much everything we can.
> Complex CoPP tends to work better and need fewer major changes.

We've not changed the design since 2006 and it's ran on hundreds of 7600. I
know it's not bullet proof, as some compromises are made for simplicity but I
accept that, as 7600 cannot be protected perfectly from directly connected
attackers.

> As for HWRL, we use glean and mtu-failure.
> Use of other rate limiters can cause the CoPP to be bypassed on ingress
> And all CoPP to be done in software on the RP.

Our HWRL are full, and I'd like to use more:

mls rate-limit multicast ipv4 fib-miss 2000 10
mls rate-limit multicast ipv4 non-rpf 10 10
mls rate-limit multicast ipv4 igmp 2000 10
mls rate-limit multicast ipv4 partial 2000 10
mls rate-limit unicast cef glean 200 50 
mls rate-limit unicast ip options 10 10
mls rate-limit unicast ip rpf-failure 10 10
mls rate-limit unicast ip icmp redirect 0
mls rate-limit unicast ip icmp unreachable no-route 10 10
mls rate-limit unicast ip icmp unreachable acl-drop 10 10
mls rate-limit unicast ip errors 10 10
mls rate-limit all ttl-failure 200 50
mls rate-limit all mtu-failure 10 10
mls rate-limit layer2 pdu 20 20

I could probably get rid of 'icmp redirect' as all interfaces have redirects
disabled, that would free me another slot for things I need.

> One important thing to remember with CoPP is to baseline before you
> implement dropping traffic.  That way you can verify what you are doing
> will not affect normal operations.

You can also redirect dropped traffic out to an analyzer port, just to monitor
early on what exactly is being dropped, so you can react.

-- 
  ++ytti

More information about the cisco-nsp mailing list