[c-nsp] ASR1k - Punt-Policing in conjunction with CoPP - aggregate and inbound policy to Control-plane
Randy
randy_94108 at yahoo.com
Sat Jul 25 20:15:36 EDT 2015
..to clarify:
-IOS-XE is a fuck-up; not to mention the nightmare called "ios-xr"
----- Original Message -----
From: Randy <randy_94108 at yahoo.com>
To: Randy <randy_94108 at yahoo.com>; Cisco-nsp <cisco-nsp at puck.nether.net>
Cc:
Sent: Saturday, July 25, 2015 5:11 PM
Subject: Re: [c-nsp] ASR1k - Punt-Policing in conjunction with CoPP - aggregate and inbound policy to Control-plane
Replying to own message:
Tried with: platform punt-policer 29 10
and corresponding copp service-policy(inbound) to reflect
policy-map PM-COPP
 class CM-EBGP
 class CM-HSRP
 class CM-EIGRP
 class CM-TTL0/1
  police rate 10 pps conform-action drop exceed-action drop
No Luck! Same garbage: ttl-0/1 packets are still getting punted to RP by FP - ESP/QFP
Anyone from "Cisco" here that can shed some light wrt behavior of IOS-XE as applicable to the above?
Being a little gratuitous given the circumstances:
"IOS-XR" the "latest&greatest" *fuckup* by Cisco??
I have no doubt!
./Randy
----- Original Message -----
From: Randy via cisco-nsp <cisco-nsp at puck.nether.net>
To: Cisco-nsp <cisco-nsp at puck.nether.net>
Cc:
Sent: Saturday, July 25, 2015 3:19 PM
Subject: [c-nsp] ASR1k - Punt-Policing in conjunction with CoPP - aggregate and inbound policy to Control-plane
Platform: asr1001 - asr1001-universalk9.03.10.02.S.153-3.S2-ext.bin
Goal: Drop all TTL<=1 (exceptions for eBGP, EIGRP, HSRP - since these apply in my case are working as desired) other-packets at ESP (qfp-outbound) before getting to RP are not working despite having service-policy applied-inbound to control-plane.
Result:
As evinced by traceroute working and all qfp stats reporting zero drops, obvious that the following:
policy-map PM-COPP
 class CM-EBGP
 class CM-HSRP
 class CM-EIGRP
 class CM-TTL0/1
  police 8000 conform-action drop exceed-action drop
is *not* working for CM-TTL0/1
class-map match-all CM-TTL0/1
 match access-group name MATCH-TTL0/1
ip access-list extended MATCH-TTL0/1
 permit ip any any ttl eq 0
 permit ip any any ttl eq 1
Question:
Am I correct in my *understanding* that I need to enable in global-config:
platform punt-policer 29 10 ?
(29 is the id for punt-cause-name: RP handled ICMP and 10 would be the pps); and then reconfig my policy-map for class:
CM-TTL0/1
to something like "police rate 10 conform drop exceed drop"?
Regards,
./Randy
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/