[c-nsp] ASR1k - Punt-Policing in conjunction with CoPP - aggregate and inbound policy to Control-plane

Randy randy_94108 at yahoo.com
Sun Jul 26 04:12:33 EDT 2015


Roland,

No, I haven't tried renaming that ACL, quite simply because I have the exact same syntax on my other border routers (IOS) and it works as expected.

More importantly; to answer your other questions:

The appropriate-config (as applicable to me):
sh policy-map control-plane all
 Control Plane

  Service-policy input: PM-COPP

    Class-map: CM-EBGP (match-all)
      50181 packets, 18720618 bytes
      5 minute offered rate 1000 bps
      Match: access-group name MATCH-EBGP-TTL1

    Class-map: CM-HSRP (match-all)
      73090 packets, 6856644 bytes
      5 minute offered rate 0000 bps
      Match: access-group name MATCH-HSRP-TTL1

    Class-map: CM-EIGRP (match-all)
      77802 packets, 5912956 bytes
      5 minute offered rate 0000 bps
      Match: access-group name MATCH-EIGRP-TTL1

    Class-map: CM-TTL0/1 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name MATCH-TTL0/1
      police:
        rate 10 pps, burst 2 packets
        conformed 0 packets, 0 bytes; actions:
          drop
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 pps, exceeded 0 pps

    Class-map: class-default (match-any)
      614182 packets, 79584896 bytes
      5 minute offered rate 2000 bps, drop rate 0000 bps
      Match: any


Class-map config:
class-map match-all CM-EBGP
 match access-group name MATCH-EBGP-TTL1
class-map match-all CM-HSRP
 match access-group name MATCH-HSRP-TTL1
class-map match-all CM-TTL0/1
 match access-group name MATCH-TTL0/1
class-map match-all CM-EIGRP
 match access-group name MATCH-EIGRP-TTL1

access-list as applicable to class CM-TTL0/1
Extended IP access list MATCH-TTL0/1
    10 permit ip any any ttl eq 0
    20 permit ip any any ttl eq 1

policy-map PM-COPP
 class CM-EBGP
 class CM-HSRP
 class CM-EIGRP
 class CM-TTL0/1
  police rate 10 pps conform-action drop  exceed-action drop


control-plane
 service-policy input PM-COPP

Having mentioned the above, and understanding that TTL<=0 has to be forwarded by the ESP (forwarding-plane)/qfp-outbound to the RP, since this is an ASR 1K I am dealing with here: what am I doing wrong here? Unless of course this is a hw-policer bug?

I have already looked through the output of all possible sh platform hardware and software qfp commands.

Everything appears to be correctly programmed in h/w; hits reported: zero.


./Randy

----- Original Message -----
From: Roland Dobbins <rdobbins at arbor.net>
To: Cisco-nsp <cisco-nsp at puck.nether.net>
Cc: 
Sent: Saturday, July 25, 2015 10:42 PM
Subject: Re: [c-nsp] ASR1k - Punt-Policing in conjunction with CoPP - aggregate and inbound policy to Control-plane


On 26 Jul 2015, at 0:19, Randy via cisco-nsp wrote:

> match access-group name MATCH-TTL0/1

Have you tried renaming the ACL?  Personally, I've never used or even 
seen a named ACL with a '/' in the name, maybe it's an input 
sanitization issue?  Worth a try, anyways.

> ip access-list extended MATCH-TTL0/1
> permit ip any any ttl eq 0

> permit ip any any ttl eq 1



permit ip any any ttl eq 0 1 should work, yes?

You don't show the class-map, policy-map, nor control-plane config 
stanzas, so it's difficult to know if there isn't a simple config error 
(everybody makes them at one point or another; I know I have).

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/