[c-nsp] CoPP on 7600s

James Bensley jwbensley at gmail.com
Thu Jun 25 17:13:30 EDT 2015

Hi All,

I am trying to write a CoPP template for some 7600s running as PEs. It
would be handy if they were running a similar CoPP configuration to
that on our Juniper PEs we are going to be connecting these 7600s to
so we have consistent CoPP across that domain of equally exposed
control-planes (although they obviously won’t be exactly the same). I
have written the below based on some of our Juniper PEs but I haven't
used some of these features on Cisco before and can't find a full
working config on the Internet for 7600 CoPP bizarrely! Can anyone
share a working example with me (off list if needs be) or give some
input on the below?

CoPP on 7600s can't police ARP but one can use the MLS HWRL for that.
The HWRLs can also handle other protocols like HSRP and CoPP can't
police multicast in hardware, so do people usually police ARP and HSRP
using the MLS HWRLs instead of CoPP?

The HWRLs support other protocols too that ARE supported in CoPP in
hardware, so are there any other protocols that people prefer to
police using the HWRLs?

With regards to ACLs, do people really have giant access lists of
peers they allow BGP to/from? The 7600 I am piloting this on has over
325 BGP peers (a mix of eBGP downstream customers, eBGP upstreams and
iBGP peers and route-reflectors) which is quite a few less than the
lab routers, and it's always growing/changing. I assume that people
manage that as best they can through iACLs or similar? At present I'm
proposing config like "permit tcp any any eq 179" and then to use iACLs
and edge filtering.

With critical protocols (BGP, IGP etc) I have seen in the Cisco
example they police them but always use "conform-action transmit
exceed-action transmit violate-action transmit" so they aren't
policing at all really. It's obvious that you don't really want to drop
any routing updates or keepalives for example but if I use "permit tcp
any any eq 179" as above then I feel I need to police, unless I can
guarantee at the edge I have filtered out traffic on TCP 179 from
everywhere it shouldn't be coming from. What approach do others take
here? Why?

What do people do with unusual traffic like IP fragments? I am
discarding them. Thoughts?

What about packets with IP options set, I am allowing record-route
only and dropping the rest. Thoughts?

ICMP, I'm just proposing to allow the following:
ip access-list extended CoPP-Limit-and-Permit-ICMP
 permit icmp any any echo
 permit icmp any any echo-request
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 deny icmp any any

Again, any thoughts there?

If someone can clear up some of these queries I will tidy and post up
the config I have so far.
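
An added example, not part of the original post: a small audit that reads a CoPP policy-map and reports which classes can never drop traffic, the "transmit/transmit/transmit" pattern described above. The policy-map, class names and rates in the sample are constructed for illustration.

```python
import re

# Constructed sample: class names and rates are assumptions, not from the post.
SAMPLE = """\
policy-map CoPP
 class CoPP-BGP
  police 1000000 31250 31250 conform-action transmit exceed-action transmit violate-action transmit
 class CoPP-ICMP
  police 64000 8000 8000
   conform-action transmit
   exceed-action drop
 class CoPP-Fragments
  police 32000 1500 1500 conform-action drop exceed-action drop
 class class-default
"""

ACTION_RE = re.compile(r"\b(conform|exceed|violate)-action\s+(\S+)")

def audit_policy_map(config):
    """Map each class to 'no-policer', 'never-drops' or 'enforcing'."""
    classes = {}      # class name -> None (no policer) or {action kind: action}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("class "):
            current = line.split(None, 1)[1]
            classes[current] = None
        elif current is None:
            continue  # not inside a class yet (e.g. the policy-map line)
        elif line.startswith("police "):
            # IOS defaults when actions are omitted: conform transmit, exceed drop.
            classes[current] = {"conform": "transmit", "exceed": "drop"}
            classes[current].update(ACTION_RE.findall(line))
        elif classes[current] is not None:
            # Actions given on their own lines under the police statement.
            classes[current].update(ACTION_RE.findall(line))
    verdicts = {}
    for name, actions in classes.items():
        if actions is None:
            verdicts[name] = "no-policer"
        elif "drop" in actions.values():
            verdicts[name] = "enforcing"
        else:
            verdicts[name] = "never-drops"
    return verdicts

if __name__ == "__main__":
    for name, verdict in audit_policy_map(SAMPLE).items():
        print(f"{name:16} {verdict}")
```

A class reported as never-drops combined with an ACL such as "permit tcp any any eq 179" leaves edge filtering as the only control on that traffic.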

