[c-nsp] CoPP on 7600s

Saku Ytti saku at ytti.fi
Mon Jun 29 08:03:02 EDT 2015


On (2015-06-29 10:00 +0100), James Bensley wrote:

Hey,

> Using MLS I can choose any of the following protocols...
> 7606(config)#mls qos protocol ?

These are not control-plane; they apply to transit as well. You don't want to
use them unless you must (neigh-disco, arp).

> I can knock up a quick script to generate ACLs for CoPP but then every
> time a peer is added the ACL needs updating. Since this is a PE box
> BGP adds/moves/changes are fairly frequent. This will quickly reach
> the point where someone forgets to remove a peer or add them to the
> script etc. The KISS approach is always best but "any any eq 179" is
> just too simple IMO, perhaps a policer for connections with SYN flag
> set on TCP 179 and then another policer for all other traffic on TCP
> 179.

We've not had problems with it. It's just one line to add to the already quite
many lines when provisioning a BGP peer. And no one forgets, because the peer
won't come up without it.
Forgetting extra lines there does not appear catastrophic to me.

> OK I had read about it potentially stopping the evaluation against
> remaining ACLs so noted. Perhaps a better method here is to make
> another ACL that matches the traffic I definitely want to drop and in
> there have "permit icmp any any" which is less specific and then under
> my CoPP policy just have the drop action.

Let unwanted traffic just flow to the last class 'IP', which matches ACL 'any any'
and drops even conforming traffic.
Then leave class-default as the last class, and allow traffic there (non-IP will
hit it, like CLNS).

-- 
  ++ytti
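The class ordering Saku describes (per-peer BGP ACL, then an 'IP' catch-all that drops even conforming traffic, then a permissive class-default for non-IP such as CLNS), as an added IOS configuration example that is not from the thread; the ACL and class names, the peer address 192.0.2.1 and the policer rates are placeholders.

```cisco
! Per-peer entries: one ACL line is added as part of BGP peer provisioning
! (the peer will not come up if its line is missing).
ip access-list extended CoPP-BGP
 remark peer 192.0.2.1 (placeholder address)
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
!
! Catch-all for any remaining IP traffic reaching the control plane.
ip access-list extended CoPP-IP-ANY
 permit ip any any
!
class-map match-all CoPP-BGP
 match access-group name CoPP-BGP
class-map match-all CoPP-IP
 match access-group name CoPP-IP-ANY
!
policy-map CoPP
 ! Wanted control-plane traffic: rate-limited, conforming packets pass.
 class CoPP-BGP
  police 1000000 31250 conform-action transmit exceed-action drop
 ! Everything else that is IP: dropped whether conforming or not.
 class CoPP-IP
  police 32000 1000 conform-action drop exceed-action drop
 ! Must stay last: non-IP control traffic (e.g. CLNS) lands here and is allowed.
 class class-default
  police 1000000 31250 conform-action transmit exceed-action drop
!
! Hardware CoPP on the 7600 requires mls qos to be enabled globally.
mls qos
control-plane
 service-policy input CoPP
```

Verify with `show policy-map control-plane` that the CoPP-IP class counters are increasing only for traffic you intended to drop before relying on it in production.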
