[c-nsp] CoPP on 7600s

Brian Turnbow b.turnbow at twt.it
Fri Nov 27 03:37:00 EST 2015


Hi James

<snip>
> 
> I'm not sure why traffic like BGP would match into both the hardware and
> software policers, when it's such a simple match statement (I am assuming
> that because the packet count under the software counters is much lower than
> the ACL match, so the rest were policed by
> hardware?):
> 
> 
> abr1#show access-lists CoPP-Limit-and-Permit-BGP
> Extended IP access list CoPP-Limit-and-Permit-BGP
>     10 permit tcp any eq bgp any (271268749 matches)
>     20 permit tcp any any eq bgp (265404502 matches)
> 
> 
> Can anyone explain this? And what one can do to stop this?

My understanding is that the 6500/7600 CoPP passes first through the hardware limits and then through software.
So if it is limited by the hardware it will not reach the software policing.
The hardware limit is done on the PFC/DFC and then the traffic is forwarded to the CPU where software limits are applied.
There is also a relationship between hardware CoPP and the MLS rate limiters. The MLS limiters bypass the hardware CoPP as they are special treatment.
There was a diagram of it in one of the CoPP configuration guides.


HTH
Brian


> 
> This isn't causing any major issue, CPU usage averages 14% however I don't
> see much point on software based CoPP, seems like an oxymoron to me.
> 
> Cheers,
> James.
> 
> 
> 
> abr1#show run | s policy-map Control-Plane-Filter-In
> policy-map Control-Plane-Filter-In
>  class CoPP-Limit-and-Permit-Critical
>   police cir 10000000 bc 312500 be 312500
>    conform-action transmit
>    exceed-action transmit
>    violate-action drop
> 
> abr1#show run | s class-map match-any CoPP-Limit-and-Permit-Critical
> class-map match-any CoPP-Limit-and-Permit-Critical
>  match access-group name CoPP-Limit-and-Permit-BGP
>  match access-group name CoPP-Limit-and-Permit-BGPv6
>  match access-group name CoPP-Limit-and-Permit-RSVP
>  match access-group name CoPP-Limit-and-Permit-LDP
>  match access-group name CoPP-Limit-and-Permit-OSPF
>  match access-group name CoPP-Limit-and-Permit-OSPFv3
>  match access-group name CoPP-Limit-and-Permit-HSRP
>  match access-group name CoPP-Limit-and-Permit-BFD
> 
> abr1#show access-lists CoPP-Limit-and-Permit-BGP
> Extended IP access list CoPP-Limit-and-Permit-BGP
>     10 permit tcp any eq bgp any (271268749 matches)
>     20 permit tcp any any eq bgp (265404502 matches)
> 
> abr1#show access-list CoPP-Limit-and-Permit-BGPv6
> IPv6 access list CoPP-Limit-and-Permit-BGPv6
>     permit tcp any  eq bgp any (289479 matches) sequence 10
>     permit tcp any any  eq bgp (3 matches) sequence 20
> 
> abr1#show access-list CoPP-Limit-and-Permit-RSVP
> Extended IP access list CoPP-Limit-and-Permit-RSVP
>     10 permit 46 any any (16834 matches)
> 
> abr1#show access-list CoPP-Limit-and-Permit-LDP
> Extended IP access list CoPP-Limit-and-Permit-LDP
>     10 permit tcp any any eq 646 (319014 matches)
>     20 permit tcp any eq 646 any (2210932 matches)
>     30 permit udp any any eq 646 (21460077 matches)
>     40 permit udp any eq 646 any (230 matches)
> 
> abr1#show access-list CoPP-Limit-and-Permit-OSPF
> Extended IP access list CoPP-Limit-and-Permit-OSPF
>     10 permit ospf any any (10542225 matches)
> 
> abr1#show access-list CoPP-Limit-and-Permit-OSPFv3
> IPv6 access list CoPP-Limit-and-Permit-OSPFv3
>     permit 89 any any sequence 10
> 
> abr1#show access-list CoPP-Limit-and-Permit-HSRP
> Extended IP access list CoPP-Limit-and-Permit-HSRP
>     10 permit udp host 224.0.0.2 eq 1985 any
>     20 permit udp any host 224.0.0.2 eq 1985 (48840573 matches)
>     30 permit udp host 224.0.0.102 eq 1985 any
>     40 permit udp any host 224.0.0.102 eq 1985
> 
> abr1#show access-list CoPP-Limit-and-Permit-BFD
> Extended IP access list CoPP-Limit-and-Permit-BFD
>     10 permit udp any any eq 3784 (17 matches)
>     20 permit udp any eq 3784 any (43 matches)
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
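The two-stage behaviour Brian describes (hardware policer on the PFC/DFC first, software policer on the RP second) can be modelled to see why the ACL match counters end up far higher than the software policer counters. The script below is an added illustration, not code from the thread or from Cisco: it models each stage as a single-rate three-colour policer (RFC 2697 style, which is an assumption about how the platform's `police` behaves) with the parameters from James's policy-map (cir 10000000, bc 312500, be 312500, violate drops, conform and exceed transmit), feeds it a constructed burst followed by a steady trickle, and counts what each stage saw. Every packet that matches the ACL is counted in hardware, but only packets the hardware policer transmits ever reach the software policer.

```python
"""Model of CoPP as two policers in series: hardware (PFC/DFC) then software (RP).

Added example, not from the mailing-list thread. Assumes each stage is a
single-rate three-colour policer (RFC 2697 semantics) with the parameters from
the quoted policy-map. Traffic below is constructed for the demonstration.
"""
from dataclasses import dataclass, field

# Parameters copied from the quoted policy-map.
CIR_BPS = 10_000_000   # cir 10000000 (bits per second)
BC_BYTES = 312_500     # bc 312500
BE_BYTES = 312_500     # be 312500
# conform-action transmit / exceed-action transmit / violate-action drop
ACTIONS = {"conform": "transmit", "exceed": "transmit", "violate": "drop"}


@dataclass
class SrTcmPolicer:
    """Single-rate three-colour policer: committed bucket Tc, excess bucket Te."""
    cir_bps: int
    bc: int
    be: int
    tc: float = field(init=False)
    te: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc = float(self.bc)   # both buckets start full
        self.te = float(self.be)

    def police(self, t: float, size: int) -> str:
        # Refill Tc at the committed rate; overflow spills into Te.
        elapsed = t - self.last
        self.last = t
        self.tc += elapsed * self.cir_bps / 8
        if self.tc > self.bc:
            self.te = min(self.be, self.te + (self.tc - self.bc))
            self.tc = float(self.bc)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"


def run_copp(packets, hw: SrTcmPolicer, sw: SrTcmPolicer, actions=ACTIONS) -> dict:
    """Pass (time, size) packets through hardware then software policing.

    acl_matches counts every packet that hit the class-map ACL (hardware sees
    all of them); sw_seen counts only what survived the hardware policer.
    """
    counters = {
        "acl_matches": 0,
        "hw": {"conform": 0, "exceed": 0, "violate": 0},
        "sw": {"conform": 0, "exceed": 0, "violate": 0},
        "sw_seen": 0,
    }
    for t, size in packets:
        counters["acl_matches"] += 1
        colour = hw.police(t, size)
        counters["hw"][colour] += 1
        if actions[colour] == "drop":
            continue                      # dropped on the PFC/DFC, never punted
        counters["sw_seen"] += 1
        colour = sw.police(t, size)
        counters["sw"][colour] += 1
    return counters


def constructed_traffic():
    """Constructed sample: a 2 MB burst at t=0, then 100 packets at 1 ms spacing."""
    burst = [(0.0, 1000)] * 2000
    trickle = [(1.0 + i * 0.001, 1000) for i in range(100)]
    return burst + trickle


def demo() -> dict:
    hw = SrTcmPolicer(CIR_BPS, BC_BYTES, BE_BYTES)
    sw = SrTcmPolicer(CIR_BPS, BC_BYTES, BE_BYTES)
    return run_copp(constructed_traffic(), hw, sw)


if __name__ == "__main__":
    c = demo()
    print(f"ACL matches (hardware):   {c['acl_matches']}")
    print(f"hardware policer colours: {c['hw']}")
    print(f"reached software policer: {c['sw_seen']}")
    print(f"software policer colours: {c['sw']}")
```

With the constructed burst, the hardware policer transmits 312 conforming and 312 exceeding packets and drops the remaining 1376 as violating, so the software stage sees 624 of the 2000 burst packets (plus the 100 conforming trickle packets). That gap between ACL matches and software-policer counters is the normal consequence of the hardware stage doing its job, not a sign that the class-map is matching twice.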

