[c-nsp] CoPP on 7600s

Mack McBride mack.mcbride at viawest.com
Mon Nov 30 11:57:59 EST 2015 

This is essentially correct.
Some traffic will hit the mls policers if for example no adjacency is found.
If something matches an mls policer then the hardware CoPP will not apply.
Each blade with a DFC will police separately then it will forward to the software policer on the RP.
The PFC will handle blades with CFCs but the same logic applies.

With BGP in particular you want to be careful.
You should make at least three groups.
One for packets with flags, one for packets with just ack that matches expected traffic,
And one for packets with just ack from unexpected sources.  You can divide flag packets
Up with expected and unexpected sources as well.

Mack McBride | Network Architect | ViaWest, Inc.
O: 720.891.2502 | mack.mcbride at viawest.com | www.viawest.com | LinkedIn | Twitter | YouTube


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Turnbow
Sent: Friday, November 27, 2015 1:37 AM
To: 'James Bensley'; 'cisco-nsp at puck.nether.net'
Subject: Re: [c-nsp] CoPP on 7600s

HI James

<snip>
>
> I'm not sure why traffic like BGP would match into both the hardware
> and software policiers, when its such a simple match statement (I am
> assuming that because the packet count under the software counters is
> much lower than the ACL match, so the rest were policied by
> hardware?):
>
>
> abr1#show access-lists CoPP-Limit-and-Permit-BGP Extended IP access
> list CoPP-Limit-and-Permit-BGP
>     10 permit tcp any eq bgp any (271268749 matches)
>     20 permit tcp any any eq bgp (265404502 matches)
>
>
> Can anyony explain this? And what one can do to stop this?

My understanding is that the 6500/7600 copp passes first through the hardware limits and then through  software.
So if it is limited by the hardware it will not reach the software policing.
The hardware limit is done on the pfc/dfc and then the traffic is forwarded to the cpu  where software limits are applied.
There is also a relationship to hardware copp and mls rate limiters. The mls limiters bypass the hardware copp as they are special treatment.
There was a diagram of it in one of the copp configuration guides.


HTH
Brian


>
> This isn't causing any major issue, CPU usage averages 14% however I
> don't see much point on software based CoPP, seems like an oxymoron to me.
>
> Cheers,
> James.
>
>
>
> abr1#show run | s policy-map Control-Plane-Filter-In policy-map
> Control- Plane-Filter-In  class CoPP-Limit-and-Permit-Critical
>   police cir 10000000 bc 312500 be 312500
>    conform-action transmit
>    exceed-action transmit
>    violate-action drop
>
> abr1#show run | s class-map match-any CoPP-Limit-and-Permit-Critical
> class- map match-any CoPP-Limit-and-Permit-Critical  match
> access-group name CoPP-Limit-and-Permit-BGP  match access-group name
> CoPP-Limit-and-Permit-
> BGPv6  match access-group name CoPP-Limit-and-Permit-RSVP  match
> access- group name CoPP-Limit-and-Permit-LDP  match access-group name
> CoPP- Limit-and-Permit-OSPF  match access-group name
> CoPP-Limit-and-Permit-
> OSPFv3  match access-group name CoPP-Limit-and-Permit-HSRP  match
> access-group name CoPP-Limit-and-Permit-BFD
>
> abr1#show access-lists CoPP-Limit-and-Permit-BGP Extended IP access
> list CoPP-Limit-and-Permit-BGP
>     10 permit tcp any eq bgp any (271268749 matches)
>     20 permit tcp any any eq bgp (265404502 matches)
>
> abr1#show access-list CoPP-Limit-and-Permit-BGPv6
> IPv6 access list CoPP-Limit-and-Permit-BGPv6
>     permit tcp any  eq bgp any (289479 matches) sequence 10
>     permit tcp any any  eq bgp (3 matches) sequence 20
>
> abr1#show access-list CoPP-Limit-and-Permit-RSVP Extended IP access
> list CoPP-Limit-and-Permit-RSVP
>     10 permit 46 any any (16834 matches)
>
> abr1#show access-list CoPP-Limit-and-Permit-LDP Extended IP access
> list CoPP- Limit-and-Permit-LDP
>     10 permit tcp any any eq 646 (319014 matches)
>     20 permit tcp any eq 646 any (2210932 matches)
>     30 permit udp any any eq 646 (21460077 matches)
>     40 permit udp any eq 646 any (230 matches)
>
> abr1#show access-list CoPP-Limit-and-Permit-OSPF Extended IP access
> list CoPP-Limit-and-Permit-OSPF
>     10 permit ospf any any (10542225 matches)
>
> abr1#show access-list CoPP-Limit-and-Permit-OSPFv3
> IPv6 access list CoPP-Limit-and-Permit-OSPFv3
>     permit 89 any any sequence 10
>
> abr1#show access-list CoPP-Limit-and-Permit-HSRP Extended IP access
> list CoPP-Limit-and-Permit-HSRP
>     10 permit udp host 224.0.0.2 eq 1985 any
>     20 permit udp any host 224.0.0.2 eq 1985 (48840573 matches)
>     30 permit udp host 224.0.0.102 eq 1985 any
>     40 permit udp any host 224.0.0.102 eq 1985
>
> abr1#show access-list CoPP-Limit-and-Permit-BFD Extended IP access
> list CoPP- Limit-and-Permit-BFD
>     10 permit udp any any eq 3784 (17 matches)
>     20 permit udp any eq 3784 any (43 matches)
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.

More information about the cisco-nsp mailing list