On 3/24/10 5:28 AM, Gert Doering wrote:
Hi,

On Wed, Mar 24, 2010 at 09:55:40AM +0200, Saku Ytti wrote:
On (2010-03-23 21:55 +0100), Gert Doering wrote:

"receive ACL" comes to mind.

I've never understood why this is not available in all platforms.

6500 CoPP is superior to GSR rACL; rACL is done in the LC CPU, the punt path to the
LC CPU is already easily DoSable, and LC CPU performance pukes out rather
easily. There is no way to make an IOS GSR unDoSable, while with the 6500 you can
make it unDoSable, as long as the attacker is not in L2.

Those are implementation details.

What I want, as a router admin, is an easy way to tell the box "drop /
rate-limit all packets to all IP addresses configured on this box" - without
adverse effects on transit packets etc.

You want that on a per interface basis. Or a default for all with the ability to "unapply" for say the uplinks?

Think passive interface default followed by non-passive for the core side.

We program a /32 FIB receive entry for each IP address connected. I don't see why we couldn't have a switch to point them all to a drop adjacency if you want to blackhole all of it.

If that's what you want... wanna help me push for it? ;)


Rodney



The nice thing about receive ACLs is that it automagically applies itself
only to, well, "receive traffic".

How a specific hardware platform maps this to the available hardware ACLs, hardware
rate-limiting machinery, etc., is something Cisco needs to make work in an
optimal way (and it will not work as well on all platforms) - but the key
thing is that the admin does not have to enumerate all the box's IP
addresses if the box already knows what its IP addresses are...

(So in general, I agree with you, I just want a more fool-proof way to
configure CoPP-drop-default in a way that has no surprising side-effects)

gert
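
An added illustration of the enumeration problem Gert describes (this is not code from the thread or from any Cisco tool): a small Python check that parses a constructed IOS-style config, collects every address the box is configured with, and reports the ones a hand-built CoPP-style extended ACL never names as a destination. The sample config, the ACL name and the convention that the last "host X" token on an entry is the destination are assumptions made for the example.

```python
import re
from ipaddress import ip_address

# Constructed IOS-style config (sample data, not a real router): the secondary on Gi1/1 never made it into the ACL.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface GigabitEthernet1/1
 ip address 198.51.100.1 255.255.255.252
 ip address 198.51.100.9 255.255.255.252 secondary
!
interface GigabitEthernet1/2
 ip address 203.0.113.5 255.255.255.0
!
ip access-list extended COPP-RECEIVE
 permit tcp host 203.0.113.10 host 192.0.2.1 eq 22
 permit ip any host 192.0.2.1
 permit ip any host 198.51.100.1
 permit ip any host 203.0.113.5
 deny ip any any
"""

# Interface-mode 'ip address A.B.C.D MASK [secondary]' lines; 'ip address dhcp' is skipped.
ADDR_RE = re.compile(r"^\s+ip address\s+(\d+(?:\.\d+){3})\s+\S+", re.M)

def configured_addresses(config):
    """Every IPv4 address the box itself answers on, primary and secondary."""
    return {ip_address(m.group(1)) for m in ADDR_RE.finditer(config)}

def acl_destination_hosts(config, acl_name):
    """Destination hosts named in one extended ACL (assumes the last 'host X'
    token on an entry is the destination, i.e. IOS source-then-destination order)."""
    hosts, in_acl = set(), False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == acl_name
        elif not line.startswith(" "):
            in_acl = False  # any other top-level line ends the ACL body
        elif in_acl:
            found = re.findall(r"\bhost\s+(\d+(?:\.\d+){3})", line)
            if found:
                hosts.add(ip_address(found[-1]))
    return hosts

def find_uncovered(config, acl_name):
    """Configured addresses the ACL never names as a destination: receive
    traffic the hand-built policy silently does not see."""
    missing = configured_addresses(config) - acl_destination_hosts(config, acl_name)
    return [str(a) for a in sorted(missing)]
```

Running it against a real config after every interface change is the kind of audit a receive ACL makes unnecessary, since rACL matches receive traffic without the admin listing destinations.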



_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
