Phil Mayers <[email protected]> wrote:
>> I have a few 6500 Sup720/3BXL boxes running various releases of
>> 12.2(33)SXI and SXJ that seem to drop all IPv6 fragments in transit as
>> soon as CoPP is enabled. There are no CoPP drops logged. Even when I
>> remove all police lines from the policy-map the packets still get
>> dropped. As soon as I disable CoPP the packets get through.
>>
>> I know that IPv6 fragments are not well supported in PFC3B, but is this
>> sort of behaviour expected? Are there any workarounds?
>
> What does your CoPP policy look like?

It's longish, I'll cut a few duplicates to make it easier to read.

ip access-list extended CoPP-critical-in
 remark Control plane critical traffic - inbound
 permit ospf 169.254.0.0 0.0.0.255 any ! OSPFv2
 permit tcp 169.254.0.0 0.0.1.255 eq 179 169.254.0.0 0.0.1.255 ! iBGP
 permit tcp 169.254.0.0 0.0.1.255 169.254.0.0 0.0.1.255 eq 179 ! iBGP
 permit tcp 169.254.0.0 0.0.0.255 eq 646 169.254.0.0 0.0.0.255 ! LDP
 permit tcp 169.254.0.0 0.0.0.255 169.254.0.0 0.0.0.255 eq 646 ! LDP
 permit udp any host 224.0.0.2 eq 646 ! LDP
 permit icmp host 169.254.1.36 any echo
 deny ip any any
ip access-list extended CoPP-important-in
 permit ip host 169.254.1.36 any
 permit tcp 169.254.0.0 0.0.1.255 any eq 22
 permit tcp 169.254.0.0 0.0.1.255 any eq 23
 permit udp host 169.254.1.224 eq ntp any
 permit udp host 169.254.1.225 eq ntp any
 permit tcp host 169.254.1.224 eq tacacs any established
 permit tcp host 169.254.1.225 eq tacacs any established
 permit udp 169.254.1.64 0.0.0.7 any eq snmp
 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
 permit udp any eq bootps any eq bootps
 <some eBGP sessions>
 deny ip any any
ip access-list extended CoPP-normal-in
 remark Control plane normal traffic - inbound
 remark ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any parameter-problem
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any
ip access-list extended CoPP-reflexive-in
 remark Control plane traffic due to "reflect" filter statements
 deny ip any any
ip access-list extended CoPP-unwanted-in
 remark Control plane unwanted traffic - inbound
 permit udp any any eq 137 ! NETBIOS Name Service
 permit udp any any eq 631 ! CUPS Browsing
 permit udp any any eq 161
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 deny ip any any
ip access-list extended CoPP-default-in
 remark Control plane default traffic - inbound
 permit ip any any

ipv6 access-list CoPP-critical-in-IPv6
 remark Control plane critical traffic - inbound IPv6
 permit 89 FE80::/32 any ! OSPFv3
 permit tcp 2001:DB8::/64 eq bgp 2001:DB8::/64 ! iBGP
 permit tcp 2001:DB8::/64 2001:DB8::/64 eq bgp ! iBGP
 <some eBGP sessions>
 permit udp FE80::/64 FF02::66/128 eq 2029 ! IPv6 HSRP
 permit udp FE80::/64 FF02::9/128 eq 521 ! RIPng
 deny ipv6 any any
ipv6 access-list CoPP-important-in-IPv6
 remark Control plane important traffic - inbound IPv6
 permit tcp 2001:DB8:0::/48 any eq 23
 permit tcp 2001:DB8:100:3::/64 any eq 23
 deny ipv6 any any
ipv6 access-list CoPP-normal-in-IPv6
 remark Control plane normal traffic - inbound IPv6
 permit icmp any any echo-request ! Ping
 permit icmp any any nd-ns ! Neighbor discovery
 permit icmp any any nd-na ! Neighbor discovery
 deny ipv6 any any
ipv6 access-list CoPP-reflexive-in-IPv6
 remark Control plane normal traffic - inbound IPv6
 deny ipv6 any any
ipv6 access-list CoPP-unwanted-in-IPv6
 remark Control plane unwanted traffic - inbound IPv6
 permit 89 any any ! OSPFv3
 deny any any
ipv6 access-list CoPP-default-in-IPv6
 remark Control plane default traffic - inbound IPv6
 permit ipv6 any any

class-map match-any CoPP-critical-in
 description things that should never ever be dropped (e.g. routing protocols)
 match access-group name CoPP-critical-in
 match access-group name CoPP-critical-in-IPv6
class-map match-any CoPP-important-in
 description Important stuff for administration
 match access-group name CoPP-important-in
 match access-group name CoPP-important-in-IPv6
class-map match-any CoPP-reflexive-in
 match access-group name CoPP-reflexive-in
 match access-group name CoPP-reflexive-in-IPv6
class-map match-any CoPP-normal-in
 match access-group name CoPP-normal-in
 match access-group name CoPP-normal-in-IPv6
class-map match-any CoPP-unwanted-in
 match access-group name CoPP-unwanted-in
 match access-group name CoPP-unwanted-in-IPv6
class-map match-any CoPP-arp-in
 match protocol arp
class-map match-any CoPP-default-in
 match access-group name CoPP-default-in
 match access-group name CoPP-default-in-IPv6

policy-map CoPP-in
 class CoPP-critical-in
 class CoPP-important-in
 class CoPP-reflexive-in
 class CoPP-normal-in
  police 128000 16000 16000 conform-action transmit exceed-action drop
 class CoPP-unwanted-in
  police 128000 16000 16000 conform-action drop exceed-action drop
 class CoPP-arp-in
  police 128000 16000 16000 conform-action transmit exceed-action drop
 class CoPP-default-in
  police 128000 16000 16000 conform-action transmit exceed-action drop

I've even tried adding "permit ipv6 any any" to CoPP-critical-in-IPv6 to
effectively disable CoPP for IPv6, but the packets still get dropped.

Bernhard
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
