Control Plane Policing

hjan hjan at libero.it
Thu Jun 1 10:07:00 UTC 2006


Hello,
I have read Cisco's doc about CPP and I've also read the good 
documentation written by John Kristoff about CPP,
in which some implementation examples are included.
I did some tests in our lab environment, a GSR 12410 with IOS 12.0(32)S2, 
but I'm not satisfied with the result.

Suppose this sample conf:

access-list 168 permit icmp any loopback0 0.0.0.0
access-list 169 permit any

class-map cp-icmp
 match access-group 168
class-map cp-default
 match access-group 169
 
policy-map cp-traffic
 class cp-icmp
  police 8000 conform-action transmit exceed-action drop
 class cp-default
  priority

control-plane
 service-policy input cp-traffic


Then I ping loopback0 from a host or a router, and I noticed that 
the policy takes effect only if I set an MTU or packet size > 1500 
(in fact 1480, so with the standard IP header it is always 1500).
In fact, if I issue sh policy-map control-plane with a small packet 
size, all traffic seems to be matched
by the cp-default class:
 
 Service-policy input: cp-traffic (225)

    Class-map: cp-icmp (match-all) (4925921/1)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 168 (15210210)
      police:
          cir 8000 bps, bc 4470 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: cp-default (match-all) (14530241/2)
      151 packets, 11967 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: access-group 3 (1872818)

    Class-map: class-default (match-any) (9318433/0)
      3149 packets, 333931 bytes
      5 minute offered rate 1000 bps, drop rate 0 bps
      Match: any  (4397474)

Instead with a greater size:

Class-map: cp-icmp (match-all) (4925921/1)
      22 packets, 16896 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: access-group 168 (15210210)
      police:
          cir 8000 bps, bc 4470 bytes
        conformed 20 packets, 13888 bytes; actions:
          transmit
        exceeded 2 packets, 3008 bytes; actions:
          drop
        conformed 2000 bps, exceed 0 bps


Is there anyone with some idea, or anyone who can share experience with me?

Thanks
Gianluca
Italy


