Control Plane Policing

John Kristoff jtk at ultradns.net
Thu Jun 1 13:26:26 UTC 2006


On Thu, 01 Jun 2006 12:07:00 +0200
hjan <hjan at libero.it> wrote:

> I have read Cisco's doc about cpp and I've also read the good
> documentation written by John Kristoff about cpp
> in which some implementation examples are included.

The cisco-nsp mailing list is probably a better place for anything
specific to Cisco's CoPP, but I'll quickly respond here, because the
issue is general enough and others might be interested.

You might be interested in reviewing a brief talk I did at the last
Joint Techs.  I went over some of the experiences and lessons learned:

  <http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2444&event=243>

Note, the title is Tripping on QoS, but there is CoPP stuff in there.
Unfortunately I don't think the session was audio or video recorded.
A key point I'd like to make since I originally wrote that page is
that it is quite difficult, and probably not the best approach, to use
a control plane policy where you end up shovelling any unmatched stuff
into a general rate limiter.  Phil Rosenthal probably has the right
idea to specifically pass things you know you want, maybe rate limiting
them, but then have a default deny.

> access-list 168 permit icmp any loopback0 0.0.0.0

That doesn't look right.  You do not need to specify a loopback
address.  By definition, the control plane policy will apply to
any router interface, so perhaps you meant to say something like
this:

  access-list 168 permit icmp any any

Although I'm not sure I'd recommend doing what you're doing except
for testing purposes.  You have to think very carefully about what
could happen when you start rate limiting protocols generally.  For
example, if something ICMP floods your router, will your network
availability monitoring system's traffic get starved out?

John

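Added configuration example (not from John's message, the Joint Techs talk, or Cisco's documentation) showing the default-deny style of policy the reply recommends: only explicitly permitted traffic reaches the control plane, each class carries its own rate limit, the monitoring system's ICMP probes sit in a class of their own so a general ICMP flood cannot starve them, and everything unmatched is dropped. Addresses, rates, burst sizes and class names are placeholder assumptions.

```cisco
! Added example, not from the list message. Addresses are placeholders.
! Monitoring system's probes get their own class so a general ICMP flood
! cannot starve them (the failure mode raised in the reply above).
ip access-list extended COPP-MONITOR-ICMP
 permit icmp host 192.0.2.50 any
!
! All other ICMP to the router, matched with "any any" rather than a
! loopback address, since CoPP already applies to every interface.
ip access-list extended COPP-ICMP
 permit icmp any any echo
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
!
! Known BGP peer and management network (placeholder addresses).
ip access-list extended COPP-BGP
 permit tcp host 192.0.2.10 any eq bgp
 permit tcp host 192.0.2.10 eq bgp any
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
!
class-map match-all COPP-MONITOR-ICMP
 match access-group name COPP-MONITOR-ICMP
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
!
! Permitted classes in order, each with its own limit (bps, burst bytes).
! Anything that reaches class-default is dropped: the "default deny".
policy-map COPP
 class COPP-BGP
  police 512000 16000 conform-action transmit exceed-action drop
 class COPP-MGMT
  police 128000 8000 conform-action transmit exceed-action drop
 class COPP-MONITOR-ICMP
  police 32000 4000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 32000 4000 conform-action transmit exceed-action drop
 class class-default
  police 8000 1500 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
```

Before relying on the default drop, watch the per-class counters with `show policy-map control-plane` for a while to confirm nothing needed (routing adjacencies, management access, monitoring) is landing in class-default.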

