North American Network Operators Group


Control Plane Policing

  • From: hjan
  • Date: Thu Jun 01 06:08:08 2006


Hello,
I have read Cisco's doc about CPP, and I've also read the good documentation written by John Kristoff about CPP,
in which some implementation examples are included.
I did some tests in our lab environment, a GSR 12410 with IOS 12.0(32)S2, but I'm not satisfied with the results.

Suppose this sample conf:

access-list 168 permit icmp any loopback0 0.0.0.0
access-list 169 permit any

class-map cp-icmp
 match access-group 168
class-map cp-default
 match access-group 169

policy-map cp-traffic
 class cp-icmp
  police 8000 conform-action transmit exceed-action drop
 class cp-default
  priority

control-plane
 service-policy input cp-traffic


Then I ping the loopback0 from a host or a router, and I noticed that the policy takes effect only if I set an MTU or packet size > 1500
(in fact 1480, so with the standard IP header it is always 1500).
In fact, if I issue sh policy-map control-plane with a small packet size, all traffic seems to be matched
by the cp-default class:

 Service-policy input: cp-traffic (225)

   Class-map: cp-icmp (match-all) (4925921/1)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: access-group 168 (15210210)
     police:
       cir 8000 bps, bc 4470 bytes
       conformed 0 packets, 0 bytes; actions:
         transmit
       exceeded 0 packets, 0 bytes; actions:
         drop
       conformed 0 bps, exceed 0 bps

   Class-map: cp-default (match-all) (14530241/2)
     151 packets, 11967 bytes
     5 minute offered rate 2000 bps, drop rate 0 bps
     Match: access-group 3 (1872818)

   Class-map: class-default (match-any) (9318433/0)
     3149 packets, 333931 bytes
     5 minute offered rate 1000 bps, drop rate 0 bps
     Match: any (4397474)

Instead, with a greater size:

   Class-map: cp-icmp (match-all) (4925921/1)
     22 packets, 16896 bytes
     5 minute offered rate 2000 bps, drop rate 0 bps
     Match: access-group 168 (15210210)
     police:
       cir 8000 bps, bc 4470 bytes
       conformed 20 packets, 13888 bytes; actions:
         transmit
       exceeded 2 packets, 3008 bytes; actions:
         drop
       conformed 2000 bps, exceed 0 bps


Is there anyone with some ideas, or anyone who can share their experience with me?

Thanks
Gianluca
Italy