North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Control Plane Policing

  • From: John Kristoff
  • Date: Thu Jun 01 09:27:41 2006

On Thu, 01 Jun 2006 12:07:00 +0200
hjan <[email protected]> wrote:

> I have read cisco's doc about cpp and i've also read the good 
> documentation written by John Kristoff about cpp
> in wich are included some implementation example.

The cisco-nsp mailing list is probably a better place for anything
specific to Cisco's CoPP, but I'll quickly respond here, because the
issue is general enough and others might be interested.

You might be interested in reviewing a brief talk I did at the last
Joint Techs.  I went over some of the experiences and lessons learned:


Note, the title is Tripping on QoS, but there is CoPP stuff in there.
Unfortunately I don't think the session was audio or video recorded.
A key point I'd like to make since I originally wrote that page is
that it is quite difficult, and probably not the best approach, to use
a control plane policy where you end up shovelling any unmatched stuff
into a general rate limiter.  Phil Rosenthal probably has the right
idea to specifically pass things you know you want, maybe rate limiting
them, but then have a default deny.

> access-list 168 permit icmp any loopback0

That doesn't look right.  You do not need to specify a loopback
address.  By definition, the control plane policy will apply to
any router interface, so perhaps you meant to say something like

  access-list 168 permit icmp any any

Although I'm not sure I'd recommend doing what you're doing except
for testing purposes.  You have to think very carefully about what
could happen when you start rate limiting protocols generally.  For
example, if something ICMP floods your router, will your network
availability monitoring system's traffic get starved out?