Cisco CoPP
Cisco CoPP Best practices
Cisco CoPP Cat6k
http://events.cisco.hu/2014/techtorial/doc/lavarga_v1.0.pdf
Hi All,
Thanks for all the valuable input!
I wrote up a CoPPs policy, and deployed it in a non-limiting fasion
and monitored for a while. Once happy we enabled the policers and its
working fine, however the software counters are going up, and it’s not
clear to me why that is.
Further down is the config, immediately below is partial the output
from an example 7600 (as the CoPPs policy is quite long):
abr1#show policy-map control-plane input
Control Plane
Service-policy input: Control-Plane-Filter-In
Hardware Counters:
class-map: CoPP-Limit-and-Permit-Critical (match-any)
Match: access-group name CoPP-Limit-and-Permit-BGP
Match: access-group name CoPP-Limit-and-Permit-BGPv6
Match: access-group name CoPP-Limit-and-Permit-RSVP
Match: access-group name CoPP-Limit-and-Permit-LDP
Match: access-group name CoPP-Limit-and-Permit-OSPF
Match: access-group name CoPP-Limit-and-Permit-OSPFv3
Match: access-group name CoPP-Limit-and-Permit-HSRP
Match: access-group name CoPP-Limit-and-Permit-BFD
police :
10000000 bps 312000 limit 312000 extended limit
Earl in slot 6 :
631028621 bytes
5 minute offered rate 86968 bps
aggregate-forwarded 631028621 bytes action: transmit
exceeded 0 bytes action: transmit
aggregate-forward 79648 bps exceed 0 bps
Software Counters:
Class-map: CoPP-Limit-and-Permit-Critical (match-any)
4646556 packets, 411683229 bytes
5 minute offered rate 54000 bps, drop rate 0000 bps
Match: access-group name CoPP-Limit-and-Permit-BGP
4035626 packets, 367873184 bytes
5 minute rate 48000 bps
Match: access-group name CoPP-Limit-and-Permit-BGPv6
2101 packets, 174550 bytes
5 minute rate 0 bps
Match: access-group name CoPP-Limit-and-Permit-RSVP
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name CoPP-Limit-and-Permit-LDP
173745 packets, 13108073 bytes
5 minute rate 1000 bps
Match: access-group name CoPP-Limit-and-Permit-OSPF
77045 packets, 8382206 bytes
5 minute rate 1000 bps
Match: access-group name CoPP-Limit-and-Permit-OSPFv3
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name CoPP-Limit-and-Permit-HSRP
358039 packets, 22145216 bytes
5 minute rate 2000 bps
Match: access-group name CoPP-Limit-and-Permit-BFD
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 10000000 bps, bc 312500 bytes, be 312500 bytes
conformed 4646556 packets, 411683229 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
violated 0 packets, 0 bytes; actions:
drop
conformed 54000 bps, exceeded 0000 bps, violated 0000 bps
I’m not sure why traffic like BGP would match into both the hardware
and software policiers, when its such a simple match statement (I am
assuming that because the packet count under the software counters is
much lower than the ACL match, so the rest were policied by
hardware?):
I am trying to write a CoPP template for some 7600s running as PEs. It
> would be handy if they were running a similar CoPP configuration to
> that on our Juniper PEs we are going to be connecting these 7600’s too
> so we have consistent CoPP across that domain of equally exposed
It’s not going to be consistent, CoPP does work, but can’t really compete with over decade newer Trio kit.
> CoPP on 7600’s can’t police ARP but one can use the MLS HWRL for that.
> The HWRLs can also handle other protocols like HSRP and CoPP can’t
> police multicast in hardware, so do people usually police ARP and HSRP
> using the MLS HWRLs instead of CoPP?
Pretty sure HSRP works just fine. For multicast, you just need to allow all multicast in CoPP (otherwise it’s processed by software CoPPP, which you don’t
want) and then limit in mls rate-limit.
> The HWRLs support other protocols too that ARE supported in CoPP in
> hardware, so are there any other protocols that people prefer to
> police using the HWRLs?
Example please, I cannot recall overlap.
> With regards to ACLs, do people really have giant access lists of
> peers they allow BGP to/from? The 7600 I am piloting this on has over
Yes. Two, one low rate for SYN and one for other BGP, alas. However if your master configuration data is not network, but database, then it does not really matter how complex or simple the network configuration is, as it’s generated automatically from database.
If it’s pure CLI jockey network, it can be a challenge.
But even this is isn’t as good as it should be, as each neighbour would need to have their own policer, like Cisco LPTS or Juniper ddos-protection can do.
But this is one of those things where you’ll rather carry a risk than overcomplicate the configuration.
> any any eq 179″ as above then I feel I need to police, unless I can
> guarantee at the edge I have filtered out traffic on TCP 179 from
> everywhere it shouldn’t be coming from. What approach to others take
> here? Why?
I have opted for simplicity, I have CoPP class for internal signalling stuff, which is critical, another for important customer/peer stuff, like BGP, and another for unimportant stuff (ping, udp traceroute…)
> What do people do with unusual traffic like IP fragments? I am
> discarding them. Thoughts?
If you can get away discarding fragments hitting control-plane, do it. If not, police it.
> What about packets with IP options set, I am allowing record-route
> only and dropping the rest. Thoughts?
No on expects IP options to work in the Internet, there is mls command to police them, I would do that, even for transit
> ICMP, I’m just proposing to allow the follow:
> ip access-list extended CoPP-Limit-and-Permit-ICMP permit icmp any
> any echo permit icmp any any echo-request permit icmp any any
> unreachable permit icmp any any ttl-exceeded permit icmp any any
> packet-too-big deny icmp any any
>
> Again, any thoughts there?
Never use ‘deny’ in PFC3 CoPP ACLs. It’s not needed, and it may not be supported and may cause negative match and stop of evaluation (i.e. won’t fall to next classs).