Hi,

My question is to do with the ACL filtering that is performed on the PFC, since i'm testing the use of CoPP.

As an example:

- My machine (130.194.50.1) is connected to a switchport on a 6509, running a SUP720, PFC3B

- My machine is configured on VLAN50, where the subnet 130.194.50.0/24 is homed on this 6509.

- An appropriate ACL (in and out) is applied to the SVI for VLAN50.

- There is also an ACL applied to the VTY lines on the router, allowing only SSH connections from certain hosts. Note, for this test case my machine is not permited to SSH to the router.

TEST:

- If i try to SSH to my default gateway (130.194.50.254), i cannot, so this verifies that the ACLs attached to the VTY lines are working as expected.

However, if i generate a huge amount of UDP traffic (in the order of 5Mbps) from my machine to my gateway 130.194.50.254, port 22, i notice that the CPU load increases from 5% to about 20-30 within a matter of seconds.

(Note, I'm running this test just as a test case to see how useful Control Plane Policing will be to us)

Noticing this, my question is:

- When a packet enters the PFC to be L3 switches, shouldn't the ACLs (which govern what devices are permitted access to the router on port 22) have firstly stopped my flood of data to port 22, whether it be UDP or TCP? Thus preventing the CPU from reaching 30%.

- I would have expected that the VTY ACLs would have stopped my flood in hardware - am i missing something?

thanks

Sheldon