CoPP

Dec 11th, 2008

Hi,


Can anyone offer me advice on configuring CoPP on internet-facing edge routers?


I'm running 12.4(21a) on 7200VXRs.


I have an initial configuration with the usual well documented classifications (http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html) and can access the proper values (I think) from CISCO-CLASS-BASED-QOS-MIB, which I could graph in MRTG without too much difficulty. Here's the output from 'sh policy-map control-plane':


sh policy-map control-plane | include offered
5 minute offered rate 0 bps, drop rate 0 bps
5 minute offered rate 1000 bps
5 minute offered rate 2000 bps
5 minute offered rate 0 bps
5 minute offered rate 0 bps
5 minute offered rate 1000 bps
5 minute offered rate 0 bps, drop rate 0 bps


These values are 'bursty' and seem to come in multiples of 1000. Is there any merit in graphing these values over time and setting CoPP MQC values from that? It feels a bit crude.


Thanks,

Mark


Collin Clark Fri, 12/12/2008 - 07:32

Mark-


I've been wondering the same thing. One thing that I have not verified is that under normal circumstances will it even show a rate? If it's anything like data plane QoS, it should only be in effect when saturated. If that's correct, how do we properly configure the CoPP so we can access our devices during a SNAFU? I settled on "wait and see" or, if I ever get some lab time, I could test it. I am curious, if you are monitoring, what are you seeing as far as load?

UTVi-NetAdmin Fri, 12/12/2008 - 08:07

Hi Collin,


Usually a max of 2000 bps on the CoPP-catch-all, CoPP-normal, or class-default, and that's it.


I have been trying to find out what is hitting the ACLs, but when you can't use the 'log' keyword, things get tricky:


Class-map: CoPP-normal (match-any)
381708 packets, 28473256 bytes
5 minute offered rate 2000 bps
Match: access-group 123
381708 packets, 28473256 bytes
5 minute rate 2000 bps

sh access-lists 123
Extended IP access list 123
10 permit icmp any any ttl-exceeded (3968 matches)
20 permit icmp any any port-unreachable (271 matches)
30 permit icmp any any echo-reply (78 matches)
40 permit icmp any any echo (391277 matches)
50 permit icmp any any packet-too-big (1 match)


Any thoughts?


Thanks,

Mark
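As an added example (not from the thread or from Cisco), here is a small parser for the 'show policy-map control-plane' output format quoted above: it pulls the per-class offered and drop rates without double counting the per-Match counters, flags classes whose policer is actually discarding packets, and turns a series of polled offered rates into a candidate police rate. The sample output is constructed in the thread's format, and the sizing rule (peak times a headroom factor, rounded up to 1 kbps, with an 8 kbps floor) is an assumption of mine, not Cisco guidance.

```python
"""Parse 'show policy-map control-plane' output and size CoPP policers from trends.
SAMPLE below is a constructed snippet in the format the thread shows, not a real capture."""
import re

SAMPLE = """\
  Class-map: CoPP-normal (match-any)
   381708 packets, 28473256 bytes
   5 minute offered rate 2000 bps, drop rate 0 bps
   Match: access-group 123
    381708 packets, 28473256 bytes
    5 minute rate 2000 bps
  Class-map: CoPP-catch-all (match-any)
   9120 packets, 1104320 bytes
   5 minute offered rate 3000 bps, drop rate 1000 bps
  Class-map: class-default (match-any)
   52 packets, 4160 bytes
   5 minute offered rate 0 bps
"""
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"offered rate (\d+) bps(?:, drop rate (\d+) bps)?")

def parse_control_plane(text):
    """Return {class: {packets, bytes, offered_bps, drop_bps}}. Only the first counter
    line after a Class-map header is the class total; later ones belong to Match: lines."""
    classes, cur = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = m[1]
            classes[cur] = dict(packets=None, bytes=None, offered_bps=None, drop_bps=None)
            continue
        if cur is None:
            continue
        m = COUNT_RE.match(line)
        if m and classes[cur]["packets"] is None:
            classes[cur]["packets"], classes[cur]["bytes"] = int(m[1]), int(m[2])
        m = RATE_RE.search(line)  # '5 minute rate' under a Match: line has no 'offered'
        if m and classes[cur]["offered_bps"] is None:
            classes[cur]["offered_bps"] = int(m[1])
            classes[cur]["drop_bps"] = int(m[2]) if m[2] else None  # None: no policer shown
    return classes

def dropping_classes(classes):
    """Classes whose policer is currently discarding traffic (drop rate > 0)."""
    return sorted(n for n, c in classes.items() if c["drop_bps"])

def suggest_police_bps(offered_samples, headroom=2.0, floor_bps=8000):
    """Assumed heuristic: peak polled offered rate x headroom, rounded up to 1 kbps."""
    peak = max(offered_samples, default=0)
    return max(floor_bps, -(-int(peak * headroom) // 1000) * 1000)
```

Poll the command (or the equivalent CISCO-CLASS-BASED-QOS-MIB counters) at the same interval MRTG uses, feed each class's offered rates to suggest_police_bps, and watch dropping_classes to see when a policer starts biting.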

