CoPP

UTVi-NetAdmin
Level 1

Hi,

Can anyone offer me advice on configuring CoPP on internet-facing edge routers?

I'm running 12.4(21a) on 7200VXR's.

I have an initial configuration with the usual well documented classifications (http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html) and can access the proper values (I think) from CISCO-CLASS-BASED-QOS-MIB, which I could graph in MRTG without too much difficulty. Here's the output from 'sh policy-map control-plane':

sh policy-map control-plane | include offered
5 minute offered rate 0 bps, drop rate 0 bps
5 minute offered rate 1000 bps
5 minute offered rate 2000 bps
5 minute offered rate 0 bps
5 minute offered rate 0 bps
5 minute offered rate 1000 bps
5 minute offered rate 0 bps, drop rate 0 bps

These values are 'bursty' and seem to come in multiples of 1000. Is there any merit in graphing these values over time and setting CoPP MQC values from that? It feels a bit crude.

Thanks,

Mark
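The post above asks whether it is worth graphing the per-class rates over time. The following is an added example (not from Cisco, the MIB, or the original poster) of the parsing step such a poller needs: it reads the text of 'sh policy-map control-plane' in the 12.4 layout quoted in the thread, extracts per-class packet/byte counters and the offered/drop rates, flags any class that is currently dropping, and formats one class as the four-line output MRTG expects from an external script. The sample output, the class names other than the ones quoted in the thread, and the policer values are constructed for the example.

```python
"""Parse 'show policy-map control-plane' output into per-class counters.

Added example for this thread (not from Cisco or the original poster).
It assumes the IOS 12.4 text layout shown in the thread: a 'Class-map:' line,
a 'N packets, M bytes' line, then a '5 minute offered rate ... bps' line that
carries ', drop rate ... bps' only for classes that have a policer attached.
"""
import re

# Constructed sample in the shape of the thread's output (not a real capture).
SAMPLE_OUTPUT = """\
Control Plane

  Service-policy input: CoPP

    Class-map: CoPP-critical (match-any)
      120 packets, 9600 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 120
        120 packets, 9600 bytes
        5 minute rate 0 bps
      police:
          cir 1000000 bps, bc 31250 bytes
        conformed 120 packets, 9600 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: CoPP-normal (match-any)
      381708 packets, 28473256 bytes
      5 minute offered rate 2000 bps
      Match: access-group 123
        381708 packets, 28473256 bytes
        5 minute rate 2000 bps

    Class-map: CoPP-catch-all (match-any)
      5000 packets, 400000 bytes
      5 minute offered rate 1000 bps, drop rate 1000 bps
      Match: access-group 124
        5000 packets, 400000 bytes
        5 minute rate 1000 bps
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 4000 packets, 320000 bytes; actions:
          transmit
        exceeded 1000 packets, 80000 bytes; actions:
          drop
        conformed 0 bps, exceed 1000 bps

    Class-map: class-default (match-any)
      77 packets, 6160 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-\w+)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"^\s*5 minute offered rate (\d+) bps(?:, drop rate (\d+) bps)?")


def parse_copp(text):
    """Return {class_name: {...}} for every class-map in the output."""
    stats = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"match": m.group(2), "packets": None, "bytes": None,
                       "offered_bps": None, "drop_bps": None}
            stats[m.group(1)] = current
            continue
        if current is None:
            continue
        m = COUNT_RE.match(line)
        if m and current["packets"] is None:      # first counter line only:
            current["packets"] = int(m.group(1))  # the per-Match lines repeat it
            current["bytes"] = int(m.group(2))
            continue
        m = RATE_RE.match(line)
        if m and current["offered_bps"] is None:
            current["offered_bps"] = int(m.group(1))
            # No policer on the class -> IOS prints no drop rate; treat as 0.
            current["drop_bps"] = int(m.group(2)) if m.group(2) else 0
    return stats


def classes_with_drops(stats):
    """Names of classes currently dropping: the first thing to alert on."""
    return sorted(name for name, s in stats.items() if s["drop_bps"])


def mrtg_lines(stats, class_name):
    """Four-line MRTG 'external script' output: offered, dropped, uptime, name."""
    s = stats[class_name]
    return "\n".join([str(s["offered_bps"]), str(s["drop_bps"]), "", class_name])


if __name__ == "__main__":
    parsed = parse_copp(SAMPLE_OUTPUT)
    for name, s in parsed.items():
        print(f"{name:16} offered={s['offered_bps']:>6} bps "
              f"drop={s['drop_bps']:>6} bps pkts={s['packets']}")
    print("dropping:", classes_with_drops(parsed))
```

Two things worth graphing rather than only the offered rate: the drop rate per class (a non-zero value on a critical class is the signal that the policer is now costing you routing protocol or management traffic), and the delta of the cumulative packets counter between polls. The "5 minute" figures are smoothed over the load interval and reported coarsely, which is why they look bursty and land on round numbers; counter deltas over a fixed polling interval give an exact average for that interval and are a better basis for choosing policer values.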

2 Replies

Collin Clark
VIP Alumni

Mark-

I've been wondering the same thing. One thing I have not verified is whether, under normal circumstances, it will even show a rate. If it's anything like data plane QoS, it should only be in effect when saturated. If that's correct, how do we properly configure the CoPP so we can access our devices during a SNAFU? I settled on "wait and see" or, if I ever get some lab time, I could test it. I am curious, if you are monitoring, what are you seeing as far as load?

Hi Collin,

Usually a max of 2000 bps on the CoPP-catch-all, CoPP-normal, or class-default, and that's it.

I have been trying to find out what is hitting the ACLs, but when you can't use the 'log' keyword, things get tricky:

Class-map: CoPP-normal (match-any)
381708 packets, 28473256 bytes
5 minute offered rate 2000 bps
Match: access-group 123
381708 packets, 28473256 bytes
5 minute rate 2000 bps

sh access-lists 123
Extended IP access list 123
10 permit icmp any any ttl-exceeded (3968 matches)
20 permit icmp any any port-unreachable (271 matches)
30 permit icmp any any echo-reply (78 matches)
40 permit icmp any any echo (391277 matches)
50 permit icmp any any packet-too-big (1 match)

Any thoughts?

Thanks,

Mark
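Without the 'log' keyword, the per-ACE match counters from 'sh access-lists' are still enough to see which entry is absorbing the traffic in a class: take two snapshots a known interval apart and diff them. The following is an added example (not from Cisco or the original poster) that parses two such snapshots and ranks the ACEs by hits gained and packets per second. The first snapshot reuses the counters quoted above; the second snapshot, the 60-second interval, and the extra 'unreachable' entry with no matches are constructed for the example.

```python
"""Attribute CoPP class hits to individual ACL entries by diffing counters.

Added example for this thread, not from Cisco or the original poster. When the
'log' keyword is unavailable, two snapshots of 'show access-lists' taken a known
interval apart still tell you which ACE is absorbing the traffic.
"""
import re

ACL_HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)")
# seq, action, rule text, optional "(N match|matches)"; IOS omits the
# parenthetical entirely for an entry that has never matched.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

# Snapshot 1: constructed to match the counters quoted in the thread.
SNAPSHOT_T0 = """\
Extended IP access list 123
    10 permit icmp any any ttl-exceeded (3968 matches)
    20 permit icmp any any port-unreachable (271 matches)
    30 permit icmp any any echo-reply (78 matches)
    40 permit icmp any any echo (391277 matches)
    50 permit icmp any any packet-too-big (1 match)
    60 permit icmp any any unreachable
"""

# Snapshot 2: constructed, taken 60 seconds later; echo keeps climbing.
SNAPSHOT_T1 = """\
Extended IP access list 123
    10 permit icmp any any ttl-exceeded (3971 matches)
    20 permit icmp any any port-unreachable (271 matches)
    30 permit icmp any any echo-reply (80 matches)
    40 permit icmp any any echo (391877 matches)
    50 permit icmp any any packet-too-big (1 match)
    60 permit icmp any any unreachable
"""


def parse_access_lists(text):
    """Return {acl_name: {seq: (action, rule_text, matches)}}."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_HEADER_RE.match(line)
        if m:
            current = acls.setdefault(m.group(2), {})
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            seq, action, rule, matches = m.groups()
            current[int(seq)] = (action, rule, int(matches) if matches else 0)
    return acls


def ace_deltas(before, after, interval_s, acl_name):
    """Per-ACE hit deltas and packets/s between two snapshots, busiest first."""
    rows = []
    for seq, (action, rule, m_after) in after[acl_name].items():
        m_before = before[acl_name].get(seq, (action, rule, 0))[2]
        delta = m_after - m_before
        if delta < 0:
            # Counters were cleared between snapshots; skip rather than mislead.
            continue
        rows.append({"seq": seq, "action": action, "rule": rule,
                     "delta": delta, "pps": delta / interval_s})
    return sorted(rows, key=lambda r: r["delta"], reverse=True)


if __name__ == "__main__":
    t0 = parse_access_lists(SNAPSHOT_T0)
    t1 = parse_access_lists(SNAPSHOT_T1)
    for r in ace_deltas(t0, t1, 60, "123"):
        print(f"seq {r['seq']:>3} {r['action']} {r['rule']:<30} "
              f"+{r['delta']:<6} {r['pps']:.2f} pps")
```

Run against the two snapshots, the echo entry accounts for essentially all of the growth (600 hits in 60 seconds, 10 pps), which is the same picture the cumulative counters in the post already hint at. The practical use is deciding whether a single ACE dominates a class badly enough to deserve its own class-map and policer, so that a flood of one ICMP type cannot crowd out the others sharing the same rate limit; with cumulative counters the interval between snapshots has to be recorded, and a negative delta means someone ran 'clear access-list counters' in between.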
