12-11-2008 04:06 AM - edited 03-09-2019 09:52 PM
Hi,
Can anyone offer me advice on configuring CoPP on internet-facing edge routers?
I'm running 12.4(21a) on 7200VXRs.
I have an initial configuration with the usual well documented classifications (http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html) and can access the proper values (I think) from CISCO-CLASS-BASED-QOS-MIB, which I could graph in MRTG without too much difficulty. Here's the output from 'sh policy-map control-plane':
sh policy-map control-plane | include offered
5 minute offered rate 0 bps, drop rate 0 bps
5 minute offered rate 1000 bps
5 minute offered rate 2000 bps
5 minute offered rate 0 bps
5 minute offered rate 0 bps
5 minute offered rate 1000 bps
5 minute offered rate 0 bps, drop rate 0 bps
These values are 'bursty' and seem to come in multiples of 1000. Is there any merit in graphing these values over time and setting CoPP MQC values from that? It feels a bit crude.
Thanks,
Mark
12-12-2008 07:32 AM
Mark-
I've been wondering the same thing. One thing that I have not verified is whether, under normal circumstances, it will even show a rate. If it's anything like data plane QoS, it should only be in effect when saturated. If that's correct, how do we properly configure CoPP so we can access our devices during a SNAFU? I settled on "wait and see", or if I ever get some lab time, I could test it. I am curious, if you are monitoring, what are you seeing as far as load?
12-12-2008 08:07 AM
Hi Collin,
Usually a max of 2000bps on the CoPP-catch-all, CoPP-normal, or class-default, and that's it.
I have been trying to find out what is hitting the ACLs, but when you can't use the 'log' keyword, things get tricky:
Class-map: CoPP-normal (match-any)
381708 packets, 28473256 bytes
5 minute offered rate 2000 bps
Match: access-group 123
381708 packets, 28473256 bytes
5 minute rate 2000 bps
sh access-lists 123
Extended IP access list 123
10 permit icmp any any ttl-exceeded (3968 matches)
20 permit icmp any any port-unreachable (271 matches)
30 permit icmp any any echo-reply (78 matches)
40 permit icmp any any echo (391277 matches)
50 permit icmp any any packet-too-big (1 match)
Any thoughts?
Thanks,
Mark
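Added example, not part of any post in this thread: one way to get a finer baseline than the displayed offered rate is to sample the per-class packet and byte counters twice and compute the average rate from the difference, and to rank the ACL entries by their share of matches when 'log' is unavailable. The second reading (T1), the 300-second interval and the function names are assumptions made for illustration.

```python
import re

# Constructed input: T0 is the class output quoted in the thread; T1 is a
# made-up second reading taken 300 seconds later.
T0 = """Class-map: CoPP-normal (match-any)
381708 packets, 28473256 bytes
5 minute offered rate 2000 bps
Match: access-group 123
381708 packets, 28473256 bytes
5 minute rate 2000 bps"""
T1 = T0.replace("381708 packets, 28473256 bytes", "382608 packets, 28540756 bytes")
# ACL counters as quoted in the thread.
ACL = """10 permit icmp any any ttl-exceeded (3968 matches)
20 permit icmp any any port-unreachable (271 matches)
30 permit icmp any any echo-reply (78 matches)
40 permit icmp any any echo (391277 matches)
50 permit icmp any any packet-too-big (1 match)"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)")
COUNT_RE = re.compile(r"(\d+) packets, (\d+) bytes")
ACE_RE = re.compile(r"^\s*(\d+) (permit|deny) (.+?) \((\d+) match(?:es)?\)\s*$", re.M)

def parse_class_counters(text):
    """Map class name -> (packets, bytes) from the first counter line of each class."""
    counters, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.search(line):
            current = m.group(1)
        elif (m := COUNT_RE.search(line)) and current and current not in counters:
            counters[current] = (int(m.group(1)), int(m.group(2)))
    return counters

def rates_between(t0_text, t1_text, seconds):
    """Average (pps, bps) per class between two samples taken `seconds` apart."""
    before, after = parse_class_counters(t0_text), parse_class_counters(t1_text)
    rates = {}
    for name, (p1, b1) in after.items():
        p0, b0 = before.get(name, (None, None))
        if p0 is None or p1 < p0 or b1 < b0:
            continue  # class missing earlier, or counters were cleared or reset
        rates[name] = ((p1 - p0) / seconds, (b1 - b0) * 8 / seconds)
    return rates

def acl_hit_share(text):
    """Map ACE sequence number -> (rule text, matches, fraction of all matches)."""
    rows = [(int(s), f"{a} {r}", int(n)) for s, a, r, n in ACE_RE.findall(text)]
    total = sum(n for _, _, n in rows) or 1
    return {s: (rule, n, n / total) for s, rule, n in rows}
```

Collecting the peak of these per-interval rates over a representative period gives a per-class figure to compare against any police rate being considered, and the ACL shares show which entry dominates a class.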