On Thu, 01 Jun 2006 12:07:00 +0200
hjan <[EMAIL PROTECTED]> wrote:

> I have read Cisco's doc about cpp and I've also read the good
> documentation written by John Kristoff about cpp
> in which are included some implementation examples.

The cisco-nsp mailing list is probably a better place for anything
specific to Cisco's CoPP, but I'll quickly respond here, because the
issue is general enough and others might be interested.

You might be interested in reviewing a brief talk I did at the last
Joint Techs. I went over some of the experiences and lessons learned:

  <http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2444&event=243>

Note, the title is Tripping on QoS, but there is CoPP stuff in there.
Unfortunately I don't think the session was audio or video recorded.

A key point I'd like to make since I originally wrote that page is that
it is quite difficult, and probably not the best approach, to use a
control plane policy where you end up shovelling any unmatched stuff
into a general rate limiter. Phil Rosenthal probably has the right idea
to specifically pass things you know you want, maybe rate limiting them,
but then have a default deny.

> access-list 168 permit icmp any loopback0 0.0.0.0

That doesn't look right. You do not need to specify a loopback address.
By definition, the control plane policy will apply to any router
interface, so perhaps you meant to say something like this:

  access-list 168 permit icmp any any

Although I'm not sure I'd recommend doing what you're doing except for
testing purposes. You have to think very carefully about what could
happen when you start rate limiting protocols generally. For example,
if something ICMP floods your router, will your network availability
monitoring system's traffic get starved out?

John
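
The starvation question raised in the reply above, as an added example that is not part of the original message or of any Cisco tooling: a small Python simulation of first-match classes with token-bucket policers. It compares a single class equivalent to `permit icmp any any` with a policy that matches the monitoring station first and drops anything unmatched. The addresses, rates and traffic pattern are constructed assumptions.

```python
# Added illustration: first-match control plane classes with integer token buckets.
NMS = "192.0.2.10"        # constructed monitoring-station address (assumption)
FLOODER = "198.51.100.7"  # constructed flood source (assumption)

class Policer:
    """Token bucket counted in milli-packets; time is in milliseconds."""
    def __init__(self, pps, burst):
        self.pps, self.cap = pps, burst * 1000
        self.tokens, self.last = self.cap, 0

    def allow(self, now_ms):
        # pps packets/second equals pps milli-packets per millisecond
        self.tokens = min(self.cap, self.tokens + self.pps * (now_ms - self.last))
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def run(classes, packets):
    """classes: ordered (match, policer) pairs; unmatched packets are dropped."""
    delivered = {}
    for now_ms, src, proto in sorted(packets):
        for match, policer in classes:
            if match(src, proto):
                if policer.allow(now_ms):
                    delivered[src] = delivered.get(src, 0) + 1
                break  # first matching class decides, as in a policy-map
    return delivered

def traffic(seconds=10):
    flood = [(t, FLOODER, "icmp") for t in range(seconds * 1000)]    # 1000 pps
    pings = [(505 + 1000 * s, NMS, "icmp") for s in range(seconds)]  # 1 pps
    return flood + pings

def is_icmp(src, proto): return proto == "icmp"
def is_nms_icmp(src, proto): return proto == "icmp" and src == NMS

def shared_policy():  # every ICMP source competes for one 100 pps policer
    return [(is_icmp, Policer(100, 100))]
def split_policy():   # monitoring station matched first, then all other ICMP
    return [(is_nms_icmp, Policer(10, 10)), (is_icmp, Policer(100, 100))]

def compare():
    pkts = traffic()
    return run(shared_policy(), pkts), run(split_policy(), pkts)

if __name__ == "__main__":
    for name, result in zip(("shared ICMP class", "dedicated NMS class"), compare()):
        print(f"{name}: {result.get(NMS, 0)} of 10 monitoring pings delivered")
```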