CoPP question

From: Ivan Hrvatska <ivanzghr_at_gmail.com>
Date: Thu, 25 Mar 2010 11:10:45 +0100

                 10.1.12.0/24
R1 (PE) ----------eigrp------------ R2 (PE)
   |                                   |
   |                                   |
  ospf                                ospf
   |                                   |
   |                                   |
   CE                                  CE

OK. Scenario is like this. MPLS core has EIGRP running. PE routers are
running MPBGP, and running OSPF with CE routers.
Task is that R2 has control-plane policing of all INPUT packets.

R1:
Lo0 - 1.1.1.1
Lo1 - 11.11.11.11 (used for sham-link)
Fa0/0 (to R2) - 10.1.12.1/24

R2:
Lo - 2.2.2.2
Lo1 - 11.11.11.22 (used for sham link)
Fa0/0 (to R1) - 10.1.12.2/24

ACLs to define interesting traffic coming INTO R2's control-plane:

!
ip access-list extended BGP
 permit tcp host 10.1.12.1 host 10.1.12.2 eq bgp
 permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp
 permit tcp host 10.1.12.1 eq bgp host 10.1.12.2
 permit tcp host 1.1.1.1 eq bgp host 2.2.2.2
ip access-list extended EIGRP
 permit eigrp host 10.1.12.1 any
 permit eigrp any host 224.0.0.10
ip access-list extended LDP
 permit udp host 1.1.1.1 any eq 646
 permit udp host 10.1.12.1 any eq 646
 permit tcp host 1.1.1.1 any eq 646
 permit tcp host 10.1.12.1 any eq 646
ip access-list extended OSPF
 permit ospf any host 10.1.12.2
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
!

This is what is matched:

Extended IP access list BGP
    10 permit tcp host 10.1.12.1 host 10.1.12.2 eq bgp
    20 permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp (63 matches)
    30 permit tcp host 10.1.12.1 eq bgp host 10.1.12.2
    40 permit tcp host 1.1.1.1 eq bgp host 2.2.2.2
Extended IP access list EIGRP
    10 permit eigrp host 10.1.12.1 any (17727 matches)
    20 permit eigrp any host 224.0.0.10 (437 matches)
Extended IP access list LDP
    5 permit udp host 1.1.1.1 any eq 646
    10 permit udp host 10.1.12.1 any eq 646 (18757 matches)
    15 permit tcp host 1.1.1.1 any eq 646 (117 matches)
    20 permit tcp host 10.1.12.1 any eq 646
Extended IP access list OSPF
    30 permit ospf any host 10.1.12.2
    35 permit ospf any host 224.0.0.5 (337 matches)
    40 permit ospf any host 224.0.0.6

So, my question: are the above statements enough? Is something too much,
since not all statements are matched?
On the Cisco site I read that routing protocols should have exceed action
transmit? Is that the case? That means no policing should be done on
such traffic?
Let's say that the CE routers are also the customer's iBGP routers and iBGP
sessions are established using reachability provided by the customer's
OSPF, and connectivity for OSPF between the two customer sites is
provided by MPLS VPN. Does the iBGP traffic between CE routers also
get to R2's control-plane for processing, or is it just traverse
traffic? If R2 has to look into its routing table for that traffic, is
it also coming to the CP of R2 or not?

Thanks

Regards

Received on Thu Mar 25 2010 - 11:10:45 ART
