Control Plane Policing (CoPP) for Data Center

Hi All,
I am planning to apply CoPP on different routers and switches of a Data Center. This Data Center comprises Cisco 6513 (VSS), Catalyst 3750, Cisco 3845 and Cisco 2811.
My questions are:
1. Do we have to apply CoPP on Catalyst 3750, as these are DMZ switches only?
2. How to find the packet processing rate from router and switches?
3. Any best practices CoPP template for routers running OSPF and BGP?
Thanks and Regards,
Ahmed.

1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that can be telneted to from the outside, for example, CoPPing them would be helpful for you.
"Do we not need to apply CoPP on switches and routers that are not telneted from outside?"
Control plane traffic is traffic that goes to the control plane of the router, like management traffic, SNMP, etc. If there is a firewall securing you from the outside, I would feel my switches are more secure, and it is not easy to bring them to their knees with an attacker doing too much from the outside. Control plane policing applies to all control plane traffic, but it is mostly against outsiders that someone would try to protect himself.
2. "sh proc cpu" would give you some insight for processes like SSH or Telnet and how much they take. Not control packet rate processing, though.
"I want to know the maximum packet processing rate of a router or switch?"
I don't think you will be able to pull that number.
3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.
"Best practice for a router running OSPF with 200 routes?"
Don't know of any.
PK
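As an added example for question 3 (this is not PK's or Ahmed's configuration, nor a Cisco document), here is a starting CoPP template in IOS MQC syntax for the routers named in the thread, with separate classes for BGP, OSPF, management, monitoring, undesirable traffic and everything else. The peer, admin-subnet, NMS, NTP and TACACS+ addresses are placeholders from the 192.0.2.0/24 documentation range, and the police rates are assumptions: the intended workflow is to apply the policy, watch the per-class conform/exceed counters, and tighten the rates from what the router actually receives (which is as close as the platform gets to answering question 2). The OSPF ACL uses the multicast-plus-unicast form, the same shape as option #2 in the OSPF ACL question further down this page.

```cisco
! Added example (not from the thread): CoPP template for an IOS router that
! runs OSPF and BGP. All addresses are placeholders from the 192.0.2.0/24
! documentation range; police rates are starting points, not measured values.
!
! --- Classification ACLs -------------------------------------------------
ip access-list extended coppacl-bgp
 remark BGP sessions with known peers only (placeholder peer/local addresses)
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
!
ip access-list extended coppacl-igp
 remark OSPF: multicast hellos/DR traffic plus unicast (virtual links, retransmits)
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
 permit ospf any any
!
ip access-list extended coppacl-management
 remark Management only from the admin subnet, NMS, NTP and TACACS+ servers (placeholders)
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp host 192.0.2.10 any eq snmp
 permit udp host 192.0.2.11 eq ntp any eq ntp
 permit tcp host 192.0.2.12 eq tacacs any
!
ip access-list extended coppacl-monitoring
 remark ICMP needed for reachability tests and path MTU discovery
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit icmp any any packet-too-big
!
ip access-list extended coppacl-undesirable
 remark Fragments have no business reaching the control plane
 permit tcp any any fragments
 permit udp any any fragments
 permit icmp any any fragments
!
! --- Class maps ----------------------------------------------------------
class-map match-all copp-bgp
 match access-group name coppacl-bgp
class-map match-all copp-igp
 match access-group name coppacl-igp
class-map match-all copp-management
 match access-group name coppacl-management
class-map match-all copp-monitoring
 match access-group name coppacl-monitoring
class-map match-all copp-undesirable
 match access-group name coppacl-undesirable
!
! --- Policy --------------------------------------------------------------
! Routing-protocol classes use exceed-action transmit on purpose: a wrong
! rate estimate must never drop an OSPF/BGP adjacency. The counters still
! record how often the rate is exceeded, which is the data to tune from.
policy-map copp-policy
 class copp-bgp
  police 80000 8000 conform-action transmit exceed-action transmit
 class copp-igp
  police 80000 8000 conform-action transmit exceed-action transmit
 class copp-management
  police 100000 10000 conform-action transmit exceed-action drop
 class copp-monitoring
  police 32000 4000 conform-action transmit exceed-action drop
 class copp-undesirable
  police 8000 1500 conform-action drop exceed-action drop
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input copp-policy
!
! Verification (exec mode):
!   show policy-map control-plane   - conformed/exceeded packets per class
!   show access-lists               - per-ACE hit counts
```

Two points worth checking before rolling this out on the 6513: the PFC applies CoPP in hardware and has its own restrictions on what an ACL or policer may contain, so confirm each class against the platform's documentation, and the class-default rate is the one that needs the most care, since it catches every host-bound packet the named classes miss.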

Similar Messages

  • Ip addressing for data center

    Can you suggest which pool we should use for a data center, public or private? Which is the best one?

    You will encounter conflicts ONLY if you are connecting to a network that is using your same address space. See more below.
    The private IP addresses that you assign for a private network (inter-office LAN, Internet Service Provider customer bases, campus networks, etc) should fall within the following three blocks of the IP address space:
    10.0.0.1 to 10.255.255.255, which provides a single Class A network of addresses, which would use subnet mask 255.0.0.0.
    (theoretically up to 16,777,215 addresses, good for VERY large enterprises like internet service providers or other global deployment)
    172.16.0.1 to 172.31.255.254, which provides 16 contiguous Class B network addresses, which would use subnet mask 255.255.0.0.
    (theoretically up to 1,048,576 addresses, good for large enterprises like colleges and governmental organizations)
    192.168.0.1 to 192.168.255.254, which provides up to 2^16 Class C network addresses, which would use subnet mask 255.255.255.0.
    (theoretically up to 65,536 addresses, widely used by default in consumer/retail networking equipment)
    Explanation of Subnet masks, Network classes, and other technical info is readily available on the internet.

  • Planning & Consolidation Questionnaires for Data Collection

    Hi Friends,
    I need some help on the following documents.
    1. Does anybody have Planning & Consolidation questionnaires for data collection (information gathering)?
    2. Documentation on BPC integration with other systems.
    Regards,
    Mcs.Chowdary

    VenK7337,
    Could you show your Python code, so we know what you are "writing" to the Ethernet port?
    That way we can see what you are receiving.
    Parsing the incoming data (from the TCP read) depends heavily on the device that sends it, and cannot generically be described. LabVIEW has many byte (and even bit) manipulation functions to convert many different data formats to its own built-in formats.
    So after the TCP listener is connected, you are constantly reading from the established connection (until it gets broken, of course). A more advanced example would be the Internet Toolkit, if you have it.
    From the read characters (and I hope you designed a protocol with a clear starting character, ending character and maybe even a built-in checksum) you parse the data and perform your action, and of course generate a reply. Again, the Internet Toolkit is a good example. It parses the input as it comes in, based on the HTTP format, then generates the reply based on the request received.
    These days I would suggest not using binary encoded numerics. Try and use XML formatted data. Yes, it causes a lot of overhead, but typically this is not an issue, and it makes the code a lot more portable and maintainable. It also makes it easier to interface with other languages/platforms.
    Unless of course you are looking at kHz data rates; then XML is not the preferred choice.
    Hope this helps...

  • Control-plane policing on ML Card

    Hi All,
    We are experiencing high CPU utilization on one of our ML Cards in the ONS 15454. The "IP Input" process has relatively high CPU utilization irrespective of proper fast/CEF switching being enabled on the interfaces. We are trying to figure out whether there is an attack on the control plane, or whether IP packets destined locally to the ML Card are causing those packets to be process switched.
    In order to figure that out, we thought we might try to use Control Plane Policing on the control plane, but it seems not to take the service-policy associated with it. Is this feature supported on the ML Card? Any other suggestion would be really appreciated.
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Try the "clear ip mroute" command on the ML card with high CPU usage and check for the issue. An ML card handling traffic from a large number of MAC addresses can also cause high CPU usage. In very large bridged networks, which may connect directly to thousands of layer-3 devices, it may also be wise to increase the MAC table limit above the default of 1000 MAC addresses. This is done with the configuration command:
    bridge X limit dynamic entries 10000

  • Wiring Question for Data Center

    I work in what I would consider to be a small/mid sized data center. We use two 6513 as the core/distribution for ~25 racks of servers.
    My question comes in the way of cabling the servers to the core. Currently they are using long patch cords between the 6513 and each server. Well it’s a mess, functional but messy.
    I'm trying to figure out the best way to clean up the mess and make it look professional.
    Most people seem to suggest 2 different ways to accomplish this:
    1) Install switches in each rack and run fiber from the core to the rack. Wire each server to the switch in the rack.
    2) Install 24/48 port patch panels between the core area and the racks.
    I'm wondering what people think of these ideas and if there are any other suggested ways of accomplishing this?
    Andy

    Hi Andy,
    Here's something that we used to do where I worked:
    We had 6509's with three/four 48 port blades servicing between 150 and 200 phones roughly. I had four total switches, one on each of four floors. So this would be roughly similar to your DC environment, only we're servicing longer horizontal runs and phones, not servers -- but the idea is the same (i.e. high density cabling issues).
    Lord knows that when you're plugging in 48 cables into one of those blades, it can get pretty crowded. And since we don't yet know how to alter the laws of physics that determine space requirements, we have to search for alternatives.
    Back to my environment: On three of the four floors, we just wired straight from the patch panel (that ran to floor locations) to the switch. Quite a mess when you're running in 48 cables to one blade! However, this is traditional and this is what we did. My cabling guy (very smart fella) suggested something else. At the time I was too chicken to do it on the other floors, but I did agree to try it on one floor. Here's what we did:
    He ran Cat5 (at the time, that was standard) connections in 48 cable bunches from an adjacent wall into the switch. They had RJ-45 connections so that they could plug in, and they were all nice and neat. On the other end, they plugged in to a series of punch down blocks (kind of like you see in a phone room for telephone structured cabling). These, in turn, were cross connected to floor locations on another punch down block that went to the floor locations. Now, whenever we wanted to make a connection live, we simply had to connect the correct CAT5 jumper wire from one punch down block to the other. You never touch the actual ports in the switch. They just stay where they are. All alterations are done on the punch down blocks. This keeps things nice and neat and there's no fiddling with cables in the switch area. Any time you need to put in a new blade, you just harness up 48 more cables (we called them pigtails) and put them in the new blade.
    NOTE: You could do the exact same thing with patch panels instead of punch down blocks, but with higher densities, it's a bit easier to use the blocks and takes up much less space.
    ADVANTAGES:
    * Very neat cable design at the switch side.
    * Never have to squeeze patch cables in and out.
    * Easy to trace cables (but just better to document them and you'll never have to trace them).
    * Makes moves, adds, and changes (particularly adds) very easy.
    DISADVANTAGES:
    * Not sure that you can do it with CAT6.
    * You have to get a punch down tool and actually punch cables (not too bad though after you do a few).
    * You need to make sure that you don't deprecate the rating on the cable by improperly terminating it (i.e. insufficient twists)
    Anyway, I haven't had a need to do this in a while and I no longer work at the same place, but my biggest concern would be if that meets with the CAT6 spec. Not sure about that, but your cabling person could probably tell you.
    I'm not a big fan of decentralizing the switches to remote locations. It can become cumbersome and difficult to manage if you end up with a lot of them. Also, it doesn't scale well and can end up with port waste (i.e. you have 24 servers in one cabinet on one switch and then along comes 25; you now have to buy another 12 or 24 port switch to service the need with either 11/23 ports going to waste -- not good).
    Good luck. Let us know how you make out. I'd be glad to go in to more detail if the above isn't explained well enough.
    Regards,
    Dave

  • Control plane policing

    Please, does anyone understand the difference between using a class-map of type queue-threshold and using a default class-map with queue-limit in the policy-map?
    class-map type queue-threshold match-all http-que
     match protocol http
    policy-map type queue-threshold http-que
     class http-que
      queue-limit 100
    class-map match-all http
     match access-group name http
    policy-map http
     class http
      bandwidth 100000
      queue-limit 100

    The type queue-threshold will be matching HTTP packets that are for the router's management.
    If you set a queue-limit under a regular class-map, you are matching HTTP traffic that is routed through the router.
    In other words CPP queue limit protects the control-plane (router management) queue from getting full and DoS the router or locking someone out.
    Regular class-map is for traffic through the routers.
    I hope it helps.
    PK
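To make PK's distinction concrete, here is an added example (not the poster's configuration and not from a Cisco document) that puts the two constructs side by side: a CPPr queue-threshold policy attached to the control-plane host subinterface, and an ordinary MQC policy with a queue-limit attached to a transit interface. Class, ACL and interface names are placeholders; the queue-threshold syntax assumes an IOS release that supports Control Plane Protection (12.4(4)T or later).

```cisco
! Added example (not from the thread): queue-threshold vs interface queue-limit.
!
! (a) Control Plane Protection (CPPr): the queue-threshold policy caps how many
!     packets of a given host-bound protocol may wait in the control-plane
!     input queue, so a burst of HTTP or Telnet to the router itself cannot
!     fill the queue and starve routing or management traffic behind it.
class-map type queue-threshold match-any cppr-mgmt-queue
 match protocol http
 match protocol telnet
!
policy-map type queue-threshold cppr-mgmt-queue
 class cppr-mgmt-queue
  queue-limit 100
!
control-plane host
 service-policy type queue-threshold input cppr-mgmt-queue
!
! (b) Ordinary MQC on an interface: queue-limit here is the per-class output
!     queue depth for HTTP traffic forwarded THROUGH the router. It shapes
!     what transit hosts experience and never touches the control plane.
ip access-list extended transit-http
 permit tcp any any eq www
!
class-map match-all transit-http
 match access-group name transit-http
!
policy-map transit-qos
 class transit-http
  bandwidth 100000
  queue-limit 100
!
interface GigabitEthernet0/1
 service-policy output transit-qos
!
! Verification (exec mode):
!   show policy-map type queue-threshold control-plane host
!   show policy-map interface GigabitEthernet0/1
```

The queue-threshold limit of 100 is an assumed value; the first command above shows the current queue depth and drops per protocol, which is the basis for adjusting it. A queue-threshold policy only bounds queue occupancy, so it complements rather than replaces a rate-based CoPP policy on the aggregate control-plane interface.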

  • Need help for data center design

    Sir ,
    I am going to design a data center with the following equipment:
    1. one router 7609
    2. two core switch (WS-C6509-E)
    3. two firewall (WS-C6506-E, with Firewall blade)
    4. one VOICE ROUTER (CISCO2821 with PVDM2-64, VWIC2-2MFT-T1/E1, PVDM2-32)
    5. one Remote Access Server (AS5400XM, AS5000XM 60 Dial Port Feature Card, AS5400 Octal E1/PRI DFC card)
    6. two CALLMANAGER-5.1
    7. multiple no of Cisco IP Phone 7940G with Video Advantage with VT Camera II
    8. one Gatekeeper (2811)
    9. one Internet Router (3845)
    10. one Authentication, Authorization and Accounting (AAA) System
    11. one ISDN RAS 2811 with 2-Port Channelized E1/T1/ISDN-PRI Network Module with video conferencing (Polycom)
    12. one Network Intrusion Detection/ Prevention System (NIDS)
    13. one NMS
    14. one Content Switch for Server Load Balancing
    15. multiple Video Phone
    16. lots of servers (mail, web, storage, etc.)
    17. polycom MGC 100
    18. polycom 7000
    Also, 20 7206 VXRs will be connected to the 7609 router through leased lines.
    So, if you could send me some links or a sample design and share some advice on where I can gather ideas to design this data center in a proper way.
    thanks
    tirtha

    IMO the best place to start is by reading the SRNDs. They can be found here:
    http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html
    Hope that helps.

  • Making powermac G4 MDD for data center for small office server

    Hi mac expert,
    I have a small office which needs to pool all data, audio and metadata (wav, mp3, flac, mp4, mov, MS Office xls, docs, jpeg, tiff) into one place or hard disk that can be accessed from any Macs and PCs in the same office.
    I have 2 G4 1GHz MDD units (bus speed 133MHz, both have 2 GB of RAM and a 120 GB internal HD installed).
    I upgraded one of those with a DP 1.42GHz and a 2TB SATA hard disk attached to a PCI SATA Sonnet card.
    Installed Mac OS X 10.5.8 Leopard.
    AirPort Extreme card installed.
    My questions:
    - How big a hard drive can I get? I installed a 2TB drive with no partition, but sometimes when I open the disk it gives me a spinning cursor and shows no items on that drive; it freezes and cannot be turned off from the shutdown menu, so I have to press the power button of the Mac itself.
    - If I want to make a data center like what I mentioned above using the PowerMac G4s that I have, what should I do?
    - Should I install Leopard Server OS?
    Thank you so much.

    MacDrive may work; also see if these are still available...
    NTFS-3G Stable Read/Write Driver...
    http://www.ntfs-3g.org/
    MacFUSE: Full Read-Write NTFS for Mac OS X, Among Others...
    http://www.osnews.com/story/16930
    MacDrive for the PCs... allows them to Read/Write HFS+...
    http://www.mediafour.com/products/macdrive/

  • Cjr2 - protect AND unprotect fields in planning layout1-701 for data input

    Where can I configure the field status of a field in the planning WBS layout 1-702 (profile SAP ALL) in CJR2?
    I would like to protect and unprotect certain fields for input.

    Standard planning layouts are protected; you cannot change them. Create your own planning profile.
    Or try using a transaction variant (SHD0).
    Maybe you can also try GuiXT settings.
    Please search the forum / internet for more information.

  • Control Plane Policing - is there a default config in a 6509?

    I was doing some configuration reviews today, removing some lines that needed to be removed and came across an ACL I have never seen before.  I sure wish I could copy and paste into this thread!
    ip access-list extended cpp-management
    class-map match-all cpp-any
    match access-group name cpp-any
    class-map match-all cpp-management
    match access-group name cpp-management
    and then some policy maps and access lists, etc.
    Does anyone know if this is a default config? I've never seen it before and none of my co-workers have owned up to putting it in there.
    Thanks in advance.
    Tim

    It is not a default, that is a custom config. CoPP is not on by default.
    Hope it helps.

  • Control Plane Protection (Policing) configuration on Catalyst 3850

    I need to block ICMP requests from being received by the switch. And there is no 'control-plane' configuration mode, which I was going to use for this.
    How can I configure this feature or apply another for my purpose?

    Greetings,
    How about on the 3725 router?
    A couple specific questions I have while configuring the portion for IGPs.
    Here is a couple snips of example configurations I'm finding on the Internet, that I have questions on.
    1. Cisco CoPP Best Practices
    access-list 120 permit ospf any
    access-list 120 permit ospf any host 224.0.0.5
    access-list 120 permit ospf any host 224.0.0.6
    2. Deploying Cisco Control Plane Policing
    ip access-list extended coppacl-igp
     remark CoPP IGP traffic class
     ! permit OSPF
     permit ospf any host 224.0.0.5
     permit ospf any host 224.0.0.6
     permit ospf any any
    3. RFC6192
    ip access-list extended OSPF
     permit ospf 192.0.2.0 0.0.0.255 any
    Questions:
    - Which option is better?
    - Is the network specified in option #3 the network statement under the OSPF process, or the actual network I'm routing?
    - If option #1 is better, what is the "router receive block" mentioned?
    Thank you for your assistance!!
    Debbie

  • Best Azure Data Center choice for serving content in Canada?

    Hello,
    Curious - What is the best Data Center choice for a CDN if your primary audience is in Canada?  (or does it even matter?)
    I've asked Azure support if a data center will be opening up in Canada, and it appears that there are no plans for such. So, if we are serving [primarily images] via Azure Storage (CDN) -- what is the best choice for a data center, as all traffic will be heading North (to Canada)?
    Also -- does anyone know of a SIMPLE price comparison chart that shows the cost of all the major CDNs, i.e.: Azure, S3, Google, etc. with regard to storage costs and bandwidth costs?  (Might be an interesting project to build)
    Thanks in advance.

    Hi,
    As of now, there is no plan to open a Data Center in Canada. However, depending on your location in Canada, you may choose the East US2/East US, West US or North Central US Data Center, whichever is nearest to you.
    You may check the price of your services hosted in Azure through following link:
    http://azure.microsoft.com/en-us/pricing/calculator/?scenario=full
    Regards,
    Manu

  • Rule for Control Plane traffic Transparent Firewall

    Hi Everyone,
    On an ASA working in routed mode, traffic is allowed by default from the high-security inside to the low-security outside.
    But in the case of a transparent firewall, control plane traffic from inside to outside is not allowed by default.
    I need to know the reason behind this.
    Is this due to the transparent firewall being layer 2?
    Regards
    Mahesh

    Hello Chintan,
    the VRF access link where the CE is connected is part of the VRF and isn't a member of the Global Routing Table anymore.
    So any possible attempt to build an LDP session cannot impact on the backbone MPLS control plane.
    If you want to specify all the acceptable LDP sources in a receive-ACL or in Control plane policing as part of a security plan that will be another matter.
    Only on Carrier Supporting Carrier scenario you have an MPLS LDP or BGPv4 with labels session between PE and CE.
    Hope to help
    Giuseppe

  • What snmp OID to use to monitor control-plane of router

    Hi there!
    I've applied policy-maps on the control-plane, based on Cisco's recommendation.
    Now I need to know what SNMP OID I have to use to monitor them (I'm using Zabbix).
    Let me know.
    Regards!

    If you are using IOS which uses a policy-map to configure Control Plane Policing then you are asking in the wrong place as this forum is for IOS-XR not IOS but you can poll objects in the CISCO-CLASS-BASED-QOS-MIB::cbQosPoliceStatsTable (for example cbQosCMDropByte64, cbQosPoliceExceededByte64, cbQosPoliceConformedByte64).
    If you mean you have changed the LPTS policers to help protect the control-plane in IOS-XR then I believe there is currently no support for polling the counters via SNMP. See the section on monitoring in Xander's document https://supportforums.cisco.com/document/93456/asr9000xr-local-packet-transport-services-lpts-copp

  • Why use transparent firewall in data center?

    I've seen Cisco documentation recommending transparent mode for firewall deployment in the data center, e.g. 5585X. I understand the key reasons for this are:
    - easy "insertion" of firewall in pre-existing network
    - speed (since there is no "hair-pinning")
    Assume that the above two are not a major concern (i.e. you can redesign your network to have the firewall hold default gateways and your firewall is much more powerful than your needs). Then from a financial perspective, it doesn't seem to make sense to do transparent firewall deployment of the 5585X for the following reasons:
    - you are limited to a maximum of 8 bridge-groups
    If you really want to follow best practices and implement fine segmentation of your network, you'll need to create 10s or 100s of VLANs and perform access-control on them. This limit of 8 BVIs means that you basically can have only 8 "segments" per context. After that, you have to resort to adding contexts as your grow (contexts introduce their own cost AND complexity).
    Am I missing something? Why would Cisco recommend transparent firewall for data center if cost is remotely a concern? I can't seem to find any good documentation justifying this. Thanks in advance for your experiences/insight.

    Hello Fouzan,
    I think you already covered it
    Good job with the analysis. Basically, as you said, it is the ability to place the transparent mode firewall into the network environment with no routing complications, etc., BUT as you said there are limitations.
    I would still use the routed mode due to the requirements you set, but there will be scenarios when this will not be the case and a bridge-group or two will take care of everything, so a transparent mode firewall would do it.
    Regards
