Re: [nsp] CAR bug

From: George Robbins (grr@shandakor.tharsis.com)
Date: Sat Jan 29 2000 - 13:33:49 EST


> Subject: Re: [nsp] CAR bug
> To: hank@att.net.il (Hank Nussbacher)
> Date: Sat, 29 Jan 2000 10:40:13 -0600 (CST)
> Cc: cisco-nsp@puck.nether.net, lindahl@ack.berkeley.edu (ken lindahl)
>
> >Perhaps it's the extra processing incurred by looking deeper into the
> >packet (for the icmp type), or it's simply an IOS bug. Has anyone seen
> >anything like this?
>
> Yes, we were bitten by this, or something very like it.
>
> Attempts to rate limit ICMP at our site using CAR in a 7513 with
> vip2/50s and 11.1(n)CC code came to an end the day that router
> apparently started blocking all ICMP to certain subnets on the campus.

Have you tried this recently 11.1(n)-CC-wise? We've used CAR pretty
extensively in the regional ISP setting (nap-peering, multi-pop backbone,
lots of t1's and colocation) and never had a reason to back it out.

Typically we'll rate-limit customers with contracted bandwidth less than
their circuit, but we also limit "all icmp" at various points within
the network to tune down smurf attacks.

Of course, like CEF/dCEF, it's the intersection between the user's
environment and an extensive set of bugs that determines whether or
not the feature is usable...

                                                George



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:09 EDT