RE: [nsp] CAR bug

From: Hallgren, Michael (michael.hallgren@teleglobe.com)
Date: Mon Jan 31 2000 - 04:14:00 EST


Hi,

I've experienced lack of preciseness with rate limiting, in the way
that actual limiting is lower than configured limiting. Comments ?

Michael

>> Subject: Re: [nsp] CAR bug
>> To: hank@att.net.il (Hank Nussbacher)
>> Date: Sat, 29 Jan 2000 10:40:13 -0600 (CST)
>> Cc: cisco-nsp@puck.nether.net, lindahl@ack.berkeley.edu (ken lindahl)
>>
>> >Perhaps it's the extra processing incurred by looking deeper into the
>> >packet (for the icmp type), or it's simply an IOS bug. Has anyone seen
>> >anything like this?
>>
>> Yes, we were bitten by this, or something very like it.
>>
>> Attempts to rate limit ICMP at our site using CAR in a 7513 with
>> vip2/50s and 11.1(n)CC code came to an end the day that router
>> apparently started blocking all ICMP to certain subnets on the campus.
>
>Have you tried this recently 11.1(n)-CC-wise? We've used CAR pretty
>extensively in the regional ISP setting (nap-peering, multi-pop backbone,
>lots of t1's and colocation and never had a reason to back it out.
>
>Typically we'll rate-limt customers with contracted bandwidith less than
>their circuit, but we also limit "all icmp" at various points within
>the network to tune down smurf attacks.
>
>Of course like CEF/dCEF it's the intersection between the users's
>environment and an extensive set of bugs that determine whether or
>not the feature is usable...
>
> George
>



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:09 EDT