[nsp] AS5300 losing memory

Jason Houx coldiso at houx.org
Fri Aug 22 20:12:07 EDT 2003


Well, it's either break path MTU or reboot and kick people off-line while
the unit reloads - personally I would rather put AS5350s and AS5400s in
the mix because those have been just fine.  These AS5248s are getting
their memory fragged by all the scanning from just hosts inside of our
network.  If you have a suggestion I would love to hear it.  route-map
match length 92 92 is not supported on these, at least not with the IOS
we have.  We tried just filtering the nasty M$ crap and still had to
reload the units.  Blocking ICMP has stopped these units from needing to
be reloaded.  And I have dialed in and browsed around in *nix without any
problem.  If these people are scanning and their connections time out,
I'm sure they will be happier than being booted off the Internet while
we reload the device every 4 hours.  I suppose your firewall turns its
head when ICMP bangs on its front door?

Jason Houx


On Sat, 23 Aug 2003, Niels Bakker wrote:

> * coldiso at houx.org (Jason Houx) [Fri 22 Aug 2003, 23:20 CEST]:
> > We created an ACL like this {see below} and applied it to every one of our
> > AS5248s - our AS5350, AS5400, and AS5396 did not seem to have near the
> [..]
> > access-list 199 deny   icmp any any
> > access-list 199 permit ip any any
> 
> That's stupid.  ICMP is an important part of the Internet Protocol, and
> by blocking it you break a lot of things - Path MTU Discovery, to name
> one - and make connection attempts to closed ports take ages to time out
> rather than almost instantaneously, to name but two problems instigated
> by your overzealous access-list.
> 
> 
> 	-- Niels.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
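For comparison, an added example (not from either poster) of a narrower version of the access-list 199 quoted above. It keeps the ICMP messages that Path MTU Discovery and fast connection failures depend on and lets everything else in ICMP fall through to the deny, so echo requests still hit the deny line. The interface name (Group-Async1), the inbound direction, and the choice of permitted types are assumptions; the thread does not confirm whether the ICMP type keywords are accepted by the IOS running on the poster's AS5248s.

```cisco
! Added example, not from the original post. Interface name and the
! set of permitted ICMP types are assumptions.
!
! Original (blocks all ICMP, breaks Path MTU Discovery):
!   access-list 199 deny   icmp any any
!   access-list 199 permit ip any any
!
! Narrower alternative: permit the ICMP that PMTUD and fast failures
! need, deny the rest of ICMP, then permit everything else.
!
! Type 3 (destination unreachable). This includes code 4,
! "fragmentation needed", which PMTUD relies on, and "port
! unreachable", which lets connections to closed UDP ports fail fast.
access-list 199 permit icmp any any unreachable
! Type 11 (time exceeded), needed for traceroute to work.
access-list 199 permit icmp any any time-exceeded
! Type 0 (echo reply), so replies to the user's own pings get through.
access-list 199 permit icmp any any echo-reply
! Everything else in ICMP, including echo requests, is dropped.
access-list 199 deny   icmp any any
access-list 199 permit ip any any
!
! Applied inbound on the dial-in group interface (name assumed).
interface Group-Async1
 ip access-group 199 in
```

Direction matters: applied inbound on the dial-in side, the permit lines only affect ICMP sent by the dial-in hosts themselves; "fragmentation needed" messages generated by routers elsewhere on the path are not governed by this ACL at all. Whether this keeps the memory problem away, as the blanket deny did, is something the poster would have to test.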