[nsp] AS5300 losing memory
jlewis at lewis.org
Fri Aug 22 20:26:22 EDT 2003
On Fri, 22 Aug 2003, Jason Houx wrote:
> Well, it's either break path MTU or reboot and kick people off-line while the
> unit reloads. Personally I would rather put AS5350's and AS5400's in the
> mix because those have been just fine. These AS5248's are getting their
> memory fragged by all the scanning from just hosts inside of our network.
> If you have a suggestion I would love to hear it. route-map match length
> 92 92 isn't supported on these, at least not with the IOS we have. We tried
> running just filtering the nasty M$ crap and still had to reload the
> units. Blocking ICMP has stopped these units from needing to be reloaded. AND
You don't have to block all ICMP (which breaks PMTUD)...just echo and
echo-reply.
! stop this interface generating ICMP unreachables
interface Ethernet0
 no ip unreachables
!
! rebuild the ACL from scratch so stale entries don't linger
no access-list 199
! let established TCP through before anything else is evaluated
access-list 199 permit tcp any any established
! drop only echo and echo-reply; unreachables (incl. frag-needed) still pass
access-list 199 deny icmp any any echo
access-list 199 deny icmp any any echo-reply
access-list 199 permit ip any any
!
! apply inbound on the dial-in side, where the scanning hosts are
interface Group-Async1
 no ip unreachables
 ip access-group 199 in
!
interface Virtual-Template1
 ip access-group 199 in
 no ip unreachables
Our 5200's with this seem to be holding out. The 5396's and 53192's
running 12.1 and 12.2 can do the more elegant route-map/policy routing
trick that only blocks 92 octet echo/echo-reply. The infection is so bad
that show access-l 199 on some 5200's shows more blocked echo than passed
traffic.
----------------------------------------------------------------------
Jon Lewis *jlewis at lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
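The route-map/policy-routing trick Jon refers to but does not spell out, written up here as an added example (this is not config from the original post, and the access-list number 198 and the route-map name are my own choices). The 92-octet ICMP echo/echo-reply it singles out is the scan traffic of the Nachi/Welchia worm, which the thread only calls "the infection"; IOS evaluates `match length` against the layer-3 packet length. It needs an IOS that supports `ip policy`, which, as Jason notes above, the older 5200-class boxes do not.

```cisco
! Added example, not from the original post. ACL 198 and the route-map
! name are assumptions; 92 is the IP total length of the worm's echo packets.
!
! Classify only ICMP echo and echo-reply; nothing else is handed to the route-map,
! so ICMP unreachables (including fragmentation-needed, type 3 code 4) are untouched
! and PMTUD keeps working.
no access-list 198
access-list 198 permit icmp any any echo
access-list 198 permit icmp any any echo-reply
!
! A packet must match BOTH the ACL and the exact 92-octet length to be policy-routed
! to Null0. Ordinary pings of any other size fall through to normal forwarding.
route-map drop-92-octet-echo permit 10
 match ip address 198
 match length 92 92
 set interface Null0
!
! Apply on the dial-in side, where the scanning hosts sit, as with ACL 199 above.
interface Group-Async1
 ip policy route-map drop-92-octet-echo
!
interface Virtual-Template1
 ip policy route-map drop-92-octet-echo
```

Confirm it is actually catching traffic with `show route-map drop-92-octet-echo`, whose policy-routing counters climb for every 92-octet echo sent to Null0, and with `show access-list 198` for the raw echo/echo-reply hit counts. If both stay at zero while the infection is still visible on ACL 199, check the IOS release first: on a box without policy-routing support the `ip policy` line is silently the whole problem.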