[nsp] Suggestions on tracking down bandwidth offenders

Virgil virgil at webcentral.com.au
Wed Jul 14 19:36:05 EDT 2004


> The implementation of NBAR in 12.2s is badly broken with respect
> to fragmented packets.  It's easy to bring an NPE-G1 to its knees
> without really trying very hard.  NBAR was reimplemented for
> 12.3T and our tests show that it doesn't have the same problems.


The same piece of code is present in 12.1E/12.2SX which means
that SUP1/SUP2/SUP720 are all affected as well.  A little laptop
with a PCMCIA ethernet card can nuke a SUP720 with replayed
UDP frags.

> > Interface X
> >  ip nbar protocol-discovery
> > Be careful about cpu usage.

The difference between nbar protocol-discovery off and on, on a 7301 
running 12.2(18)S is 9 -> 11% CPU and 20 -> 100% CPU.  Traffic was 
300Mbits, +25Mbits UDP frags.

It wasn't until the UDP frags came along that it was really unhappy.


Regards,

Virgil

-- 
WebCentral Pty Ltd           Australia's #1 Internet Web Hosting Company
Level 5, 100 Wickham St.           Infrastructure Design and Engineering
PO Box 930, Fortitude Valley.            email: virgil at webcentral.com.au
Queensland, Australia 4006.                       phone: +61 7 3230 7332
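A small check an operator could run on the two CPU snapshots the post describes (one taken before and one after enabling `ip nbar protocol-discovery`). This is an added example, not code from the post or from Cisco; the sample output is constructed in the format IOS prints for `show processes cpu`, the percentages echo the figures reported above rather than a real capture, and the 10-point tolerance is an assumed value.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the IOS 'show processes cpu' format.
# Only the header line is parsed; the process table is included so the
# parser is exercised on realistic multi-line input.
BEFORE_NBAR = """CPU utilization for five seconds: 9%/7%; one minute: 9%; five minutes: 9%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1          12      1234         10  0.00%  0.00%  0.00%   0 Chunk Manager
"""
AFTER_NBAR = """CPU utilization for five seconds: 100%/31%; one minute: 98%; five minutes: 71%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1          12      1234         10  0.00%  0.00%  0.00%   0 Chunk Manager
"""

HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)


@dataclass
class CpuSample:
    five_sec: int    # total CPU over the last five seconds
    interrupt: int   # share of that five-second figure spent at interrupt level
    one_min: int
    five_min: int


def parse_show_processes_cpu(text: str) -> CpuSample:
    """Extract the four utilisation figures from the header line."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'CPU utilization' header found")
    return CpuSample(*(int(g) for g in m.groups()))


def nbar_cpu_delta(before: str, after: str) -> int:
    """One-minute CPU increase between two snapshots (more stable than 5 sec)."""
    return (parse_show_processes_cpu(after).one_min
            - parse_show_processes_cpu(before).one_min)


def protocol_discovery_safe(before: str, after: str, max_increase: int = 10) -> bool:
    """True if enabling protocol-discovery cost at most max_increase points (assumed tolerance)."""
    return nbar_cpu_delta(before, after) <= max_increase
```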
