[c-nsp] 6500 under DDoS
Jared Mauch
jared at puck.nether.net
Tue Jul 27 15:47:26 EDT 2004
On Tue, Jul 27, 2004 at 09:41:09PM +0200, Blaz Zupan wrote:
> > They want to have their uplink to you on the sup720 module, since
> > it's distributed. That will help..
> >
> > it should be in either slot5 or slot6.
>
> Thanks, I'll make them check it.
>
> A Cisco employee also suggested that they might be overflowing the TCAMs in
> the linecards which could be caused by poorly constructed ACLs so that the
> traffic is software switched.
If the TCAM is getting full, it's "supposed" to syslog
this.. but I've found this to be somewhat inconsistent depending on
the sw release and sup involved.
> I also found out that the customer has turned on "ip nbar protocol-discovery".
yeah, have them turn that off. ick.
> Hmmm, seems like I'll refer them to the TAC.
well, moving the port facing you to the distributed s720 GEs
is the best thing to do.
This will show you which linecards/modules are doing dcef:
make sure they're "up"
s720-rp#sh cef line
Slot MsgSent   XDRSent  Window LowQ  MedQ  HighQ Flags
 5   3703267   33151140    967    0     0     0 up

VRF Default-table, version 16462517, 150449 routes
Slot Version   CEF-XDR  I/Fs    State  Flags
 5   16462517  32831603    4   Active sync, table-up
- jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
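Added example, not from the mail above and not Cisco tooling: a small Python checker that parses the two tables `show cef linecard` prints (the layout Jared pastes) and reports any slot that is not doing distributed CEF with a synced, current table. The sample output is constructed: slot 5 copies the numbers from the mail, slot 3 is an invented failing module, and its "down"/"Reset" strings are placeholders for the comparison, not a claim about what IOS prints in those cases. Healthy means the IPC Flags column reads "up", the per-table flags contain both "sync" and "table-up", and the card's table version matches the RP's, as they do for slot 5 in the mail.

```python
"""Check `show cef linecard` output for modules that are not fully dCEF-ready.

Example code, not part of the original mail. It parses the two tables the
command prints on a Sup720 and returns the slots that fail the checks below.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample. Slot 5 is taken from the mail; slot 3 is an invented
# module in a bad state so the checker has something to flag. "down" and
# "Reset" are placeholders, not the literal strings IOS is known to print.
SAMPLE = """\
s720-rp#sh cef linecard
Slot MsgSent   XDRSent  Window LowQ  MedQ  HighQ Flags
 3   14021     85512       967    0     0     0 down
 5   3703267   33151140    967    0     0     0 up

VRF Default-table, version 16462517, 150449 routes
Slot Version   CEF-XDR  I/Fs    State  Flags
 3   16462000  32830000    2    Reset sync
 5   16462517  32831603    4   Active sync, table-up
"""


@dataclass
class Linecard:
    slot: int
    ipc_flags: str = ""                     # Flags column of the first table
    version: Optional[int] = None           # CEF table version on the card
    state: str = ""                         # State column of the VRF table
    table_flags: Set[str] = field(default_factory=set)


def parse_cef_linecard(text: str) -> Tuple[Dict[int, Linecard], Optional[int]]:
    """Return ({slot: Linecard}, RP table version) from `show cef linecard` text."""
    cards: Dict[int, Linecard] = {}
    section = None          # "ipc" for the first table, "table" for the VRF table
    rp_version = None
    for line in text.splitlines():
        if re.match(r"^Slot\s+MsgSent", line):
            section = "ipc"
            continue
        m = re.match(r"^VRF \S+, version (\d+), \d+ routes", line)
        if m:
            section = "table"
            rp_version = int(m.group(1))
            continue
        if re.match(r"^Slot\s+Version", line):
            continue
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)
        if not m or section is None:
            continue
        slot = int(m.group(1))
        card = cards.setdefault(slot, Linecard(slot))
        rest = m.group(2).split()
        if section == "ipc":
            # MsgSent XDRSent Window LowQ MedQ HighQ Flags
            card.ipc_flags = " ".join(rest[6:])
        else:
            # Version CEF-XDR I/Fs State Flags...
            card.version = int(rest[0])
            card.state = rest[3]
            card.table_flags = {f.strip(",") for f in rest[4:]}
    return cards, rp_version


def unhealthy_slots(text: str) -> Dict[int, List[str]]:
    """Slots whose dCEF state is not 'up' with a synced table at the RP's version."""
    cards, rp_version = parse_cef_linecard(text)
    bad: Dict[int, List[str]] = {}
    for slot, c in sorted(cards.items()):
        reasons = []
        if c.ipc_flags != "up":
            reasons.append(f"IPC flags {c.ipc_flags!r} != 'up'")
        if not {"sync", "table-up"} <= c.table_flags:
            reasons.append(f"table flags {sorted(c.table_flags)} lack sync/table-up")
        if rp_version is not None and c.version != rp_version:
            reasons.append(f"card FIB version {c.version} != RP version {rp_version}")
        if reasons:
            bad[slot] = reasons
    return bad


if __name__ == "__main__":
    for slot, reasons in unhealthy_slots(SAMPLE).items():
        print(f"slot {slot}: " + "; ".join(reasons))
```

Feed it the real output captured from the RP (`show cef linecard`) instead of `SAMPLE`; a slot that shows up in the result is a candidate for the software-switched traffic the thread is chasing.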