[c-nsp] 6500 under DDoS

Jared Mauch jared at puck.nether.net
Tue Jul 27 15:47:26 EDT 2004


On Tue, Jul 27, 2004 at 09:41:09PM +0200, Blaz Zupan wrote:
> > 	They want to have their uplink to you on the sup720 module, since
> > it's distributed.  That will help..
> >
> > 	it should be in either slot5 or slot6.
> 
> Thanks, I'll make them check it.
> 
> A Cisco employee also suggested that they might be overflowing the TCAMs in
> the linecards which could be caused by poorly constructed ACLs so that the
> traffic is software switched.

	If the TCAM is getting full, it's "supposed" to syslog
this.. but I've found this to be somewhat inconsistent depending on
the sw release and sup involved.

> I also found out that the customer has turned on "ip nbar protocol-discovery".

	yeah, have them turn that off.  ick.

> Hmmm, seems like I'll refer them to the TAC.

	well, moving the port facing you to the distributed s720 GEs
is the best thing to do.

	This will show you which linecards/modules are doing dcef:

	make sure they're "up"

s720-rp#sh cef line
Slot    MsgSent    XDRSent  Window   LowQ   MedQ  HighQ Flags
5       3703267   33151140     967      0      0      0 up

VRF Default-table, version 16462517, 150449 routes
Slot Version    CEF-XDR    I/Fs State    Flags
5    16462517   32831603       4 Active   sync, table-up

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
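The `sh cef line` check above is easy to eyeball for one linecard but tedious across a chassis. The following is an added example, not part of Jared's post or of any Cisco tooling: a small Python parser for the two tables `show cef linecard` prints, plus the health check the post describes (linecard Flags `up`, FIB state `Active`, `table-up` present). The slot 5 rows are copied from the post; the slot 6 rows are constructed to exercise the failure path and are hypothetical, since the exact Flags text a broken linecard prints varies by IOS release.

```python
"""Parse Cisco 'show cef linecard' output and flag slots not running healthy dCEF.

Added example, not from the mailing-list post. Slot 5 rows are the real ones
quoted in the post; slot 6 rows are CONSTRUCTED/hypothetical test data.
"""
import re

SAMPLE_OUTPUT = """\
s720-rp#sh cef line
Slot    MsgSent    XDRSent  Window   LowQ   MedQ  HighQ Flags
5       3703267   33151140     967      0      0      0 up
6          1200        500      10   4000    250      0 down

VRF Default-table, version 16462517, 150449 routes
Slot Version    CEF-XDR    I/Fs State    Flags
5    16462517   32831603       4 Active   sync, table-up
6    16400000    1000000       2 Active   sync
"""
# The slot 6 lines above are constructed; "down" and a missing "table-up"
# stand in for whatever an unhealthy card really prints on a given release.


def parse_cef_linecard(text):
    """Return {slot: fields} merging the XDR-queue table and the FIB-table rows."""
    slots = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Header lines tell us which of the two tables follows.
        if line.startswith("Slot") and "MsgSent" in line:
            section = "xdr"
            continue
        if line.startswith("Slot") and "Version" in line:
            section = "table"
            continue
        m = re.match(r"^(\d+)\s+(.*)$", line)
        if not m or section is None:
            continue  # prompt, "VRF ..." banner, or anything unrecognised
        slot = int(m.group(1))
        rest = m.group(2).split()
        entry = slots.setdefault(slot, {})
        if section == "xdr" and len(rest) >= 7:
            entry.update(
                msg_sent=int(rest[0]), xdr_sent=int(rest[1]), window=int(rest[2]),
                low_q=int(rest[3]), med_q=int(rest[4]), high_q=int(rest[5]),
                flags=" ".join(rest[6:]),
            )
        elif section == "table" and len(rest) >= 5:
            # Flags may contain spaces ("sync, table-up"), so rejoin the tail.
            entry.update(
                version=int(rest[0]), cef_xdr=int(rest[1]), ifs=int(rest[2]),
                state=rest[3], table_flags=" ".join(rest[4:]),
            )
    return slots


def check_dcef(slots):
    """Return [(slot, reason)] for every slot that fails the dCEF sanity checks."""
    problems = []
    for slot, e in sorted(slots.items()):
        if e.get("flags") != "up":
            problems.append((slot, f"linecard flags {e.get('flags')!r}, expected 'up'"))
        if e.get("state") != "Active":
            problems.append((slot, f"FIB state {e.get('state')!r}, expected 'Active'"))
        if "table-up" not in e.get("table_flags", ""):
            problems.append((slot, "FIB table not reported table-up"))
        # Heuristic: non-zero XDR queue depth means updates are waiting on the card.
        backlog = e.get("low_q", 0) + e.get("med_q", 0) + e.get("high_q", 0)
        if backlog:
            problems.append((slot, f"{backlog} XDR messages pending in queues"))
    return problems


if __name__ == "__main__":
    for slot, reason in check_dcef(parse_cef_linecard(SAMPLE_OUTPUT)):
        print(f"slot {slot}: {reason}")
```

Paste real `show cef linecard` output in place of `SAMPLE_OUTPUT` (or read it from a file); any slot that prints nothing is doing dCEF as the post expects, and a slot that should be forwarding distributed but shows up here is the one to investigate before blaming the ACLs.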