[c-nsp] DoS tracking on the 6500
Nitzan Tzelniker
nitzan.tzelniker at gmail.com
Fri Mar 18 04:04:33 EST 2005
Try to run the command
"sh mls ip count".
If the output is more than 32000, you need sampling.
To configure sampling, use
"mls sampling packet-based 64 4096",
and don't forget "mls netflow sampling" on the interface.
You can read more here:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080179591.html
Nitzan
On Thu, 17 Mar 2005 18:19:38 -0500 (EST), Jon Lewis <jlewis at lewis.org> wrote:
> On Thu, 17 Mar 2005, Dale W. Carder wrote:
>
> > What are your netflow/mls settings, specifically are you recording src
> > and dest information, because perhaps dest-only didn't capture the
> > data you needed? Are you sampling? What is your table size set at?
>
> Running just IOS, 122-18.SXD3
> #sh conf | inc mls
> mls aging fast time 8 threshold 3
> mls aging long 480
> mls aging normal 32
> mls flow ip interface-full
> mls flow ipx destination
> mls nde sender version 5
> mls rate-limit unicast cef receive 10000
> mls qos
>
> > Off the top of my head (we don't run hybrid anymore) I want to say
> > that the command to try is "sh mls ent long". In native mode
> > it's something along the lines of "sh mls netflow ip nowrap".
>
> Ah...I didn't notice the nowrap option last night and was cursing IOS for
> ignoring my term width. That makes the output easier on the eyes...but it
> still looks like just a tiny sampling of the real data.
>
> ----------------------------------------------------------------------
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________