[c-nsp] Help, one 160kbit/s DSL killing my 7206

Code Monkey have.an.email at gmail.com
Mon Mar 21 07:33:39 EST 2005


Hi,

I collect DSL on a 7206. They come in as an L2TP tunnel over
Ethernet, and get a virtual interface each.

Each virtual interface gets ip verify unicast reverse-path set 
by the radius options. I set up debug so that I get spoofed 
packets by syslog.

One of my DSL clients apparently contracted a DDoS Zombie. At
10:45 CEST he started sending out source-spoofed packets
(spoofing 129.103.0.4x) all he was worth.

At the same time, the router started acting up, shutting down
all or most of the DSL clients. They all come up again, and 
all down again some 15 seconds later. Acct-Terminate-Cause =
Port-Error for all of them. Ping times through the router (but
unrelated to the DSL lines) were up to 2 seconds instead of less
than 10 ms. CPU usage went through the roof.

I blacklisted the DSL that was spoofing on the radius,
and cleared his virtual-interface; the problems went away
immediately.

I turned off the debug logging because I thought the logging
must be what put the router on its knees, but when I let the
client log on again (he has to update his antivirus...) all the
DSL lines fall down again (didn't check ping, CPU seems normal
on the history, but the problem was fixed sooner though).  I'm
not going to remove the reverse-path verification!

What can I do? Haven't found a bug id specifically for this, but
maybe there is a known problem, or else there is something I can
configure?

Tech info:

C7200-JS-M, Version 12.2(15)T11,  RELEASE SOFTWARE (fc2)
System image file is "slot0:c7200-js-mz.122-15.T11.bin"
cisco 7206VXR (NPE300) processor (revision D) with 229376K/65536K
bytes of memory.
R7000 CPU at 262Mhz, Implementation 39, Rev 2.1, 256KB L2, 2048KB L3 Cache
6 slot VXR midplane, Version 2.1