[c-nsp] DoS tracking on the 6500
Jon Lewis
jlewis at lewis.org
Tue Mar 22 14:13:39 EST 2005
On Tue, 22 Mar 2005, Simon Leinen wrote:
> > On Mar 18, 2005, at 3:04 AM, Nitzan Tzelniker wrote:
> >> Try to run the command
> >> "sh mls ip count"
> >> if the output is more than 32000 you need sampling
>
> > My operational experience is that this is not necessarily true,
> > depending on your application. IIRC, on the Sup2+MSFC2, there is an
> > increased *probability* of netflow information being lost, up to the
> > hard cap of 128,000 entries.
>
> That's correct. The hard limit of 128'000 entries is the same on the
> PFC3 (Sup720), but the PFC3 is supposed to have a better hashing
> algorithm, so you can use more of the space before table contention
> starts to become a problem.
Using sup2 and 122-18.SXD3, are there known issues with some of the mls
commands being "sticky"? What's confusing me now is I had things working
with mls flow ip interface-full, and some mls aging statements such that I
had sh mls netflow ip count values in the thousands. Then I noticed my
cricket graphs pretty much quit working. I undid the mls statements to
see if that would help...but I think it may just be an issue with 32-bit
counter wrap...so I put the mls config back...and of the 2 6500s, now one
typically has counts in the 100-200 range, while the other is in the
500-800 range.
Hardware and software images between the two are the same, and I have the
interfaces I'm interested in set to ip route-cache flow...though I didn't
initially.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
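Added example (not part of the thread or of Jon's post): a small Python check that turns the rule of thumb quoted above into a monitoring test. It pulls the flow count out of `show mls netflow ip count` output, grades it against the 32,000 sampling threshold and the 128,000-entry hard cap cited in the thread, and computes a wrap-corrected delta for a 32-bit counter of the kind Jon suspects broke his cricket graphs. The sample output is constructed, and the exact banner wording IOS prints is an assumption; only the "Number of shortcuts = N" line is parsed.

```python
"""Grade 6500 NetFlow table occupancy and handle 32-bit counter wrap.

Added example, not from the cisco-nsp thread. Limits are the ones quoted
in the thread (32k sampling rule of thumb, 128k hard cap on Sup2/PFC3).
"""
import re

SAMPLING_THRESHOLD = 32_000  # Nitzan's rule of thumb: above this, sample
HARD_CAP = 128_000           # hard table limit quoted for Sup2 and PFC3

# Constructed sample output. The banner line is an assumption about IOS
# output; the parser only relies on the "Number of shortcuts = N" line.
SAMPLE_OUTPUT = """\
Displaying Netflow entries in Supervisor Earl
Number of shortcuts = 47213
"""

COUNT_RE = re.compile(r"Number of shortcuts\s*=\s*(\d+)")


def parse_flow_count(output: str) -> int:
    """Return the NetFlow entry count from `show mls netflow ip count` text."""
    match = COUNT_RE.search(output)
    if match is None:
        raise ValueError("no 'Number of shortcuts' line found in output")
    return int(match.group(1))


def table_utilization(count: int) -> float:
    """Fraction of the 128k hard cap in use (can exceed 1.0 if parsing garbage)."""
    return count / HARD_CAP


def grade_flow_count(count: int) -> str:
    """Map a flow count onto the three states discussed in the thread."""
    if count >= HARD_CAP:
        return "table full: new flows are being dropped"
    if count >= SAMPLING_THRESHOLD:
        return "enable sampling: contention risk rises toward the hard cap"
    return "ok"


def counter_delta(prev: int, cur: int, bits: int = 32) -> int:
    """Wrap-corrected delta for a monotonic SNMP counter of `bits` width.

    A naive cur - prev goes hugely negative when a 32-bit counter wraps,
    which is the kind of thing that makes a cricket/RRD graph go blank.
    Taking the difference modulo 2**bits recovers the true increment as
    long as the counter wrapped at most once between polls.
    """
    modulus = 1 << bits
    return (cur - prev) % modulus


if __name__ == "__main__":
    n = parse_flow_count(SAMPLE_OUTPUT)
    print(f"{n} flows, {table_utilization(n):.1%} of hard cap: {grade_flow_count(n)}")
    # A 32-bit byte counter just before and just after wrapping.
    print("delta across wrap:", counter_delta(4_294_967_000, 200))
```

In practice you would feed the function the output of a scheduled `show mls netflow ip count` (or the equivalent SNMP object) rather than the constructed string, and poll 64-bit counters where the platform offers them so the wrap correction is rarely needed.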