[c-nsp] Cisco Processing Regarding ICMP

Phil Bedard philxor at gmail.com
Sun May 11 09:23:28 EDT 2008


There is a limiter in place on how many destination unreachable ICMP
messages the MSFC will generate; I believe the default is 1 per
500ms. You can set a specific limiter on the DU, Code 4 ICMP
messages (Fragmentation needed, DF bit set) the router generates.
There are also limits on how many packets are sent to the MSFC that
require DU messages be generated, but I don't remember that number
offhand.

The packets that need to have an ICMP unreachable sent are punted to  
the MSFC so it can generate those messages.  On some of the  
distributed systems, the line cards can generate those messages, but I  
don't know about the 7600/DFC and if that's the case.

In my tests, it does a good job by default of protecting the router  
from that type of situation.  If it needs to legitimately generate  
thousands of ICMP messages per second, then the design needs to be  
changed. :)

Phil


On May 10, 2008, at 4:39 PM, <alaerte.vidali at nsn.com> <alaerte.vidali at nsn.com> wrote:

> Thanks Paul,
>
> I would like to find information about processing on the 7609 in this
> situation, with traffic coming from the Internet, normally users
> downloading files or watching videos.
> Because of internal network design requirements, it is necessary to
> decrease the internal MTU to slightly lower than 1500 bytes, so I would
> like to know how the 7609 will handle a high number (in the worst case,
> or attacks) of packets with high MTU and DF bit set.
>
> Br,
> Alaerte
>
> -----Original Message-----
> From: ext Paul Cosgrove [mailto:paul.cosgrove at heanet.ie]
> Sent: Saturday, May 10, 2008 9:53 PM
> To: Vidali Alaerte (NSN - BR/Rio de Janeiro)
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco Processing Regarding ICMP
>
> Hi Alaerte,
>
> This will be dependent on the hardware, traffic types, throughput and
> software version/configuration. You may need to explain a little more
> in order to get an adequate answer to your question.
>
> Large numbers of packets from a handful of hosts running PMTUD may
> require a smaller number of ICMP notifications than would be necessary
> for a larger number of hosts sending less traffic.  The difference in
> the MTUs, and the sizes of the incoming packets will also affect the
> proportion of traffic which triggers notifications.  Similarly,
> protocols running on the router itself may require their packets to be
> fragmented.
>
> Paul.
>
> alaerte.vidali at nsn.com wrote:
>> Hi,
>>
>> Is there any document about how a packet received on interface A
>> toward interface B is processed, where interface B has a lower MTU
>> than the received packet and the DF bit is set?
>>
>> (like a description of the process)
>>
>> (considering CPU impact and whether the default limitation of ICMP
>> generation is enough when the number of packets is very high)
>>
>> Thanks,
>> Alaerte
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
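
Added example, not code from any poster in this thread: a simplified Python model of the trade-off discussed above, where a limiter of one ICMP unreachable per 500 ms protects the route processor but makes PMTUD convergence time grow with the number of distinct senders. Assumptions (not from the thread): the limiter is a plain minimum-interval gate, every packet is oversized with DF set, packets from the hosts are evenly interleaved, and a host stops sending oversized packets once it receives one Fragmentation Needed message.

```python
import heapq


def simulate(hosts, pps_per_host, interval_ms=500):
    """Model a '1 unreachable per interval' limiter under DF-set oversize load.

    Returns (learned, suppressed):
      learned    - {host: time in ms at which it got Fragmentation Needed}
      suppressed - packets dropped without any ICMP being generated
    All internal times are integer microseconds to avoid float drift.
    """
    gap_us = 1_000_000 // pps_per_host      # spacing of one host's packets
    interval_us = interval_ms * 1000
    # Stagger the hosts evenly inside one gap so their packets interleave.
    queue = [(h * gap_us // hosts, h) for h in range(hosts)]
    heapq.heapify(queue)

    learned = {}
    last_icmp_us = None
    suppressed = 0
    while queue:
        now_us, host = heapq.heappop(queue)
        if last_icmp_us is None or now_us - last_icmp_us >= interval_us:
            # Limiter is open: one ICMP goes out, this host lowers its MTU.
            last_icmp_us = now_us
            learned[host] = now_us / 1000
        else:
            # Limiter is closed: packet is dropped silently, host retries.
            suppressed += 1
            heapq.heappush(queue, (now_us + gap_us, host))
    return learned, suppressed


if __name__ == "__main__":
    for n in (1, 4, 50):
        learned, suppressed = simulate(hosts=n, pps_per_host=100)
        print(f"{n:3d} hosts: last host learns MTU after "
              f"{max(learned.values()):8.1f} ms, "
              f"{suppressed} packets dropped without notification")
```

In this model the ICMP generation rate never exceeds 2 per second regardless of offered load, while the last of N senders waits roughly (N - 1) x 500 ms before it can adjust its packet size.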


