[c-nsp] 6500 - What determines whether certain traffic is punted or not?

Drew Weaver drew.weaver at thenap.com
Tue Nov 24 13:03:31 EST 2009 

Hi,

Yeah I followed the exact same instructions you posted when creating the RP span session.

Source Port-VLAN Info
---------------------
 Ingress Source Ports:  4/23 15/1
 Egress Source Ports :  4/23
 Ingress Source Vlans:  <null>
 Egress Source Vlans :  <null>
 Ingress Filter Vlans :  <null>
 Egress Filter Vlans  :  <null>
 Exclude Filter Vlans : <empty>
 Exclude Alt Filter Vlans : <empty>
 Ingress Filter Vlan Count: 0
 Egress Filter Vlan Count : 0
 Exclude Filter Vlan Count: 0
 Exclude Alt Vlan Count   : 0

Destination ports:  4/24

Thanks,
-Drew

From: Lee [mailto:ler762 at gmail.com]
Sent: Tuesday, November 24, 2009 1:00 PM
To: Drew Weaver
Cc: Cisco-nsp
Subject: Re: [c-nsp] 6500 - What determines whether certain traffic is punted or not?

Hi Drew,
On Tue, Nov 24, 2009 at 11:33 AM, Drew Weaver wrote:
Howdy,

I've been having some issues with queue drops/CLI sluggishness on a 6500 and I wanted to check what kind of volume of traffic I was getting punted to the RP.

I made a span session and began checking out the traffic with tethereal.

How did you make the span session?  I think a regular span session gets you everything - not just punted packets.

I haven't actually tried this, but here's the notes I have for setting up a span session to see punted packets:
------------------

Here are the instructions to setup inband span (which monitors traffic sent to the MSFC):

Router#monitor session 1 source interface fa 3/3 !--- Use any interface that is administratively shut down.
Router#monitor session 1 destination interface fa 3/2

Now, go to the SP console. Here is an example:

Router#remote login switch
Router-sp#test monitor add 1 rp-inband rx <--- check the syntax as it varies from one IOS to the next so use ?

Verify monitor session:

Router-sp#test monitor show session 1
Ingress Source Ports: 3/3 15/1
Egress Source Ports: 3/3
Ingress Source Vlans: <empty>
Egress Source Vlans: <empty>
Filter Vlans: <empty>
Destination Ports: 3/2

Go back to the RP and verify the monitor session as well:

Router#show monitor
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa3/3
Destination Ports : Fa3/2
SP console:
Router-sp#test monitor session 1 show
Ingress Source Ports: 3/3 15/1
Egress Source Ports: 3/3
Ingress Source Vlans: <empty>
Egress Source Vlans: <empty>
Filter Vlans: <empty>
Destination Ports: 3/2

To remove the inband span from sp do
 test monitor session 1 del
and from the rp do
 no mon sess all
-------------------------------

Regards,
Lee


It seems like a huge (30,000) or so packets every few seconds of just UDP traffic is being punted.

The system is a Sup720-3BXL.

Does anyone know how to determine what kind of traffic should be punted to the RP and more importantly why this UDP traffic is hitting the RP?

It almost looks like p2p traffic, but I also see other types of traffic, tcp 445, DNS, port 80, etc.

thanks,
-Drew

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list