[c-nsp] 6500 - What determines whether certain traffic is punted or not?

Drew Weaver drew.weaver at thenap.com
Tue Nov 24 13:07:54 EST 2009 

Sure,  

example #1 
    example #1 
  2.012467 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.012516 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.012566 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.012616 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.012666 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.012766 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.012816 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.012866 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.012916 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.013016 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.013066 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.013116 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.013166 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.013168 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  2.013216 local.ip -> internet.ip UDP Source port: isdd  Destination port: 51472
  
example #2
1.694327 local.ip -> internet.ip SIP Status: 200 OK    (1 bindings)
  1.694426 local.ip -> internet.ip SIP Status: 200 OK    (1 bindings)
  1.694476 local.ip -> internet.ip SIP Status: 200 OK    (1 bindings)
  1.694526 local.ip -> internet.ip SIP Status: 200 OK    (1 bindings)
  1.694576 local.ip -> internet.ip SIP Status: 200 OK    (1 bindings)
  1.694626 local.ip -> internet.ip SIP Status: 200 OK    (1 bindings)
  1.694726 local.ip -> internet.ip SIP Status: 200 OK    (1 bindings)
  1.694776 local.ip -> internet.ip SIP Status: 200 OK    (1 bindings)
  1.694826 local.ip -> internet.ip SIP Status: 200 OK    (1 bindings)
  1.694876 local.ip -> internet.ip SIP Status: 200 OK    (1 bindings)
  
example #3

1.034938 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.034942 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035037 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035041 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035137 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035187 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035236 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035336 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035341 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035436 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035486 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035536 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035586 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
  1.035636 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic

example #4

1.292173 local.ip -> internet.ip DNS Standard query response, No such name
  1.292223 local.ip -> internet.ip DNS Standard query response, No such name
  1.292273 local.ip -> internet.ip DNS Standard query response, No such name
  1.292323 local.ip -> internet.ip DNS Standard query response, No such name
  1.292373 local.ip -> internet.ip DNS Standard query response, No such name
  1.292423 local.ip -> internet.ip DNS Standard query response, No such name
  1.292473 local.ip -> internet.ip DNS Standard query response, No such name
  1.292522 local.ip -> internet.ip DNS Standard query response, No such name
  1.292573 local.ip -> internet.ip DNS Standard query response, No such name
  1.292622 local.ip -> internet.ip DNS Standard query response, No such name
  1.292672 local.ip -> internet.ip DNS Standard query response, No such name

example #5

1.343640 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.354772 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.354872 10.1.0.162 -> 192.168.115.34 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.381130 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.384974 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.393011 10.1.0.162 -> internet.ip ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.414982 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.442681 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.445027 10.1.0.162 -> 192.168.45.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.463498 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.474230 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.501936 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.504232 10.1.0.162 -> 192.168.115.34 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.504582 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  1.519408 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)

each of these examples are just tiny samples, the traffic seems to go on for a long time.

Note I sanitized the IPs in example #5

-Drew
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sebastian Wiesinger
Sent: Tuesday, November 24, 2009 11:38 AM
To: Cisco-nsp
Subject: Re: [c-nsp] 6500 - What determines whether certain traffic is punted or not?

* Drew Weaver <drew.weaver at thenap.com> [2009-11-24 17:34]:
> I've been having some issues with queue drops/CLI sluggishness on a
> 6500 and I wanted to check what kind of volume of traffic I was
> getting punted to the RP.
> 
> I made a span session and began checking out the traffic with
> tethereal.
> 
> It seems like a huge (30,000) or so packets every few seconds of
> just UDP traffic is being punted.

Hi Drew,

can you post a sample from that traffic? Is it mostly the same?

> The system is a Sup720-3BXL.
> 
> Does anyone know how to determine what kind of traffic should be
> punted to the RP and more importantly why this UDP traffic is
> hitting the RP?

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml#situations

Kind Regards,

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list