[c-nsp] SUP720 - 12.2(18)SXF17

Marcus.Gerdon Marcus.Gerdon at versatel.de
Thu Oct 8 05:32:58 EDT 2009


But traceroute's one of the killer apps for Sup720s, regardless of whether used in 6500 or 7600.

Depending on the traffic you pass through, there might be lots of 'TTL expired' (nearly all originating from running traceroutes, else I'd suspect you've another, more serious problem).

Running plain-IP-configuration passing 10-15 Gbps originating mostly from residential internet access across a 7600 I've seen a good 20% CPU coming from roughly 2000 'TTL expired's *per second*.

The ever more widespread abuse of traceroute (before someone starts arguing: yes, I call permanent use of mtr and the like for end-user pseudo-monitoring 'network abuse') is something you'll be forced into limiting to protect your network at some point in time, despite the complaints of some customers not understanding the technology behind it.


Marcus


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bob Snyder
> Sent: Wednesday, 7 October 2009 21:19
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] SUP720 - 12.2(18)SXF17
> 
> On Mon, Oct 5, 2009 at 5:43 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> 
> > mls rate-limit all ttl-failure 100 10
> > mls rate-limit all mtu-failure 100 10
> >
> > There's no reason not to have the TTL failure rate limit enabled AFAIK.
> > Choose a value appropriate to you, obviously.
> 
> One gotcha here is that busy routers will start dropping traceroute
> packets as the trace hits routers that are actively rate-limiting.
> Even though end-to-end traffic isn't affected, you may get user calls
> (or confused network admins) complaining about packet loss because of
> a misleading traceroute.
> 
> Still definitely a good idea, but something to consider when setting
> thresholds and managing expectations.
> 
> Bob
> 
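
An added example, not part of the original thread: Bob's point that a rate-limited hop shows loss in a trace while end-to-end traffic is unaffected can be checked mechanically. The script parses a constructed `mtr --report` sample (addresses and values are made up) and treats per-hop loss that does not persist to later hops as suppressed replies; the function names and the 1% tolerance are assumptions.

```python
import re

# Constructed sample in `mtr --report` layout (documentation addresses, made-up values).
SAMPLE_REPORT = """\
HOST: probe.example               Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%   100    0.4   0.5   0.3   1.2   0.1
  2.|-- 198.51.100.9              62.0%   100    1.9   2.1   1.7   4.0   0.4
  3.|-- 198.51.100.33              0.0%   100    2.4   2.6   2.2   5.1   0.5
  4.|-- 203.0.113.17               3.0%   100    8.8   9.0   8.5  12.3   0.6
  5.|-- 203.0.113.80               3.0%   100    9.1   9.4   8.9  13.0   0.7
"""

HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%", re.M)

def parse_report(text):
    """Return [(hop_number, host, loss_percent), ...] from an mtr report."""
    return [(int(n), host, float(loss)) for n, host, loss in HOP_RE.findall(text)]

def classify(hops, tolerance=1.0):
    """Split each hop's reported loss into forwarding loss and reply suppression.

    Loss in the forwarding path at hop k must also hit every later hop, so the
    forwarding loss up to hop k is at most the minimum loss seen from k onward.
    Anything above that bound is the hop not answering (for example a
    TTL-failure rate limiter), not packets being dropped in transit.
    """
    results, bound = [], float("inf")
    for n, host, loss in reversed(hops):
        bound = min(bound, loss)
        suppressed = loss - bound
        verdict = "replies suppressed" if suppressed > tolerance else "consistent"
        results.append({"hop": n, "host": host, "reported": loss,
                        "forwarding_bound": bound, "suppressed": suppressed,
                        "verdict": verdict})
    return list(reversed(results))

def end_to_end_loss(hops):
    """Loss measured at the final hop: the figure that reflects user traffic."""
    return hops[-1][2] if hops else None

if __name__ == "__main__":
    for r in classify(parse_report(SAMPLE_REPORT)):
        print("{hop:>2} {host:<16} reported={reported:5.1f}% "
              "forwarding<={forwarding_bound:4.1f}% {verdict}".format(**r))
```

In the sample, hop 2 reports 62% loss but hop 3 behind it reports none, so the loss is in hop 2's replies; only the 3% that persists to the destination affects forwarded traffic.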

