[c-nsp] SUP720 - 12.2(18)SXF17
Jared Mauch
jared at puck.nether.net
Fri Oct 9 09:16:27 EDT 2009
I think it's important to note that there are similar limiters in
other devices, eg: Juniper m20/m40 that we've encountered over the
years.
This has caused customer confusion as they hit these, even in a fully
distributed linecard environment. The reality is unless it's done in
a low-level ASIC, it can easily turn into a security vulnerability.
Drop 5 gigs of ttl=1 traffic at a device and it will fall over unless
there is some protection. It may not even need to be as high as 5g.
There are a lot of rate-limiters available, check out 'show mls rate-
limit' on your Earl7 (76k, ie: (65|76)00) based device. Set them low
to avoid problems. I find 100/10 works well.
- Jared
On Oct 9, 2009, at 9:01 AM, Drew Weaver wrote:
> I assume you were being sarcastic when you said: " But traceroute's
> one of the killer apps for Sup720's regardless if used in 6500 or
> 7600." as we have found out that whenever the BGP Scanner process
> goes wild it totally botches trace routes. Apparently this is not an
> issue on the GSR because the line cards originate the ICMP
> unreachables but on the 6500/7600 platform the unreachables come
> from the RP (or so I'm told). Has anyone found a way to make any
> headway on cleaning up the ugly traceroute effect of BGP Scanner? I
> obviously realize that traceroutes are all but worthless as far as
> diagnostics go, but it's a "presentation" thing.
>
> thanks,
> -Drew
More information about the cisco-nsp
mailing list