[c-nsp] Cisco Security Advisory: Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability
Anton Kapela
tkapela at gmail.com
Sat Apr 3 20:46:41 EDT 2010
On Apr 3, 2010, at 11:43 AM, Gert Doering wrote:
> Hi,
>
> On Thu, Apr 01, 2010 at 09:15:03AM -0400, Anton Kapela wrote:
>> Yes, SXF17a (lan only, ip services) has, over the last few weeks, been
>> stable on several lab systems. The only trouble experienced so far had
>> to do with a rather slow "removal" of routes from the tcam on the pfc
>> (something like 20 prefixes/second slow);
>
> This does not sound very healthy. How can you see this slow removal?
Only occurred on ip-services + wan sxf17a, not lan-only. The way this manifested was visible in two ways:

- ip rib updater chewing cpu after 'clear ip bgp *' -- but not after 'clear ip bgp * soft' -- as only deltas are shoved into rib/fib
- 'sh cef line' would show a xdr flow control/window size of single-digits and/or 0, and repeated exec's of this command would reveal 20 to 30 prefixes leaving per second, i.e. 200 to 300x slower than on non-wan image.

I'll attempt to re-create this one for shits/grins,
-Tk