[c-nsp] Cat4500 High CPU with Multicast Stream

Christina Klam cklam at ias.edu
Thu Jul 14 13:12:49 EDT 2011


Antonio,
What happened was someone tried to Ghost using a public IP (non RFC-1918 address), server = 198.138.242.23 to ghost address= udp: 224.77.227.139:7777.  When that traffic hit my switch outside of my LAN's gateway router, it flooded it with udp traffic causing a DoS situation.  

"Protection" that existed but failed to protect us: 
ip igmp limit 1

All interfaces have:
 storm-control broadcast level 9.00
 storm-control multicast level 1.00
 storm-control unicast level 90.00

And uplinks have  "switchport block multicast"

Additional protections that I added after the fact:  
class-map match-any CLASS_Multicast_ICMP
 match access-group name Rate_Multicast
 match access-group name Rate_ICMP
class-map match-any CLASS_UDP
 match access-group name Rate_UDP

policy-map POLICY_RATE
 class CLASS_UDP
  police 5000000 375000 exceed-action drop
 class CLASS_Multicast_ICMP
  police 50000 62500 exceed-action drop
 class class-default
  police 1000000000 1000000 exceed-action drop
!
ip access-list extended Rate_ICMP
 permit icmp any any
ip access-list extended Rate_Multicast
 permit ip any 224.0.0.0 15.255.255.255
ip access-list extended Rate_UDP
 permit udp any any

Regards,
Christina

On Jul 13, 2011, at 4:23 PM, Antonio Soares wrote:

> What is the address range used by ghost ? I've heard that ghost can kill a
> network. But if it not using the 224.0.0.0/24 range and you have at least
> "ip igmp snooping" on every switch, I don't see how this could affect the
> network.
> 
> Regards,
> 
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
> http://www.ccie18473.net
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christina Klam
> Sent: Wednesday, July 13, 2011 15:11
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cat4500 High CPU with Multicast Stream
> 
> I have the same CPU problem but on a 3750.  How would I add a similar
> rate-limit for our ghost traffic?  That command does not work on
> 12.2(52)SE.
> 
> Thank you,
> Christina
>> Message: 9
>> Date: Wed, 13 Jul 2011 13:59:28 +0100
>> From: Alexander Clouter <alex at digriz.org.uk>
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Cat4500 High CPU with Multicast Stream
>> Message-ID: <geh0f8-ujm.ln1 at chipmunk.wormnet.eu>
>> 
>> Antonio Soares <amsoares at netcabo.pt> wrote:
>>> 
>>> I have a customer with a few 3560/3750's and one 4500/SUP5 acting as the
>>> core switch.
>>> 
>>> For some reason, when a user starts one multicast stream, the 4500 suffers
>>> high cpu utilization and the network is affected. Only the 4500 suffers from
>>> this problem, the 3560/3750's don't have any complaints.
>>> 
>>> I see that the 4500 is a CEF based platform and I know that IP Multicast is
>>> not supported in the CEF path. So I was expecting to have this traffic
>>> switched in hardware or fast-switched. But a packet capture shows me that
>>> the traffic goes to the cpu. I used this debug and output to confirm this:
>>> 
>>> debug platform packet all receive buffer
>>> 
>>> show platform cpu packet buffered
>>> 
>>> The processes that eat most of the cpu are "Cat4k Mgmt LoPri" and "Cat4k
>>> Mgmt HiPri". We thought this could be a bug and we upgraded the 4500 to the
>>> latest release but the problem is exactly the same. The multicast stream is
>>> processed by the cpu.
>>> 
>>> Has anyone seen this before? Is this normal behavior of the 4500?
>>> 
>>> Usually the multicast streams are destined to 224.x.x.x. The end users do
>>> not respect the 239 rule.
>>> 
>>> 
>> Sounds like the following might help:
>> 
>> 
>> http://www.gossamer-threads.com/lists/cisco/nsp/128799?do=post_view_threaded
>> 
>> It's the following lines you might need:
>> ----
>> mls rate-limit multicast ipv4 non-rpf 100 10
>> mls rate-limit multicast ipv4 partial 250 100
>> ----
>> 
>> Or something similar to them.
>> 
>> Cheers
>> 
>> -- 
>> Alexander Clouter
>> .sigmonster says: I'm not tense, just terribly, terribly alert!
>> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

Christina Klam
Network Administrator
Institute for Advanced Study
Email:  cklam at ias.edu

Einstein Drive          Telephone: 609-734-8154
Princeton, NJ 08540     Fax:  609-951-4418
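As an added example (not code from the thread), a small Python model of how the posted POLICY_RATE policy-map classifies a packet, assuming standard MQC behaviour: classes are checked in policy-map order and the first match wins. It shows that a UDP multicast stream like the Ghost session lands in CLASS_UDP (policed at 5 Mbps) rather than in the 50 kbps multicast/ICMP class, so the class order decides which policer applies.

```python
import ipaddress

# Assumptions (added example): classes are evaluated in policy-map order,
# first match wins, and ACL entries use Cisco wildcard masks.
def wild_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def ace_match(ace, pkt):
    proto, src, src_wc, dst, dst_wc = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    return wild_match(pkt["src"], src, src_wc) and wild_match(pkt["dst"], dst, dst_wc)

ANY = ("0.0.0.0", "255.255.255.255")          # the "any" keyword
# ACLs as posted: (proto, src, src-wildcard, dst, dst-wildcard)
ACLS = {
    "Rate_ICMP": [("icmp", *ANY, *ANY)],
    "Rate_Multicast": [("ip", *ANY, "224.0.0.0", "15.255.255.255")],  # 224/4
    "Rate_UDP": [("udp", *ANY, *ANY)],
}
# class-map match-any: the class matches if any listed ACL permits the packet
CLASS_MAPS = {
    "CLASS_Multicast_ICMP": ["Rate_Multicast", "Rate_ICMP"],
    "CLASS_UDP": ["Rate_UDP"],
}
# policy-map POLICY_RATE in the order posted: (class, police rate in bps)
POLICY_RATE = [("CLASS_UDP", 5_000_000),
               ("CLASS_Multicast_ICMP", 50_000),
               ("class-default", 1_000_000_000)]
# Same classes with the multicast/ICMP class first, for comparison
MULTICAST_FIRST = [POLICY_RATE[1], POLICY_RATE[0], POLICY_RATE[2]]

def classify(policy, pkt):
    """Return (class, police_bps) for the first class the packet matches."""
    for cls, rate in policy:
        if cls == "class-default":
            return cls, rate
        if any(ace_match(ace, pkt) for acl in CLASS_MAPS[cls] for ace in ACLS[acl]):
            return cls, rate
    return None

# Constructed packet shaped like the Ghost stream described in the thread
GHOST = {"proto": "udp", "src": "198.138.242.23", "dst": "224.77.227.139"}

if __name__ == "__main__":
    print(classify(POLICY_RATE, GHOST))      # ('CLASS_UDP', 5000000)
    print(classify(MULTICAST_FIRST, GHOST))  # ('CLASS_Multicast_ICMP', 50000)
```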
