[c-nsp] Cat4500 High CPU with Multicast Stream

Antonio Soares amsoares at netcabo.pt
Thu Jul 14 13:52:02 EDT 2011


What interfaces do you have? Remember that 1% of 10Gbps is 100Mbps, which is
enough to kill the switch CPU.

Also, in your QoS config, be careful because the UDP Class takes precedence
over the Multicast Class, so maybe you are not policing as you like. You
should change the order: first the Multicast Class, then the UDP Class.

 

policy-map POLICY_RATE
 class CLASS_UDP
  police 5000000 375000 exceed-action drop
 class CLASS_Multicast_ICMP
  police 50000 62500 exceed-action drop
 class class-default
  police 1000000000 1000000 exceed-action drop
!

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net
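To see why the class order matters, here is a small Python model of the policy-map walk, added as an example here (it is not code from the thread or from Cisco). It assumes the class-maps and ACLs posted below, evaluated first-match as IOS MQC does, with the police CIR shown in bps, and it also runs the reordered policy for comparison.

```python
import ipaddress
# Constructed model of the MQC policy quoted in this thread; not vendor code.
def ios_wildcard_to_network(spec):
    """Turn an IOS destination spec ('any' or 'addr wildcard') into an IPv4Network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, wildcard = spec.split()
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # wildcard = inverted mask
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

# ip access-list entries from the thread: (protocol, destination spec)
ACLS = {
    "Rate_ICMP":      [("icmp", "any")],
    "Rate_Multicast": [("ip",   "224.0.0.0 15.255.255.255")],
    "Rate_UDP":       [("udp",  "any")],
}

# class-map match-any: the packet matches if any referenced ACL permits it
CLASS_MAPS = {
    "CLASS_UDP":            ["Rate_UDP"],
    "CLASS_Multicast_ICMP": ["Rate_Multicast", "Rate_ICMP"],
}

def acl_permits(acl_name, proto, dst):
    for ace_proto, dst_spec in ACLS[acl_name]:
        if ace_proto in ("ip", proto) and \
                ipaddress.IPv4Address(dst) in ios_wildcard_to_network(dst_spec):
            return True
    return False

def classify(policy, proto, dst):
    """First-match walk of a policy-map; returns (class name, police CIR in bps)."""
    for class_name, cir_bps in policy:
        if class_name == "class-default" or \
                any(acl_permits(a, proto, dst) for a in CLASS_MAPS[class_name]):
            return class_name, cir_bps
    return "class-default", None

# POLICY_RATE as posted (UDP class first) and reordered as suggested above
POLICY_AS_POSTED = [("CLASS_UDP", 5000000),
                    ("CLASS_Multicast_ICMP", 50000), ("class-default", 1000000000)]
POLICY_REORDERED = [("CLASS_Multicast_ICMP", 50000),
                    ("CLASS_UDP", 5000000), ("class-default", 1000000000)]

if __name__ == "__main__":
    # The Ghost stream from the thread: UDP to 224.77.227.139
    for label, policy in (("as posted", POLICY_AS_POSTED), ("reordered", POLICY_REORDERED)):
        print(label, classify(policy, "udp", "224.77.227.139"))
```

With the posted order the multicast UDP stream lands in CLASS_UDP and gets the 5 Mbps policer; reordered, it hits the 50 kbps multicast policer while unicast UDP still falls through to CLASS_UDP.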


From: Christina Klam [mailto:cklam at ias.edu]
Sent: Thursday, 14 July 2011 18:13
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cat4500 High CPU with Multicast Stream

Antonio,

What happened was someone tried to Ghost using a public IP (non-RFC-1918
address): server = 198.138.242.23, ghost address = udp:224.77.227.139:7777.
When that traffic hit my switch outside of my LAN's gateway router, it
flooded it with UDP traffic, causing a DoS situation.

"Protection" that existed but failed to protect us:

ip igmp limit 1

All interfaces have:

 storm-control broadcast level 9.00
 storm-control multicast level 1.00
 storm-control unicast level 90.00

And uplinks have "switchport block multicast"

Additional protections that I added after the fact:

class-map match-any CLASS_Multicast_ICMP
 match access-group name Rate_Multicast
 match access-group name Rate_ICMP
class-map match-any CLASS_UDP
 match access-group name Rate_UDP

policy-map POLICY_RATE
 class CLASS_UDP
  police 5000000 375000 exceed-action drop
 class CLASS_Multicast_ICMP
  police 50000 62500 exceed-action drop
 class class-default
  police 1000000000 1000000 exceed-action drop
!
ip access-list extended Rate_ICMP
 permit icmp any any
ip access-list extended Rate_Multicast
 permit ip any 224.0.0.0 15.255.255.255
Extended IP access list Rate_UDP
    10 permit udp any any

Regards,
Christina

On Jul 13, 2011, at 4:23 PM, Antonio Soares wrote:

What is the address range used by Ghost? I've heard that Ghost can kill a
network. But if it is not using the 224.0.0.0/24 range and you have at least
"ip igmp snooping" on every switch, I don't see how this could affect the
network.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christina Klam
Sent: Wednesday, 13 July 2011 15:11
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cat4500 High CPU with Multicast Stream

I have the same CPU problem but on a 3750.  How would I add a similar
rate-limit for our ghost traffic?  That command does not work on
12.2(52)SE.

Thank you,
Christina

Message: 9
Date: Wed, 13 Jul 2011 13:59:28 +0100
From: Alexander Clouter <alex at digriz.org.uk>
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cat4500 High CPU with Multicast Stream
Message-ID: <geh0f8-ujm.ln1 at chipmunk.wormnet.eu>

Antonio Soares <amsoares at netcabo.pt> wrote:


I have a customer with a few 3560/3750's and one 4500/SUP5 acting as the
core switch.

For some reason, when a user starts a multicast stream, the 4500 suffers
high CPU utilization and the network is affected. Only the 4500 suffers from
this problem; the 3560/3750's don't have any complaints.

I see that the 4500 is a CEF-based platform and I know that IP Multicast is
not supported in the CEF path. So I was expecting to have this traffic
switched in hardware or fast-switched. But a packet capture shows me that
the traffic goes to the CPU. I used this debug and output to confirm this:

debug platform packet all receive buffer

show platform cpu packet buffered

The processes that eat most of the CPU are "Cat4k Mgmt LoPri" and "Cat4k
Mgmt HiPri". We thought this could be a bug and we upgraded the 4500 to the
latest release, but the problem is exactly the same. The multicast stream is
processed by the CPU.

Has anyone seen this before? Is this normal behavior of the 4500?

Usually the multicast streams are destined to 224.x.x.x. The end users do
not respect the 239 rule.

Sounds like the following might help:

http://www.gossamer-threads.com/lists/cisco/nsp/128799?do=post_view_threaded

It's the following lines you might need:
----
mls rate-limit multicast ipv4 non-rpf 100 10
mls rate-limit multicast ipv4 partial 250 100
----

Or something similar to them.

Cheers

-- 
Alexander Clouter
.sigmonster says: I'm not tense, just terribly, terribly alert!

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Christina Klam
Network Administrator
Institute for Advanced Study
Email: cklam at ias.edu
Einstein Drive          Telephone: 609-734-8154
Princeton, NJ 08540     Fax:  609-951-4418