[c-nsp] OSPF flapping ME3400

Lee Starnes lee.t.starnes at gmail.com
Wed Dec 9 00:17:00 EST 2015


Thanks Lukas.

We are running SDM default. The attacks are to IPs that are routed by the
switch but are on the other end of the ethernet link to the client. No
attack on the switch itself. As to TCAM warnings, would not have any in the
logs at this time. This took place a couple weeks ago and I was more
interested in blocking the traffic that was causing the problem at the
time. Since the traffic was 800Kpps I suspect it was just too much for the
switch to deal with. I will have to see what shows up in the logs for TCAM
issues and processes next time.

While we have since put rate limits in at all our core routers, I
suspect this will help prevent this from happening as often. Just wondered
if there was a best practice on dampening the flaps should that happen.

show sdm prefer
 The current template is "default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.


Best regards,

-Lee

On Tue, Dec 8, 2015 at 1:56 AM, Lukas Tribus <luky-37 at hotmail.com> wrote:

> Hi!
>
>
> > Hello everyone,
> >
> > We have some ME3400 switches that are doing OSPF. These work fine and have
> > for a couple years now. However, if a link on them (100M) gets hit with a
> > ddos attack, the switch will start OSPF flapping. This in turn causes all
> > the others to do the same. Is there a way to dampen the flapping effect so
> > that it does not cause a massive network outage?
>
> Does the DDoS target a customer routed by this ME3400 or does the DDoS
> target the ME3400 itself?
>
> Do you have "show proc cpuc sort" from the DoS and in normal production?
>
>
> Honestly, this sounds like the ME3400 would route in software. Any TCAM
> warnings in the log? Do you use the correct sdm template?
>
> Provide outputs:
> show proc cpuc sort
> show ip route summary
> show log | inc TCAM
> show sdm prefer
>
>
> In case the SDM template is layer 2, switch to "default":
>
>
> http://www.cisco.com/c/en/us/td/docs/switches/metro/me3400/software/release/12-2_55_se/configuration/guide/ME3400_scg/swsdm.html
>
>
>
> Regards,
>
> Lukas
>
>
>
>

