<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Thanks. Have you read this blog and discussion?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><a href="http://blog.ipspace.net/2014/09/ipv6-neighbor-discovery-nd-and.html">http://blog.ipspace.net/2014/09/ipv6-neighbor-discovery-nd-and.html</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><a href="http://www.ietf.org/mail-archive/web/v6ops/current/msg19877.html">http://www.ietf.org/mail-archive/web/v6ops/current/msg19877.html</a> [very long breaks into a couple of sub-threads, but worth reading]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Frank<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> foundry-nsp [mailto:foundry-nsp-bounces@puck.nether.net] <b>On Behalf Of </b>Justin Keery<br><b>Sent:</b> Wednesday, November 19, 2014 8:01 AM<br><b>To:</b> Jethro R Binks; foundry-nsp@puck.nether.net<br><b>Subject:</b> Re: [f-nsp] ANY IDEAS - IP6 multicast traffic causing severe CPU load issue (on ICX)<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>The platform is ICX - the traffic in fact passed through three models and all have the same symptoms (over 40% CPU load and occasional OSPF issues as a result)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>ICX6450, ICX6610 and ICX6650<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The ICX platform does not offer granular CPU info - it just describes all activity as "application".<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Frustratingly therefore there is no good info about what the CPU is doing - all we know is that there's IP6 multicast traffic, and when we shut the port down the CPU load goes back to normal :-(<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><b>All we want to do is pass through and not process the traffic. No snooping, no CPU processing at all.</b><br clear=all><o:p></o:p></p><div><div><div><div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif'>The continued suggestions are much appreciated!<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Arial",sans-serif'>Thanks!<o:p></o:p></span></p></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On 19 November 2014 13:34, Jethro R Binks <<a href="mailto:jethro.binks@strath.ac.uk" target="_blank">jethro.binks@strath.ac.uk</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>Can you get more details on what in particular in cpu it is doing? "sh<br>cpu detail" or "sh proc cpu" for example (can't remember which are<br>supported on whic platform)?<br><br>Jethro.<br><br><br><br>On Wed, 19 Nov 2014, Justin Keery wrote:<br><br>> *Suggestion from Ronald and Rajesh THANKS- more comments below*<br>><br>> *From Ronald:* Take a look at these:<br>> <a href="http://www.brocade.com/downloads/documents/product_manuals/B_FastIron/FastIron_08000a_MulticastGuide.pdf" target="_blank">http://www.brocade.com/downloads/documents/product_manuals/B_FastIron/FastIron_08000a_MulticastGuide.pdf</a><br>><br>><br>> *That's definitely better documentation than I've found before, thanks a<br>> lot.We did put in commands to disable multicast IGMP (v4) and MLD (v6)<br>> snooping.*<br>> *It seems not to have worked - Is there something else we're missing?*<br>><br>> vlan 682 by port<br>> tagged ethe 1/2/1 to 1/2/3<br>> multicast disable-igmp-snoop <- did not help<br>> multicast6 disable-mld-snoop <- did not help<br>><br>><br>> *Rajesh: *"If you have genuine multicast traffic in your network then you<br>> can apply Broadcast and multicast limit on the up links. Else stop the<br>> cast by ACL."<br>><br>> The granularity seems to be that we can't set a limit of less than<br>> 64Mbit/sec (traffic is less than that). We tried to block IP6 altogether<br>> via ACL - no effect.<br>><br>> *Is it possible that we need to remove/rebuild the VLAN or disable/enable<br>> the interface before the Multicast or ACL settings will take effect?*<br>><br>> *Is there some way to simply forward the multicast traffic as layer 2 and<br>> force the CPU to ignore it, which is what we want!*<br>><br>><br>> On 19 November 2014 12:31, Ronald Esveld <<a href="mailto:ronald.esveld@qi.nl">ronald.esveld@qi.nl</a>> wrote:<br>><br>> > Hi Justin,<br>> ><br>> ><br>> ><br>> > Take a look at these:<br>> > <a href="http://www.brocade.com/downloads/documents/product_manuals/B_FastIron/FastIron_08000a_MulticastGuide.pdf" target="_blank">http://www.brocade.com/downloads/documents/product_manuals/B_FastIron/FastIron_08000a_MulticastGuide.pdf</a><br>> ><br>> ><br>> ><br>> > This one helps out.<br>> ><br>> > Ronald<br>> ><br>> ><br>> ><br>> > *Van:* foundry-nsp [mailto:<a href="mailto:foundry-nsp-bounces@puck.nether.net">foundry-nsp-bounces@puck.nether.net</a>] *Namens *Justin<br>> > Keery<br>> > *Verzonden:* woensdag 19 november 2014 11:04<br>> > *Aan:* <a href="mailto:foundry-nsp@puck.nether.net">foundry-nsp@puck.nether.net</a><br>> > *Onderwerp:* [f-nsp] ANY IDEAS - IP6 multicast traffic causing severe CPU<br>> > load issue (on ICX)<br>> ><br>> ><br>> ><br>> ><br>> > Hi folks, any ideas about this?<br>> ><br>> > The switches affected by this include ICX6540, 6610 and 6650 all of which<br>> > were involved in transporting the VLAN described below.<br>> ><br>> > IP6 multcast traffic (less than 20Mbit/sec, discovered with wireshark on a<br>> > mirror port) on VLAN682 was causing >40% CPU load on all switches where<br>> > this VLAN was configured, even though there is no IP virtual interface in<br>> > this VLAN. At one point there was a brief but serious OSPF failure whilst<br>> > this condition was present.<br>> ><br>> > With the ingress port shut down the CPU load returned to 1%.<br>> ><br>> > We tried to disable IP4 and IP6 igmp / mld snooping, this had no effect.<br>> > We then added a router-interface so we could add an IP6 ACL to filter *all*<br>> > IP6 traffic - again no effect<br>> ><br>> > vlan 682 name KARMARAMA_L2_ONEA809159_682 by port<br>> > tagged ethe 1/2/1 to 1/2/3<br>> > router-interface ve 682 <- added later so we could implement an ACL<br>> > multicast disable-igmp-snoop <- did not help<br>> > multicast6 disable-mld-snoop <- did not help<br>> ><br>> ><br>> ><br>> > *We need a way to make sure that IP6 multicasts on a VLAN won't overload<br>> > the CPU on any switch with that VLAN present - ideally filter that VLAN<br>> > from the CPU altogether!*<br>> ><br>> ><br>> ><br>> > Any ideas?<br>> ><br>> ><br>> ><br>> > Thanks<br>> ><br>> ><br>> ><br>> > Justin<br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Met vriendelijke groet, With kind regards,<br>> ><br>> > [image: <a href="http://www.qi.nl" target="_blank">http://www.qi.nl</a>]<br>> ><br>> > Ronald Esveld<br>> > senior network engineer<br>> ><br>> > *Qi ict*<br>> > Delftechpark 35-37<br>> > Postbus 402, 2600 AK Delft<br>> ><br>> > T : <a href="tel:%2B31%2015%20888%200%20444">+31 15 888 0 444</a> F : <a href="tel:%2B31%2015%20888%200%20445">+31 15 888 0 445</a> E : <a href="mailto:ronald.esveld@qi.nl">ronald.esveld@qi.nl</a> I :<br>> > <a href="http://www.qi.nl" target="_blank">http://www.qi.nl</a><br>> ><br>> > Qi ict neemt strategisch belang in INOVATIV<br>> > <<a href="https://www.qi.nl/actueel/qi-ict-neemt-strategisch-belang-in-inovativ" target="_blank">https://www.qi.nl/actueel/qi-ict-neemt-strategisch-belang-in-inovativ</a>><br>> ><br>> ><br>> ><br>><br><br>. . . . . . . . . . . . . . . . . . . . . . . . .<br>Jethro R Binks, Network Manager,<br>Information Services Directorate, University Of Strathclyde, Glasgow, UK<br><br>The University of Strathclyde is a charitable body, registered in<br>Scotland, number SC015263.<br>_______________________________________________<br>foundry-nsp mailing list<br><a href="mailto:foundry-nsp@puck.nether.net">foundry-nsp@puck.nether.net</a><br><a href="http://puck.nether.net/mailman/listinfo/foundry-nsp" target="_blank">http://puck.nether.net/mailman/listinfo/foundry-nsp</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>