[rbak-nsp] Internal icmp ratelimiting?

Marcin Kuczera marcin at leon.pl
Fri Sep 16 07:57:48 EDT 2011


Mariano Juliá wrote:
> Yes, there is a hard coded policer for locally bound ICMP packets.
> 
> As a matter of fact, ICMP packets destined to any local IP address never 
> reach the XCRP, they are always handled by the input traffic card 
> regardless of whether the interface belongs to that card or not. So it 
> does for most protocol keepalives although those are not ratelimited.
> 
> I took notes of the ICMP rate limit values, some are in bytes others in 
> packets per second, unfortunately I didn't write down which ones are which.
> 
> ICMP echo request 1000,1500
> ICMP echo reply 1000,1500
> Net Unreach 10,20
> Host Unreach 10,20
> port unreach 10,20
> DF unreach  1000,2000
> admin prohibited 10,20
> TTL exceed 100,200
> Net Redirect 10,20
> host redirect 10,20
> Parameter problem 10,20
> 
> If I recall correctly, one of the commands under "show card" has 
> counters for traffic dropped by this policer but I don't have access to 
> a Redback any more so I can't be more precise.

This is a copy/paste from some /// documents ;)

Rate and burst in number of packets:

Icmp echo request: rate 1000, burst 1500
Icmp echo reply: rate 1000, burst 1500
Net unreachable: rate 10, burst 20
Host unreachable: rate 10, burst 20
Port unreachable: rate 10, burst 20
DF unreachable: rate 1000, burst 2000
Admin prohibited: rate 10, burst 20
TTL exceeded: rate 100, burst 200
Net redirect: rate 10, burst 20
Host redirect: rate 10, burst 20
Parameter problem: rate 10, burst 20

Regards,
Marcin






> 
> Regards,
> 
> Mariano
> 
> On 14/09/2011 14:08, Jim Tyrrell wrote:
>> Does SEOS have some sort of control plane policing that will drop ICMP
>> packets in an MPLS environment? I have configured a vpn context but when
>> testing I'm getting packet loss when pinging the SE600 from our Cisco
>> routers. I have the following setup:
>>
>> R1 -> R2 -> SE600 -> DSL line (L2TP session)
>>
>> R1 & R2 can ping each other fine, and they can also ping the DSL line
>> with 0 packetloss, but when I ping between the Cisco and SE600 I'm
>> getting packet loss:
>>
>>
>> ping vrf test 172.16.10.3 repeat 100
>> Sending 100, 100-byte ICMP Echos to 172.16.10.3, timeout is 2 seconds:
>> !!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!.! 
>>
>>
>> Success rate is 91 percent (91/100), round-trip min/avg/max = 1/1/4 ms
>>
>> It seems to be quite regular, and doesn't happen when pinging through the
>> SE600 to the DSL line so I'm thinking there is some kind of ratelimiting
>> on the SE600 itself?
>>
>> Thanks.
>>
>> Jim.
>> _______________________________________________
>> redback-nsp mailing list
>> redback-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/redback-nsp
> 
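
Added example, not part of the original thread and not Redback/SEOS code: a simulation that reads the rate/burst table posted above and counts how many packets of a constant-rate stream a policer with those values would drop. It assumes a classic token bucket (starts full, one token per packet), since the thread does not say which algorithm the line card uses; `parse_policers`, `police` and `dropped` are names made up here.

```python
import re
from fractions import Fraction

# Table as posted in the thread ("rate and burst in number of packets").
POSTED = """\
Icmp echo request: rate 1000, burst 1500
Icmp echo reply: rate 1000, burst 1500
Net unreachable: rate 10, burst 20
Host unreachable: rate 10, burst 20
Port unreachable: rate 10, burst 20
DF unreachable: rate 1000, burst 2000
Admin prohibited: rate 10, burst 20
TTL exceeded: rate 100, burst 200
Net redirect: rate 10, burst 20
Host redirect: rate 10, burst 20
Parameter problem: rate 10, burst 20
"""

def parse_policers(text):
    """Map lower-cased ICMP type name -> (rate, burst)."""
    rows = re.findall(r"^(.+?): rate (\d+), burst (\d+)$", text, re.M)
    return {name.lower(): (int(r), int(b)) for name, r, b in rows}

def police(arrivals, rate, burst):
    """Assumed token bucket: starts full, refills `rate` tokens/s up to
    `burst`, one token per packet. Returns a pass/drop verdict per arrival."""
    tokens, last, verdicts = Fraction(burst), arrivals[0], []
    for t in arrivals:
        tokens = min(Fraction(burst), tokens + (t - last) * rate)
        last = t
        passed = tokens >= 1          # a dropped packet consumes no token
        if passed:
            tokens -= 1
        verdicts.append(passed)
    return verdicts

def dropped(icmp_type, pps, seconds, table=POSTED):
    """Drops for a constant-rate stream (constructed input) of one ICMP type."""
    rate, burst = parse_policers(table)[icmp_type]
    arrivals = [Fraction(i, pps) for i in range(pps * seconds)]
    return police(arrivals, rate, burst).count(False)

if __name__ == "__main__":
    for name, pps in [("icmp echo request", 2000), ("ttl exceeded", 100),
                      ("net unreachable", 50)]:
        print(f"{name:18} offered {pps:>4} pps for 2 s: "
              f"{dropped(name, pps, 2)} dropped")
```

Exact fractions are used for timestamps so the pass/drop boundary is not affected by floating-point rounding.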


