Antonio,

What happened was someone tried to Ghost using a public IP (non RFC-1918 address), server = 198.138.242.23 to ghost address = udp: 224.77.227.139:7777. When that traffic hit my switch outside of my LAN's gateway router, it flooded it with udp traffic causing a DoS situation.

"Protection" that existed but failed to protect us:

ip igmp limit 1

All interfaces have:

storm-control broadcast level 9.00
storm-control multicast level 1.00
storm-control unicast level 90.00

And uplinks have "switchport block multicast"

Additional protections that I added after the fact:

class-map match-any CLASS_Multicast_ICMP
 match access-group name Rate_Multicast
 match access-group name Rate_ICMP
class-map match-any CLASS_UDP
 match access-group name Rate_UDP
policy-map POLICY_RATE
 class CLASS_UDP
  police 5000000 375000 exceed-action drop
 class CLASS_Multicast_ICMP
  police 50000 62500 exceed-action drop
 class class-default
  police 1000000000 1000000 exceed-action drop
!
ip access-list extended Rate_ICMP
 permit icmp any any
ip access-list extended Rate_Multicast
 permit ip any 224.0.0.0 15.255.255.255
Extended IP access list Rate_UDP
    10 permit udp any any

Regards,
Christina

On Jul 13, 2011, at 4:23 PM, Antonio Soares wrote:

> What is the address range used by ghost ? I've heard that ghost can kill a
> network. But if it not using the 224.0.0.0/24 range and you have at least
> "ip igmp snooping" on every switch, I don't see how this could affect the
> network.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net
>
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Christina Klam
> Sent: Wednesday, 13 July 2011 15:11
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Cat4500 High CPU with Multicast Stream
>
> I have the same CPU problem but on a 3750. How would I add a similar
> rate-limit for our ghost traffic? That command does not work on
> 12.2(52)SE.
>
> Thank you,
> Christina
>
>> Message: 9
>> Date: Wed, 13 Jul 2011 13:59:28 +0100
>> From: Alexander Clouter <a...@digriz.org.uk>
>> To: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] Cat4500 High CPU with Multicast Stream
>> Message-ID: <geh0f8-ujm....@chipmunk.wormnet.eu>
>>
>> Antonio Soares <amsoa...@netcabo.pt> wrote:
>>>
>>> I have a customer with a few 3560/3750's and one 4500/SUP5 acting as the
>>> core switch.
>>>
>>> For some reason, when a user starts one multicast stream, the 4500 suffers
>>> high cpu utilization and the network is affected. Only the 4500 suffers from
>>> this problem, the 3560/3750's don't have any complaints.
>>>
>>> I see that the 4500 is a CEF based platform and I know that IP Multicast is
>>> not supported in the CEF path. So I was expecting to have this traffic
>>> switched in hardware or fast-switched. But a packet capture shows me that
>>> the traffic goes to the cpu. I used this debug and output to confirm this:
>>>
>>> debug platform packet all receive buffer
>>>
>>> show platform cpu packet buffered
>>>
>>> The processes that eat most of the cpu are "Cat4k Mgmt LoPri" and "Cat4k
>>> Mgmt HiPri". We thought this could be a bug and we upgraded the 4500 to the
>>> latest release but the problem is exactly the same. The multicast stream is
>>> processed by the cpu.
>>>
>>> Has anyone seen this before ? Is this normal behavior of the 4500 ?
>>>
>>> Usually the multicast streams are destined to 224.x.x.x. The end users do
>>> not respect the 239 rule.
>>>
>>>
>> Sounds like the following might help:
>>
>> http://www.gossamer-threads.com/lists/cisco/nsp/128799?do=post_view_threaded
>>
>> It's the following lines you might need:
>> ----
>> mls rate-limit multicast ipv4 non-rpf 100 10
>> mls rate-limit multicast ipv4 partial 250 100
>> ----
>>
>> Or something similar to them.
>>
>> Cheers
>>
>> --
>> Alexander Clouter
>> .sigmonster says: I'm not tense, just terribly, terribly alert!
>>
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

Christina Klam
Network Administrator
Institute for Advanced Study
Einstein Drive
Princeton, NJ 08540
Email: ck...@ias.edu
Telephone: 609-734-8154
Fax: 609-951-4418
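As an added illustration (not code from the thread or from any of its posters), a small Python check that models the pattern Christina describes: UDP from a source outside RFC 1918 space into the 224.0.0.0/4 range that the Rate_Multicast ACL matches with the wildcard 15.255.255.255. It converts an IOS address/wildcard pair into a prefix and flags high-rate multicast flows in constructed flow records; the record layout, the public source address and the packet-rate threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def wildcard_to_network(addr, wildcard):
    """Turn an IOS ACL pair such as '224.0.0.0 15.255.255.255' into a prefix.
    A wildcard bit of 1 means 'don't care', so the mask must be a contiguous
    run of low-order ones for a single prefix to describe it."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

MULTICAST = wildcard_to_network("224.0.0.0", "15.255.255.255")  # 224.0.0.0/4

def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)

def find_public_multicast_floods(flows, pps_threshold=10000):
    """flows: (second, src, dst, proto, dport, packets) records (assumed layout).
    Return sorted (src, dst, dport, peak_pps) for UDP flows into 224/4 whose
    source is outside RFC 1918 space and whose peak per-second packet count
    exceeds pps_threshold."""
    per_second = defaultdict(int)
    for sec, src, dst, proto, dport, pkts in flows:
        if proto != "udp" or ipaddress.ip_address(dst) not in MULTICAST:
            continue
        if is_rfc1918(src):
            continue  # internal source: not the pattern described in the thread
        per_second[(src, dst, dport, sec)] += pkts
    peak = defaultdict(int)
    for (src, dst, dport, _sec), pkts in per_second.items():
        peak[(src, dst, dport)] = max(peak[(src, dst, dport)], pkts)
    return sorted((s, d, p, pps) for (s, d, p), pps in peak.items() if pps > pps_threshold)

# Constructed sample records (not from the thread): a public source streaming
# to a 224/4 group on UDP 7777, a normal internal imaging stream and a TCP flow.
SAMPLE_FLOWS = [
    (0, "203.0.113.23", "224.77.227.139", "udp", 7777, 48000),
    (0, "10.1.2.3", "239.1.1.1", "udp", 5004, 900),
    (0, "10.1.2.9", "10.1.2.1", "tcp", 443, 200),
    (1, "203.0.113.23", "224.77.227.139", "udp", 7777, 52000),
    (1, "10.1.2.3", "239.1.1.1", "udp", 5004, 950),
]

if __name__ == "__main__":
    for src, dst, dport, pps in find_public_multicast_floods(SAMPLE_FLOWS):
        print(f"ALERT multicast flood from public source {src} -> {dst}:{dport} peak {pps} pps")
```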