What interfaces do you have? Remember that 1% of 10GB is 100Mbps which is enough to kill the switch CPU.

Also in your QoS config, be careful because the UDP Class takes precedence over the Multicast Class. So maybe you are not policing as you like. You should change the order: first the Multicast Class, then the UDP Class.

policy-map POLICY_RATE
 class CLASS_UDP
  police 5000000 375000 exceed-action drop
 class CLASS_Multicast_ICMP
  police 50000 62500 exceed-action drop
 class class-default
  police 1000000000 1000000 exceed-action drop
!

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


From: Christina Klam [mailto:ck...@ias.edu]
Sent: Thursday, 14 July 2011 18:13
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cat4500 High CPU with Multicast Stream

Antonio,

What happened was someone tried to Ghost using a public IP (non RFC-1918 address), server = 198.138.242.23 to ghost address = udp: 224.77.227.139:7777. When that traffic hit my switch outside of my LAN's gateway router, it flooded it with UDP traffic causing a DoS situation.

"Protection" that existed but failed to protect us:

ip igmp limit 1

All interfaces have:

storm-control broadcast level 9.00
storm-control multicast level 1.00
storm-control unicast level 90.00

And uplinks have "switchport block multicast".

Additional protections that I added after the fact:

class-map match-any CLASS_Multicast_ICMP
 match access-group name Rate_Multicast
 match access-group name Rate_ICMP
class-map match-any CLASS_UDP
 match access-group name Rate_UDP

policy-map POLICY_RATE
 class CLASS_UDP
  police 5000000 375000 exceed-action drop
 class CLASS_Multicast_ICMP
  police 50000 62500 exceed-action drop
 class class-default
  police 1000000000 1000000 exceed-action drop
!
ip access-list extended Rate_ICMP
 permit icmp any any
ip access-list extended Rate_Multicast
 permit ip any 224.0.0.0 15.255.255.255
Extended IP access list Rate_UDP
    10 permit udp any any

Regards,
Christina


On Jul 13, 2011, at 4:23 PM, Antonio Soares wrote:

What is the address range used by ghost? I've heard that ghost can kill a network. But if it is not using the 224.0.0.0/24 range and you have at least "ip igmp snooping" on every switch, I don't see how this could affect the network.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Christina Klam
Sent: Wednesday, 13 July 2011 15:11
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cat4500 High CPU with Multicast Stream

I have the same CPU problem but on a 3750. How would I add a similar rate-limit for our ghost traffic? That command does not work on 12.2(52)SE.

Thank you,
Christina


Message: 9
Date: Wed, 13 Jul 2011 13:59:28 +0100
From: Alexander Clouter <a...@digriz.org.uk>
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cat4500 High CPU with Multicast Stream
Message-ID: <geh0f8-ujm....@chipmunk.wormnet.eu>

Antonio Soares <amsoa...@netcabo.pt> wrote:

I have a customer with a few 3560/3750's and one 4500/SUP5 acting as the core switch. For some reason, when a user starts one multicast stream, the 4500 suffers high CPU utilization and the network is affected. Only the 4500 suffers from this problem; the 3560/3750's don't have any complaints. I see that the 4500 is a CEF based platform and I know that IP Multicast is not supported in the CEF path. So I was expecting to have this traffic switched in hardware or fast-switched. But a packet capture shows me that the traffic goes to the CPU.
I used this debug and output to confirm this:

debug platform packet all receive buffer
show platform cpu packet buffered

The processes that eat most of the CPU are "Cat4k Mgmt LoPri" and "Cat4k Mgmt HiPri". We thought this could be a bug and we upgraded the 4500 to the latest release, but the problem is exactly the same. The multicast stream is processed by the CPU. Has anyone seen this before? Is this normal behavior of the 4500? Usually the multicast streams are destined to 224.x.x.x. The end users do not respect the 239 rule.

Sounds like the following might help:

http://www.gossamer-threads.com/lists/cisco/nsp/128799?do=post_view_threaded

It's the following lines you might need:

----
mls rate-limit multicast ipv4 non-rpf 100 10
mls rate-limit multicast ipv4 partial 250 100
----

Or something similar to them.

Cheers

--
Alexander Clouter
.sigmonster says: I'm not tense, just terribly, terribly alert!

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Christina Klam
Network Administrator
Institute for Advanced Study
Einstein Drive
Princeton, NJ 08540
Email: ck...@ias.edu
Telephone: 609-734-8154
Fax: 609-951-4418
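The class-ordering point Antonio raises at the top of this thread is worth seeing in code. IOS MQC evaluates the classes of a policy-map in configured order and applies the first one whose class-map matches, so a multicast UDP stream like the Ghost traffic (udp to 224.77.227.139:7777) is caught by CLASS_UDP and policed at 5 Mbps, never reaching the 50 kbps policer in CLASS_Multicast_ICMP. The following Python model is an added example, not code from the thread or from Cisco; it reduces the three ACLs to predicates, treats `police <bps> <burst-bytes>` as a single token bucket with the burst as bucket depth (a simplification of the real policer), and sends a constructed 100 Mbps multicast UDP stream through the policy-map as posted and then with the two classes swapped.

```python
"""Model of first-match MQC classification plus a single-bucket policer.

Added example, not from the cisco-nsp thread or from Cisco. ACL semantics,
policer behaviour and the traffic stream below are simplified/constructed.
"""
import ipaddress
from dataclasses import dataclass

# 'permit ip any 224.0.0.0 15.255.255.255' is the whole class D range.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    dst: str            # destination IPv4 address
    size: int = 1400    # bytes (constructed)


# The three named ACLs from the thread, as match predicates (simplified).
ACLS = {
    "Rate_ICMP": lambda p: p.proto == "icmp",
    "Rate_Multicast": lambda p: ipaddress.ip_address(p.dst) in MULTICAST,
    "Rate_UDP": lambda p: p.proto == "udp",
}

# class-map match-any: any listed ACL matching selects the class.
CLASS_MAPS = {
    "CLASS_Multicast_ICMP": ["Rate_Multicast", "Rate_ICMP"],
    "CLASS_UDP": ["Rate_UDP"],
}

# policy-map entries in configured order: (class, police bps, burst bytes).
POLICY_AS_POSTED = [
    ("CLASS_UDP", 5_000_000, 375_000),
    ("CLASS_Multicast_ICMP", 50_000, 62_500),
    ("class-default", 1_000_000_000, 1_000_000),
]
# Antonio's suggested order: multicast/ICMP class first.
POLICY_REORDERED = [POLICY_AS_POSTED[1], POLICY_AS_POSTED[0], POLICY_AS_POSTED[2]]


def classify(packet, policy):
    """Return (class, rate_bps, burst_bytes) of the FIRST matching class."""
    for cls, rate, burst in policy:
        if cls == "class-default":
            return cls, rate, burst
        if any(ACLS[acl](packet) for acl in CLASS_MAPS[cls]):
            return cls, rate, burst
    raise ValueError("policy-map has no class-default")


class SingleRatePolicer:
    """Token bucket: refill at rate bytes/s, depth = burst bytes.
    Packets larger than the available tokens are dropped (exceed-action drop).
    This is a simplification of the IOS policer, assumed for the example."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0       # bytes per second
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def offer(self, size, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def simulate(policy, pps=9000, size=1400, seconds=1.0, proto="udp",
             dst="224.77.227.139"):
    """Push a constant stream (default: the Ghost multicast UDP stream,
    ~100 Mbps) through the policy; return (class applied, forwarded bps)."""
    pkt = Packet(proto, dst, size)
    cls, rate, burst = classify(pkt, policy)
    policer = SingleRatePolicer(rate, burst)
    forwarded_bytes = 0
    for i in range(int(pps * seconds)):
        if policer.offer(pkt.size, i / pps):
            forwarded_bytes += pkt.size
    return cls, forwarded_bytes * 8 / seconds


if __name__ == "__main__":
    for name, policy in (("as posted", POLICY_AS_POSTED),
                         ("reordered", POLICY_REORDERED)):
        cls, bps = simulate(policy)
        print(f"{name:9s}: Ghost stream hit {cls}, ~{bps/1e6:.2f} Mbps forwarded")
```

With the policy as posted the stream is policed by CLASS_UDP (roughly 8 Mbps gets through in the first second, the 375 kB burst plus the 5 Mbps rate); with the multicast class first it is held to a few hundred kbps. Unicast UDP still lands in CLASS_UDP and ICMP in CLASS_Multicast_ICMP under either order, so only the overlapping multicast-UDP case changes.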