Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface

2012-01-01 Thread Joe Provo
On Sat, Dec 31, 2011 at 09:33:19PM -0800, Eric Rosenberry wrote:
> I am scratching my head here wondering if I have run into a Cisco bug, or
> somehow intended weird behavior...

Bug. I encountered fewer of them with foo.0/32 than foo.255/32, but
it's an uphill battle to get them to DTRT.

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface

2012-01-01 Thread Jon Lewis

On Sun, 1 Jan 2012, Mikael Abrahamsson wrote:

> On Sun, 1 Jan 2012, Mohamed Touré wrote:
>
>> For "security reasons" (Smurf attacks ...) IP packets with destination of
>> classful broadcast may be filtered by your upstream security devices if
>> any.
>
> There were none of those involved in this.


Having seen IOS versions that refused to forward traffic for .255 
destinations, when the .255 was in the IGP as a /32 (even with ip 
classless in the config), I've since avoided using .0 or .255 addresses. 
It seems classful routing may be dead, but not entirely forgotten.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
 http://www.lewis.org/~jlewis/pgp for PGP public key

Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface

2012-01-01 Thread Mikael Abrahamsson

On Sun, 1 Jan 2012, Mohamed Touré wrote:

> For "security reasons" (Smurf attacks ...) IP packets with destination
> of classful broadcast may be filtered by your upstream security devices
> if any.

There were none of those involved in this.

--
Mikael Abrahamsson    email: swm...@swm.pp.se

Re: [c-nsp] Interpreting DOM outputs

2012-01-01 Thread Gert Doering
Hi,

On Sat, Dec 31, 2011 at 06:10:52PM +0100, Robert Hass wrote:
> But I'm still unsure regarding my questions of understanding:
> 
> Tx Power '-4.9' better/stronger than '-6.9'
> Rx Power '-9.6' is better/stronger than '-11.2'
> 
> My above understanding is correct or incorrect ?

Correct.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany    g...@greenie.muc.de
fax: +49-89-35655025              g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface

2012-01-01 Thread Ian Henderson
On 01/01/2012, at 4:33 PM, Eric Rosenberry wrote:

> When pinging the loopback IP's of these devices from the Internet, one
> responds as expected (from the IP of the loopback), and the other (.255)
> responds from a *different* IP address (one of its interface IPs rather
> than the loopback IP).

Yep, ran into this one a few years ago. It's not just ping, SNMP does it too. 
TAC support request tool is offline at the moment, so I can't look up the bug 
ID, but we eventually just made a rule to never use .255/32 for loopbacks 
(along with .0/31 and .254/31 to avoid Windows users complaining about failed 
traceroutes…).

Rgds,



- I.


Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface

2012-01-01 Thread Mohamed Touré
Hi

For "security reasons" (Smurf attacks ...) IP packets with destination of
classful broadcast may be filtered by your upstream security devices if
any.

Mohamed


On 1 January 2012 10:05, Mikael Abrahamsson wrote:

> On Sat, 31 Dec 2011, Eric Rosenberry wrote:
>
>> Under that logic, the .254 IP on the other router is also the broadcast
>> address since it is in a /32 subnet as well...
>
> For laughs I tried to use the highest and lowest address of a class B
> network as loopback addresses. Some stuff will not work if you choose the
> highest or lowest address of a classful network, in your case class C.
>
> Either you start logging cases against this so they fix the code, or if
> you value your time, don't use these addresses (.0.0 and .255.255 on
> 128.0.0.0-191.255.255.255 and .0 and .255 of 192.0.0.0-223.255.255.255).
>
> I would imagine the same problem exists with .0.0.0 and .255.255.255 in
> class A space.



-- 
Mohamed Touré
06 38 62 99 07


Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface

2012-01-01 Thread Mikael Abrahamsson

On Sat, 31 Dec 2011, Eric Rosenberry wrote:

> Under that logic, the .254 IP on the other router is also the broadcast
> address since it is in a /32 subnet as well...


For laughs I tried to use the highest and lowest address of a class B 
network as loopback addresses. Some stuff will not work if you choose the 
highest or lowest address of a classful network, in your case class C.


Either you start logging cases against this so they fix the code, or if 
you value your time, don't use these addresses (.0.0 and .255.255 on 
128.0.0.0-191.255.255.255 and .0 and .255 of 192.0.0.0-223.255.255.255).


I would imagine the same problem exists with .0.0.0 and .255.255.255 in 
class A space.


--
Mikael Abrahamsson    email: swm...@swm.pp.se
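
The rule of thumb in the message above (keep loopbacks off the lowest and highest address of a classful network) written as a config check. This is an added example, not part of the original post; the class A first-octet range, the IOS-style sample config and every address in it are constructed assumptions.

```python
import ipaddress
import re

# (first-octet low, high, classful prefix length, class). B and C are the ranges
# quoted in the message; class A (1-126) is an assumption added for completeness.
CLASSFUL = ((1, 126, 8, "A"), (128, 191, 16, "B"), (192, 223, 24, "C"))

def classful_edge(addr):
    """Return (class, 'lowest'|'highest') if addr is the first or last address
    of its classful network, otherwise None."""
    ip = ipaddress.IPv4Address(addr)
    for lo, hi, plen, name in CLASSFUL:
        if lo <= (int(ip) >> 24) <= hi:
            net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            if ip == net.network_address:
                return (name, "lowest")
            if ip == net.broadcast_address:
                return (name, "highest")
    return None

LOOPBACK_RE = re.compile(r"^interface (Loopback\d+)\s*$")
ADDR_RE = re.compile(r"^\s+ip address (\S+) 255\.255\.255\.255\s*$")

def audit_loopbacks(config_text):
    """Return [(interface, address, class, edge)] for /32 loopbacks that sit
    on a classful network or broadcast address."""
    findings, current = [], None
    for line in config_text.splitlines():
        m = LOOPBACK_RE.match(line)
        if m:
            current = m.group(1)
        elif line.startswith("interface "):
            current = None  # left the loopback stanza
        elif current and (a := ADDR_RE.match(line)):
            edge = classful_edge(a.group(1))
            if edge:
                findings.append((current, a.group(1)) + edge)
    return findings

# Constructed sample config; addresses are illustrative, not from the thread.
SAMPLE = """\
interface Loopback0
 ip address 192.0.2.255 255.255.255.255
interface Loopback1
 ip address 192.0.2.254 255.255.255.255
interface Loopback2
 ip address 172.16.0.255 255.255.255.255
interface Loopback3
 ip address 172.16.255.255 255.255.255.255
"""
print(audit_loopbacks(SAMPLE))
```

Loopback2 passes because 172.16.0.255 is an ordinary host address inside a class B network; a stricter policy that rejects every .0 and .255, as other posters in the thread adopted, would flag it too.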


Re: [c-nsp] Cisco 7609-S - RSP SUP 720 3CXL - show ibc - high packets

2012-01-01 Thread Saku Ytti
On (2011-12-31 16:21 -0800), Josh Coleman wrote:

> I already used the debug NETDR and the packets are hitting the cpu but it's
> a variety from all the customers with different source / destinations.
> There is already the mls rate limits and I have done the show
> spanning-tree for unstable in case of layer2 loops.

When encountering this type of issue, pick one unwanted packet from
software and focus on it, it'll probably fix others too. Not seeing your
unwanted packets it's pretty impossible to suggest what might be wrong.

Perhaps you have rotten adjacencies in MLS or missing completely and
packets are hitting software for ICMP generation, but software works just
fine.
So look at packet, check its mls entries and adjacencies from each pfc/dfc,
ELAM capture to see which index it's hitting etc

> mls rate-limit unicast cef receive 1 60

This is possibly the worst thing you can configure to protect your router; it
is essentially a downgrade of the CPU, as it starts dropping packets
indiscriminately earlier, as if you had less power to process them.

-- 
  ++ytti