Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Lukas Tribus
> I've been testing workarounds based upon filtering the incoming MLD
> query, on a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco
> 6500 w. SUP720-3B running 15.1(2)SY).

Control Plane Policing is probably the way to address this (in case MLD
cannot be properly disabled, I mean).



> Bizarrely, one way of making the 6500 stop responding to MLD queries
> seems to be to send 3000 pps of queries towards it for about 100 seconds,
> around which point it will stop responding to any more until a chassis reload.

Huh, that is a very ciscoesque way to work around this. Don't tell 'em; they
may document this "workaround" ;)


cheers,
lukas
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Enno Rey
Hi,

On Wed, Jan 25, 2017 at 06:35:19PM +, James A. T. Rice wrote:
> Hi Folks,
> 
> I'm trying to gather information on how to disable MLD reports for various 
> Cisco devices in use at IXPs - where MLD queries and reports are often both 
> prohibited traffic.
> 
> There doesn't seem to be a configuration line to disable replying to MLD 
> queries with MLD reports.

From the top of my head "no ipv6 mld join-group" should achieve that (whereas 
"no ipv6 mld router" disables the querier side of things).
Have you tried that (the former)?

A while ago a bunch of guys (incl. myself) tried to suggest an "RA guard" 
similar thing called "MLD guard" but the draft never gained much ground. [see 
https://www.ietf.org/archive/id/draft-vyncke-pim-mld-security-01.txt]
So an ACL like the one you suggested below actually is the best/only way to go 
when it comes to filtering.

best

Enno



> 
> I've been testing workarounds based upon filtering the incoming MLD query, on 
> a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco 6500 w. SUP720-3B 
> running 15.1(2)SY).
> 
> Using the following ACL:
> 
> ipv6 access-list v6-denymldquery-in
> deny icmp any host ff02::1 mld-query
> permit ipv6 any any
> interface 
> ipv6 traffic-filter v6-denymldquery-in in
> 
> works on both the 4500 and 6500, when applied to the SVI/L3 interface.
> However, on the 4500 when applied to the SVI/L3 interface this gets processed 
> in CPU. It's better to use an SVI, and have the ACL applied on the L2 port, 
> or in a VLAN map, in which case the traffic is filtered in hardware.
> Conversely, on the 6500, it appears better to not use an SVI, since with a L3 
> port the SP CPU isn't hit. I've not found a way to filter the traffic such 
> that it doesn't hit the RP CPU.
> Configuration lines from after write erase, reload, for each test case, are 
> in the attached file, in case anyone would like to repeat this.
> 
>                           [a] SVI/L3 ACL         [b] L2 port ACL   [c] VLAN map ACL
> (each cell: prevents MLD responses / cpu@3kpps)
> [1] 4500 L3 port          yes / 60%cpu           n/a               no
> [2] 4500 SVI + L2 access  yes / 60%cpu           yes / 0%cpu       yes / 0%cpu
> [3] 4500 SVI + L2 trunk   yes / 60%cpu           yes / 0%cpu       yes / 0%cpu
> [4] 6500 L3 port          yes / 20%rp 0%sp       n/a               n/a
> [5] 6500 SVI + L2 access  yes / 20%rp 40%sp      no                no
> [6] 6500 SVI + L3 trunk   yes / 20%rp 40%sp      no                no
> 
> 
> Does anyone have any better configurations for blocking MLD queries (i.e. on 
> the 6500 is there a way to make it process the ACL in HW, thus not affect RP 
> or the SP CPU)?
> 
> Does anyone have any configurations for the best way of stopping MLD 
> responses on other platforms, and whether it's possible for these to be 
> applied entirely in hardware? I don't have any more platforms to test on, but 
> ASR1K/ASR9K both seem to be popular peering platforms, and 7201 isn't unheard 
> of.
> 
> Bizarrely, one way of making the 6500 stop responding to MLD queries seems to 
> be to send 3000 pps of queries towards it for about 100 seconds, around which 
> point it will stop responding to any more until a chassis reload.
> 
> Thanks
> James Rice
> Jump Networks Ltd.

> [1] 4500 with L3 port
> ipv6 unicast-routing
> int g1/48
>  no switchport
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no cdp enable
> [1.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/48
>  ipv6 traffic-filter v6-denymldquery-in in
> [1.c]
> do show vlan internal usage
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1006
> 
> [2] 4500 with SVI + access port
> ipv6
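
An added example (mine, not from the thread or from Cisco) that models James's quoted ACL offline in Python: it parses constructed IPv6/ICMPv6 packets, walking the Hop-by-Hop Router Alert header that MLD queries normally carry, and reports which packets `deny icmp any host ff02::1 mld-query` would catch; the function and sample names are assumptions. It also shows that the ACL, matching only `host ff02::1`, does not cover group-specific queries sent to the group address.

```python
import ipaddress
import struct

ICMPV6, HOP_BY_HOP = 58, 0
MLD_QUERY = 130                      # ICMPv6 type shared by MLDv1 and MLDv2 queries
ALL_NODES = ipaddress.IPv6Address("ff02::1")

def parse_ipv6(pkt: bytes):
    """Return (src, dst, upper-layer next header, payload) after skipping Hop-by-Hop,
    Routing and Destination Options headers (RFC 8200). MLD queries normally carry a
    Hop-by-Hop Router Alert in front of ICMPv6, so reading only byte 6 misses them."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    while nh in (0, 43, 60):         # each begins with (next header, length in 8-octet units - 1)
        if len(pkt) < off + 2:
            raise ValueError("truncated extension header")
        nh, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 1) * 8
    return src, dst, nh, pkt[off:]

def acl_v6_denymldquery_in(pkt: bytes) -> str:
    """Model of the quoted two-line ACL; returns 'deny' or 'permit'."""
    _src, dst, nh, payload = parse_ipv6(pkt)
    if nh == ICMPV6 and dst == ALL_NODES and payload[:1] == bytes([MLD_QUERY]):
        return "deny"                # deny icmp any host ff02::1 mld-query
    return "permit"                  # permit ipv6 any any

def build_v6(src: str, dst: str, icmp_type: int, body: bytes, router_alert: bool) -> bytes:
    """Constructed ICMPv6-over-IPv6 test packet; checksum left zero (the ACL ignores it)."""
    payload, nh = bytes([icmp_type, 0, 0, 0]) + body, ICMPV6
    if router_alert:                 # HBH: next hdr, ext len 0, Router Alert (type 5, value 0 = MLD), PadN
        payload, nh = bytes([nh, 0, 5, 2, 0, 0, 1, 0]) + payload, HOP_BY_HOP
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nh, 1)          # version 6, hop limit 1
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

# Constructed samples from a link-local source; MLD body = max response delay, reserved, group
GROUP = ipaddress.IPv6Address("ff05::1234").packed
SAMPLES = {
    "general query":        build_v6("fe80::1", "ff02::1", MLD_QUERY, b"\x27\x10\x00\x00" + b"\x00" * 16, True),
    "group-specific query": build_v6("fe80::1", "ff05::1234", MLD_QUERY, b"\x27\x10\x00\x00" + GROUP, True),
    "MLDv2 report":         build_v6("fe80::1", "ff02::16", 143, b"\x00" * 4, True),
    "echo request":         build_v6("fe80::1", "ff02::1", 128, b"\x00" * 4, False),
}

def verdicts() -> dict:
    """Run every sample through the ACL model; only the general query is denied."""
    return {name: acl_v6_denymldquery_in(pkt) for name, pkt in SAMPLES.items()}
```

Calling `verdicts()` returns the per-sample result; the constructed packets are only built in memory and never transmitted.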

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Phil Mayers

On 26/01/17 08:18, Lukas Tribus wrote:
>> I've been testing workarounds based upon filtering the incoming MLD
>> query, on a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco
>> 6500 w. SUP720-3B running 15.1(2)SY).
>
> Control Plane Policing is probably the way to address this (in case MLD
> cannot be properly disabled, I mean).

Worth noting that CoPP on sup720 is done in software for multicast and 
broadcast. I assume it'll come before MLD processing so would stop the 
queries arriving and thus replies being sent, but worth testing.


Although this is not the use-case OP has, we have tried and failed to 
protect a sup720 from an MLD storm with CoPP. The puny CPU and software 
CoPP just didn't help.



Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Saku Ytti
On 26 January 2017 at 13:54, Phil Mayers  wrote:

Hey,

> Worth noting that CoPP on sup720 is done in software for multicast and
> broadcast. I assume it'll come before MLD processing so would stop the
> queries arriving and thus replies being sent, but worth testing.
>
> Although this is not the use-case OP has, we have tried and failed to
> protect a sup720 from an MLD storm with CoPP. The puny CPU and software CoPP
> just didn't help.

If you do not allow MCAST on CoPP, you will software process. If you
allow MCAST in CoPP and MLS rate-limit, you can drop them in HW.

-- 
  ++ytti


Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Phil Mayers

On 26/01/2017 16:08, Saku Ytti wrote:
> On 26 January 2017 at 13:54, Phil Mayers wrote:
>
> Hey,
>
>> Worth noting that CoPP on sup720 is done in software for multicast and
>> broadcast. I assume it'll come before MLD processing so would stop the
>> queries arriving and thus replies being sent, but worth testing.
>>
>> Although this is not the use-case OP has, we have tried and failed to
>> protect a sup720 from an MLD storm with CoPP. The puny CPU and software CoPP
>> just didn't help.
>
> If you do not allow MCAST on CoPP, you will software process. If you
> allow MCAST in CoPP and MLS rate-limit, you can drop them in HW.

Box-wide though, right? No way to only do this on the IXP interface with 
MLS RL.



Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Saku Ytti
On 26 January 2017 at 18:41, Phil Mayers  wrote:

> Box-wide though, right? No way to only do this on the IXP interface with MLS
> RL.

Unfortunately no. I guess per DFC should be possible, unsure if it's supported.

-- 
  ++ytti


[c-nsp] Nexus 93108TC-EX Breakout Support

2017-01-26 Thread Nick Cutting
This is the second generation 10 gig copper leaf switch with 100 gig uplinks.
The first generation did not support 40 gig x 10 SFP+ breakouts on the uplinks.

I believe this Generation 2 version does - (you can run the 100's at 40, and 
the 40's should support breakouts)

I have looked at the switch documentation - which points to the 9k breakout 
document - which DOES not include the generation 2 EX switches.
So I cannot find any doc that says it is supported - including the cisco live 
PDF's.

Any insight would be greatly appreciated.

Nick



[c-nsp] Cisco 6500 with SIP-400 ?

2017-01-26 Thread Olivier CALVANO
Hi

I have installed a 7600-SIP-400 into a 6500 with SUP720-3BXL; the router
sees the SIP card:

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAD100100AU
  2     0 4-subslot SPA Interface Processor-400  7600-SIP-400       SAL1544U24H
  3    16 SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAD060303M0


but for the SPA:

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ------------ ------ -------
  1  Policy Feature Card 3       WS-F6K-PFC3BXL     SAD094606KV  1.6    Ok
  1  MSFC3 Daughterboard         WS-SUP720          SAD095205RF  2.3    Ok
  2/0 2xGE SPA                   SPA-2X1GE-V2       SAL1925HGJ0  1.2    OutSrvc

Can anyone say why we have an "OutSrvc" status?


We have added this card to support PPPoE/VPDN; does anyone use this card for
that?


thanks
Olivier


Re: [c-nsp] Nexus 93108TC-EX Breakout Support

2017-01-26 Thread Tim Stevenson

Hi Nick, please see inline below:


At 02:47 PM 1/26/2017 Thursday, Nick Cutting quipped:
> This is the second generation 10 gig copper leaf switch with 100 gig uplinks.
> The first generation did not support 40 gig x 10 SFP+ breakouts on
> the uplinks.
>
> I believe this Generation 2 version does - (you can run the 100's at
> 40, and the 40's should support breakouts)
>
> I have looked at the switch documentation - which points to the 9k
> breakout document - which DOES not include the generation 2 EX switches.
> So I cannot find any doc that says it is supported - including the
> cisco live PDF's.
>
> Any insight would be greatly appreciated.

It is supported:

93108tc-ex-1# sh mod 1 | eg TC
154   48x10GT + 6x40G/100G Ethernet Module  N9K-C93108TC-EX   active
93108tc-ex-1# sh ver | eg NXOS:
  NXOS: version 7.0(3)I5(1)
93108tc-ex-1# sh int e1/49-54 cap | eg -i ^eth|break|speed
Ethernet1/49
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
Ethernet1/50
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
Ethernet1/51
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
Ethernet1/52
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
Ethernet1/53
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
Ethernet1/54
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
93108tc-ex-1#

You can find that (buried) in the NXOS release notes here:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/release/notes/70342_nxos_rn.html

Search for "breakout cable".

Hope that helps,
Tim





Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Engineer, Technical Marketing
Data Center Switching
Cisco - http://www.cisco.com
+1(408)526-6759



Re: [c-nsp] Cisco 6500 with SIP-400 ?

2017-01-26 Thread Gert Doering
Hi,

On Fri, Jan 27, 2017 at 01:12:07AM +0100, Olivier CALVANO wrote:
> anyone can why we have a "OutSrvc" status ?

I'd expect the router to log something at card insertion time that
clarifies why it isn't liking the SPA - hardware revision, wrong
software version (no _wan?), etc.


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de

