From: Weidong Xiao (Weidong.Xiao@vi.net)
Date: Fri Feb 28 2003 - 07:07:35 GMT-3
Our 6509 IOS has been upgraded from 12.1(2)E to 12.1(13)E4. The CPU usage is much better now, and I can issue "ip route TARGET-IP 255.255.255.255 Null 0" or turn on strict filtering without fear. Thanks for all the replies.
I sent an email to NANOG yesterday without success. I'd like to post it here; any reply will be appreciated.
"One of our servers is being DoS attacked by a flood of 100Mb/s. Most of the traffic has a spoofed source IP, like 192.168.0.0 or others in the Bogon list.
I can block this kind of traffic at our border router, but the router's CPU usage will become high.
I asked our upstream provider to stop sending traffic like that to us. Action hasn't been taken. My question is, do they have the obligation to do that if I've asked them? Is that their duty?"
Thanks,
Weidong
> -----Original Message-----
> From: Weidong Xiao
> Sent: 25 February 2003 17:05
> To: Chuck Church; ccielab@groupstudy.com
> Subject: RE: cpu usuage high
>
>
> Thanks Chuck, you are always helpful.
>
> To offload the 6509, I issued "ip route TARGET-IP
> 255.255.255.255 Null 0", and the CPU usage immediately
> increased by 25%. When I took that off, the CPU usage
> immediately dropped. I should be able to draw the conclusion
> that something must be wrong in the IOS. I have scheduled time to
> upgrade and I'll let you know the result.
>
> Cheers,
> Weidong
>
>
>
> > -----Original Message-----
> > From: Chuck Church [mailto:ccie8776@rochester.rr.com]
> > Sent: 24 February 2003 19:22
> > To: Weidong Xiao; ccielab@groupstudy.com
> > Subject: Re: cpu usuage high
> >
> >
> > It's a long shot, but you might want to try a newer IOS. I know
> > there were some performance problems with buffers on some of the
> > 12.1.8 or so versions. Don't know if the problem existed in
> > 12.1.2E. Might want to try 12.1.13Ex. It'll add the luxury of
> > NBAR as well, in case you need that down the road.
> >
> > Chuck Church
> > CCIE #8776, MCNE, MCSE
> >
> >
> > ----- Original Message -----
> > From: "Weidong Xiao" <Weidong.Xiao@vi.net>
> > To: <ccielab@groupstudy.com>
> > Sent: Monday, February 24, 2003 9:33 AM
> > Subject: RE: cpu usuage high
> >
> >
> > > Thanks.
> > >
> > > "sh ip bgp flap-statistics" shows nothing. The BGP connection is
> > > pretty stable. I used the bogon BGP template as well. The
> > > interface didn't flap. The high CPU usage happened when incoming
> > > traffic suddenly increased. Logs show most of the traffic goes
> > > to the target.
> > >
> > > br1.rtr#sh ver
> > > Cisco Internetwork Operating System Software
> > > IOS (tm) MSFC2 Software (C6MSFC2-IS-M), Version 12.1(2)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> > >
> > > br1.rtr#sh run
> > > ...
> > > interface Null0
> > > no ip unreachables
> > > ...
> > >
> > > > -----Original Message-----
> > > > From: Nawaz, Ajaz [mailto:Ajaz.Nawaz@bskyb.com]
> > > > Sent: 24 February 2003 11:24
> > > > To: 'Tony Huang'; Weidong Xiao; ccielab@groupstudy.com
> > > > Subject: RE: cpu usuage high
> > > >
> > > >
> > > >
> > > > This has nothing to do with Spantree whatsoever - the issues
> > > > highlighted are related to router processes pointed out by
> > > > Weidong Xiao below. They are IP Input and BGP Scanner.
> > > >
> > > > There is not enough information to say exactly what may be
> > > > causing this but it could be a bug or something like BGP flap.
> > > > We need to see output from show ver and config too for
> > > > starters. If you see it again use show ip bgp flap-statistics.
> > > > Does the high CPU follow an interface flap?
> > > >
> > > >
> > > > ajaz
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Tony Huang [mailto:tonyh5@hotmail.com]
> > > > Sent: 24 February 2003 02:00
> > > > To: Weidong Xiao; ccielab@groupstudy.com
> > > > Subject: Re: cpu usuage high
> > > >
> > > >
> > > > Hi,
> > > > I think the frequent change of network status could cause
> > > > the high CPU usage because the switch needs to run spantree
> > > > times. By issuing sh spantree statistics, you should be able
> > > > to see which port has incurred the change. You can find this
> > > > by looking at the column: topology change last recvd. from.
> > > > From there, you can keep tracing the source of problems.
> > > > Hope it helps,
> > > >
> > > > Cheers,
> > > >
> > > > Tony
> > > >
> > > > ----- Original Message -----
> > > > From: "Weidong Xiao" <Weidong.Xiao@vi.net>
> > > > To: <ccielab@groupstudy.com>
> > > > Sent: Monday, February 24, 2003 9:34 AM
> > > > Subject: cpu usuage high
> > > >
> > > >
> > > > > Hi Group,
> > > > >
> > > > > A cat6509 is receiving about 30Mb/s traffic from the
> > > > > Internet. Normally the CPU usage is under 10%. But for the
> > > > > last couple of hours it's like below. I am wondering what
> > > > > kind of traffic can be so 'powerful', and what does pid 19
> > > > > (see below) mean. Can anyone shed some light?
> > > > >
> > > > > Thanks very much,
> > > > > Weidong
> > > > >
> > > > >
> > > > > br1.rtr#sh proc cpu
> > > > > CPU utilization for five seconds: 48%/32%; one minute: 64%; five minutes: 65%
> > > > > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> > > > > ....
> > > > > 19 42728104 184864569 231 16.54% 19.07% 19.36% 0 IP Input
> > > > > ....
> > > > > 66 175270476 1282394 136677 0.00% 1.39% 1.94% 0 BGP Scanner
> > > >
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:39 GMT-3
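
An added example, not part of the thread: a small parser for the "sh proc cpu" output quoted in the original question. In that IOS header the first five-second figure is total CPU and the second is time spent at interrupt level, and IP Input is the process that handles process-switched IP packets. The function names and the 10% threshold are assumptions for illustration.

```python
import re

# Output quoted in the thread; the elided "...." rows are omitted.
SAMPLE = """\
CPU utilization for five seconds: 48%/32%; one minute: 64%; five minutes: 65%
 PID Runtime(ms)   Invoked  uSecs    5Sec   1Min   5Min TTY Process
  19    42728104 184864569    231  16.54% 19.07% 19.36%   0 IP Input
  66   175270476   1282394 136677   0.00%  1.39%  1.94%   0 BGP Scanner
"""

HEADER = re.compile(
    r"five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%")
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$")


def parse_proc_cpu(text):
    """Split the header into total/interrupt/process CPU and list process rows."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("no 'CPU utilization' header found")
    total, intr, one_min, five_min = map(int, m.groups())
    procs = []
    for line in text.splitlines():
        r = ROW.match(line)
        if r:  # header and column-title lines do not start with a PID
            procs.append({"pid": int(r[1]), "name": r[9],
                          "five_sec": float(r[5]), "one_min": float(r[6]),
                          "five_min": float(r[7])})
    return {"total": total, "interrupt": intr, "process": total - intr,
            "one_min": one_min, "five_min": five_min, "procs": procs}


def triage(report, threshold=10.0):
    """Flag interrupt-dominated load and processes at or above the threshold.

    threshold is an assumed cut-off in percent, not a vendor value.
    """
    busy = [(p["pid"], p["name"], p["five_sec"])
            for p in report["procs"] if p["five_sec"] >= threshold]
    return {"interrupt_dominant": report["interrupt"] > report["process"],
            "busy": busy}


if __name__ == "__main__":
    rep = parse_proc_cpu(SAMPLE)
    print(rep["total"], rep["interrupt"], rep["process"])
    print(triage(rep))
```
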