Re: Ping and Fragment

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Tue Aug 31 2004 - 15:29:07 GMT-3


Hmmm,
you are using reflexive lists there, what about fragments?
I would bet this is the issue... but have no time now to check.
Take your security down :-)

gladston@br.ibm.com wrote:

> =================
> quoted
> -clear counters before the test (noticed quite a bit of drops there, but also quite a bit of traffic)
> -include also the map-class (i.e. all relevant configuration)
> ================
>
> Here is the result
>
> r3#p 172.16.34.4
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
> r3#
> r3#p
> Protocol [ip]:
> Target IP address: 172.16.34.4
> Repeat count [5]:
> Datagram size [100]: 500
> Timeout in seconds [2]:
> Extended commands [n]:
> Sweep range of sizes [n]:
> Type escape sequence to abort.
> Sending 5, 500-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 76/79/80 ms
> r3#
> r3#c
> Enter configuration commands, one per line. End with CNTL/Z.
> r3(config)#int ser 0.34
> r3(config-subif)#fram
> r3(config-subif)#frame-relay c
> r3(config-subif)#frame-relay class Frame
> r3(config-subif)#
> r3#
> r3#p
> Protocol [ip]:
> Target IP address: 172.16.34.4
> Repeat count [5]:
> Datagram size [100]: 500
> Timeout in seconds [2]:
> Extended commands [n]:
> Sweep range of sizes [n]:
> Type escape sequence to abort.
> Sending 5, 500-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> r3#
> r3#s
> Building configuration...
>
> Current configuration : 3474 bytes
> !
> version 12.2
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r3
> !
> logging rate-limit console 10 except errors
> no logging console
> !
> ip subnet-zero
> no ip finger
> no ip domain-lookup
> !
> interface Loopback0
> ip address 172.16.3.3 255.255.255.0
> ip ospf network point-to-point
> !
> interface Serial0
> no ip address
> encapsulation frame-relay
> ip ospf network point-to-point
> frame-relay traffic-shaping
> frame-relay lmi-type cisco
> !
> interface Serial0.32 multipoint
> ip address 172.16.23.3 255.255.255.0
> ip ospf network point-to-point
> frame-relay map ip 172.16.23.2 302 broadcast
> !
> interface Serial0.34 multipoint
> ip address 172.16.34.3 255.255.255.0
> ip access-group Inbound in
> ip access-group Outbound out
> ip ospf network point-to-point
> frame-relay class Frame
> frame-relay map ip 172.16.34.4 304 broadcast
> !
> interface Serial1
> no ip address
> shutdown
> !
> router ospf 1
> log-adjacency-changes
> network 172.16.3.0 0.0.0.255 area 0
> network 172.16.13.0 0.0.0.255 area 0
> network 172.16.23.0 0.0.0.255 area 0
> network 172.16.34.0 0.0.0.255 area 0
> !
> ip access-list extended Inbound
> permit ospf any any
> permit icmp any any administratively-prohibited
> evaluate Evaluatewhatgoesout
> permit icmp any any
> ip access-list extended Outbound
> permit ip any any reflect Evaluatewhatgoesout
> permit icmp any any reflect Evaluatewhatgoesout
> !
> map-class frame-relay Frame
> no frame-relay adaptive-shaping
> frame-relay fair-queue
> frame-relay fragment 500
> !
> alias exec sir show ip route
> alias exec sib show ip interface brief
> alias exec s show run
> alias exec sl show logg
> alias exec c conf t
> alias exec cl clear logg
> alias exec nd no debu all
> alias exec sibs show ip bgp summary
> alias exec sb show ip bgp
> alias exec srb show run | be
> alias exec srr show run | be ^router
> alias exec sra show run | i ((^access-list)|(^ip access-list)|(^permit)|(^deny))
> alias exec srm show run | be ^((route-map)|(^match)|(^set))
> alias exec cb clear ip bgp * so
> alias exec so show ip os ne
> !
> line con 0
> exec-timeout 0 0
> privilege level 15
> logging synchronous
> transport input none
> line aux 0
> line vty 0 4
> login
> !
> end
>
> r3#
>
> Note: the reflexive list was not there before, same behavior.
>
>
> r3#sh frame-relay fragment
> interface    dlci  frag-type   frag-size  in-frag  out-frag  dropped-frag
> Serial0.34   304   end-to-end  500        0        10        0
>
>
> As I thought it was a platform problem, I tested on 3620. Same result:
>
> r1#p
> Protocol [ip]:
> Target IP address: 172.16.14.4
> Repeat count [5]:
> Datagram size [100]:
> Timeout in seconds [2]:
> Extended commands [n]:
> Sweep range of sizes [n]:
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.14.4, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/24 ms
> r1#
> r1#p
> Protocol [ip]:
> Target IP address: 172.16.14.4
> Repeat count [5]:
> Datagram size [100]: 600
> Timeout in seconds [2]:
> Extended commands [n]:
> Sweep range of sizes [n]:
> Type escape sequence to abort.
> Sending 5, 600-byte ICMP Echos to 172.16.14.4, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> r1#
> r1#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) 3600 Software (C3620-JS-M), Version 12.1(5)T9, RELEASE SOFTWARE (fc1)
> TAC Support: http://www.cisco.com/tac
> Copyright (c) 1986-2001 by cisco Systems, Inc.
> Compiled Sun 24-Jun-01 15:10 by cmong
> Image text-base: 0x60008950, data-base: 0x6146A000
>
> ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
>
> r1 uptime is 3 weeks, 1 day, 3 hours, 12 minutes
> System returned to ROM by reload at 13:54:00 UTC Wed Jul 7 2004
> System image file is "flash:c3620-js-mz.121-5.T9.bin"
>
> cisco 3620 (R4700) processor (revision 0x81) with 53248K/12288K bytes of memory.
> Processor board ID 26411040
> R4700 CPU at 80Mhz, Implementation 33, Rev 1.0
> Bridging software.
> X.25 software, Version 3.0.0.
> SuperLAT software (copyright 1990 by Meridian Technology Corp).
> TN3270 Emulation software.
> 1 FastEthernet/IEEE 802.3 interface(s)
> 6 Serial(sync/async) network interface(s)
> DRAM configuration is 32 bits wide with parity disabled.
> 29K bytes of non-volatile configuration memory.
> 16384K bytes of processor board System flash (Read/Write)
>
> Configuration register is 0x2102

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina


This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:51 GMT-3