Home page logo

nanog logo nanog mailing list archives

Re: Extreme + Nachi = ipfdb overflow
From: "Robert M. Enger" <enger () seka erols net>
Date: Mon, 25 Aug 2003 16:36:32 -0400

I believe the old IBM "routers" used for the NSFnet
implemented fully distributed routing tables in each line card.
At that time, the commercial router vendors were still faulting
routes in to the line cards (or central accelerator cards)
on demand.

I think the good folks at Merit, Watson and ANS
were some of the early advocates of fully distributed tables,
due in part to their analysis of samples of real-world
backbone traffic.

----- Original Message ----- 
From: "Richard A Steenbergen" <ras () e-gerbil net>
To: <jcoombs () gwi net>
Cc: <nanog () merit edu>
Sent: Monday, August 25, 2003 4:03 PM
Subject: Re: Extreme + Nachi = ipfdb overflow

On Mon, Aug 25, 2003 at 03:38:52PM -0400, Joshua Coombs wrote:

After battling Nachi and it's flood of icmp traffic, I've discovered
that it's not the Cisco gear that gets hit hard by it, it was the
Extreme gear.  Nachi generates enough 'random' traffic to flood and
subsequently thrash the ip forwarding DB on the Summit 1i we were using
so badly as to drop it from gigabit capible to barely eeking out
6mb/sec.  Before I redeploy the switch, I need to find a way to keep the
ipfdb from flodding while allowing it to be the primary carrier of
traffic.  ACLs blocking ICMP on the Extreme act too late, by the time
the cpu sees the packet to drop it, it's already horned its way into the
ipfdb.  Does anyone have any suggestions on ways to allow the switch to
participate as an L3 router while minimizing the chances of a worm
taking it out so easily again?

This affects most layer 3 switches, including Extreme, Foundry, and anyone
else who still can't figure out how to pre-generated a FIB instead of a
Fast Cache style system.

It amazes me that people still have not learned this lesson. How old is
CEF now? Then again, I suppose most of these boxes are being marketed to
Enterprises anyways. As long as there is a label that says "60Gbps", the
box looks good, and it's relatively cheap, how many of their customers are
really going to notice the first packet performance of 6Mbps before they
buy, right?

At least some of the other vendors have workarounds (lame as they might be
*coughnetaggcough*), or newer supervisors with FIBs, but I'm not aware of
anything you can do to make an L3 Barney Switch behave well under a random
dest flood.

Richard A Steenbergen <ras () e-gerbil net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]