So, the choice is to go from dCEF to CEF or to not block the 92 byte packets at all....anyone have an idea as to which is the better route to take..?

- Richard

On Fri, 12 Sep 2003 10:59:54 -0700 "Matt Ploessel" <matt.ploessel@foundstone.com> wrote:
See http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml
The policy-routing solution works great in small routers (26xx, 17xx) and in 7200s. In 7500s it seems OK *UNLESS* dCEF is enabled, then it does what you saw. I'm assuming it's dropping 92-byte TCP packets as well as the ICMP echoes. You can see 1-packet flows of mail getting dropped.
Notice that the workaround cannot be used on GSRs because it causes packets to be punted to the CPU... this is as bad a news as that it doesn't work right on dCEF because we use GSRs or 7500s with dCEF where the network is really busy.
- Matt Ploessel
-----Original Message-----
From: Richard J.Sears [mailto:rsears@adnc.com]
Sent: Friday, September 12, 2003 10:43 AM
To: Nanog
Subject: 92 Byte ICMP Blocking Problem
We started blocking 92 Byte ICMP packets on our ingress points on our core backbone routers.
This was a recommendation from Cisco to help mitigate the effects of the Nachi worm.
Since then, we have been hammered with customer complaints concerning the inability to talk to mail servers and ssh to their servers, as well as other weird network issues, all centering around the time we started blocking 92 Byte ICMP packets.
Has anyone else seen this, and if so, is the only resolution to stop the blockage of 92 Byte ICMP Packets..?
Thanks
Richard
******************************************
Richard J. Sears
Vice President
American Digital Network
----------------------------------------------------
rsears@adnc.com
http://www.adnc.com
----------------------------------------------------
858.576.4272 - Phone
858.427.2401 - Fax
----------------------------------------------------
I fly because it releases my mind from the tyranny of petty things . .
"Work like you don't need the money, love like you've never been hurt and dance like you do when nobody's watching."
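An added example, not part of the thread or of Cisco's advisory: a small Python check that compares the filter as intended with the behaviour the reply above suspects under dCEF, and lists the packets that would be dropped as collateral. It assumes the intended match is ICMP echo or echo-reply with an IP total length of 92; all function names and sample packets are constructed for illustration.

```python
import struct

ICMP, TCP = 1, 6
ECHO_REPLY, ECHO_REQUEST = 0, 8

def parse_ipv4(pkt):
    """Return (total_length, protocol, icmp_type or None) for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    icmp_type = pkt[ihl] if proto == ICMP and len(pkt) > ihl else None
    return total_len, proto, icmp_type

def intended_match(pkt):
    """Assumed intent: drop only ICMP echo / echo-reply with IP total length 92."""
    total_len, proto, icmp_type = parse_ipv4(pkt)
    return total_len == 92 and proto == ICMP and icmp_type in (ECHO_REQUEST, ECHO_REPLY)

def length_only_match(pkt):
    """Behaviour the reply suspects under dCEF: every 92-byte packet is hit."""
    return parse_ipv4(pkt)[0] == 92

def collateral(packets):
    """Names of packets the length-only behaviour drops but the intended filter passes."""
    return sorted(n for n, p in packets.items()
                  if length_only_match(p) and not intended_match(p))

def make_packet(proto, total_len, first_byte=0):
    """Constructed IPv4 packet: 20-byte header, zero checksum, zero-filled payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return hdr + bytes([first_byte]) + bytes(total_len - 21)

# Constructed sample traffic (documentation addresses, no real capture).
SAMPLES = {
    "icmp_echo_92": make_packet(ICMP, 92, ECHO_REQUEST),
    "icmp_echo_84": make_packet(ICMP, 84, ECHO_REQUEST),
    "tcp_92": make_packet(TCP, 92),
    "tcp_1500": make_packet(TCP, 1500),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} intended={intended_match(pkt)!s:5} "
              f"length_only={length_only_match(pkt)}")
    print("collateral:", collateral(SAMPLES))
```

Run over packets exported from a capture at the ingress point, the collateral list gives a measure of how much legitimate 92-byte traffic a length-only drop would affect.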