Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)? They sure don't like this traffic one bit. It causes them to not only drop traffic, but spew out every available error message under the sun...

Extreme are apparently assembling an "advisory TAC" on this, from our point of view, since we use the devices to do l3 aggregation (for colo and such) we've used an ACL to try and combat the offending traffic, but it's not doing much good.....

--
Email Disclaimer can be viewed at: http://www.netscalibur.co.uk/email.html
> Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)? They sure don't like this traffic one bit. It causes them to not only drop traffic, but spew out every available error message under the sun...
> Extreme are apparently assembling an "advisory TAC" on this, from our point of view, since we use the devices to do l3 aggregation (for colo and such) we've used an ACL to try and combat the offending traffic, but it's not doing much good.....

Do you have MCAST enabled on these switches? I'd guess this is what is causing issues on the extreme boxes.

--
Neil J. McRae - Alive and Kicking
neil@DOMINO.ORG
On Sat, 25 Jan 2003, Neil J. McRae wrote:
> > Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)? They sure don't like this traffic one bit. It causes them to not only drop traffic, but spew out every available error message under the sun...
> > Extreme are apparently assembling an "advisory TAC" on this, from our point of view, since we use the devices to do l3 aggregation (for colo and such) we've used an ACL to try and combat the offending traffic, but it's not doing much good.....
> Do you have MCAST enabled on these switches? I'd guess this is what is causing issues on the extreme boxes.

I think the architecture is flow-based, i.e., the first packet of each flow hits the CPU. This is probably causing the high CPU utilization. The flow would still hit the CPU even with an ACL and then probably be written to the ASIC with a null location.

andy
--
PGP Key Available at http://www.tigerteam.net/andy/pgp
David,

----- Original Message -----
From: "Freedman David" <David.Freedman@netscalibur.co.uk>

> Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)? They sure don't like this traffic one bit. It causes them to not only drop traffic, but spew out every available error message under the sun...

We use extremes in our core and it did not log much other than CPU issues:

01/25/2003 02:20.23 <INFO:SYST> task tNetTask cpu utilization is 88% PC: 80266eb4
01/25/2003 02:20.23 <CRIT:SYST> task tNetTask cpu utilization is 88% PC: 80266eb4

and...

01/25/2003 02:24.43 <INFO:SYST> task tNetTask cpu utilization is 93% PC: 80266eb4
01/25/2003 02:24.42 <CRIT:SYST> task tNetTask cpu utilization is 93% PC: 80266eb4

I did notice console messages while investigating the sources of the traffic, but of course have no log of them now. The switches stayed up the whole time though (yay)

Also picked up some strange messages from one of the offenders:

01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376: updateGroupSenderListPortMask: PTAGalloc 237.189.185.65/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376: updateGroupSenderListPortMask: PTAGalloc 237.137.210.243/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376: updateGroupSenderListPortMask: PTAGalloc 225.134.14.67/64.237.99.79

No idea yet what that is, though I assume it is coming from the monitor port.

-Scotty
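A triage pass over the log lines quoted in the message above, as an added example that is not part of the original thread: it records the peak CPU per task and lists senders logged against several distinct multicast groups. Reading each PTAGalloc pair as group/sender is an assumption drawn from the function name in the log line, and the function name `triage` and its thresholds are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines exactly as quoted in the message above.
SAMPLE_LOG = """\
01/25/2003 02:20.23 <INFO:SYST> task tNetTask cpu utilization is 88% PC: 80266eb4
01/25/2003 02:20.23 <CRIT:SYST> task tNetTask cpu utilization is 88% PC: 80266eb4
01/25/2003 02:24.43 <INFO:SYST> task tNetTask cpu utilization is 93% PC: 80266eb4
01/25/2003 02:24.42 <CRIT:SYST> task tNetTask cpu utilization is 93% PC: 80266eb4
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376: updateGroupSenderListPortMask: PTAGalloc 237.189.185.65/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376: updateGroupSenderListPortMask: PTAGalloc 237.137.210.243/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376: updateGroupSenderListPortMask: PTAGalloc 225.134.14.67/64.237.99.79
"""

CPU = re.compile(r"task (\S+) cpu utilization is (\d+)%")
# Assumption: the pair after PTAGalloc is <multicast group>/<sender>.
PTAG = re.compile(r"PTAGalloc (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)")


def triage(log_text, cpu_threshold=80, min_groups=3):
    """Return (peak CPU per task, senders seen with >= min_groups groups)."""
    peak_cpu = {}
    groups_by_sender = defaultdict(set)
    for line in log_text.splitlines():
        cpu = CPU.search(line)
        if cpu:
            task, pct = cpu.group(1), int(cpu.group(2))
            if pct >= cpu_threshold:
                peak_cpu[task] = max(pct, peak_cpu.get(task, 0))
            continue
        ptag = PTAG.search(line)
        if not ptag:
            continue
        group, sender = ptag.groups()
        try:
            is_mcast = ipaddress.ip_address(group).is_multicast
        except ValueError:
            continue  # malformed address in the log line, skip it
        if is_mcast:  # only count destinations inside 224.0.0.0/4
            groups_by_sender[sender].add(group)
    suspects = {s: sorted(g) for s, g in groups_by_sender.items()
                if len(g) >= min_groups}
    return peak_cpu, suspects


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
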
> > Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)? They sure don't like this traffic one bit. It causes them to not only drop traffic, but spew out every available error message under the sun...
> We use extremes in our core and it did not log much other than CPU issues:
> 01/25/2003 02:20.23 <INFO:SYST> task tNetTask cpu utilization is 88% PC: ...

All of the ExtremeNetworks devices I've laid my hands on are in strict L2 mode and their management interfaces are either on private networks or behind firewalls. If you are relying on their ACL's to protect your telnet and snmp access, but are otherwise allowing their management interfaces to hear traffic from the whole Internet, then you should turn in your badge and go back to bagging groceries or whatever it is you used to do. (Same goes for any management interface on any L1-L2-L3-L4 product made by any vendor, so I'm not intending to pick on Extreme individually here.)

--
Paul Vixie
On Sun, Jan 26, 2003 at 01:37:16AM +0000, Paul Vixie wrote:
> ... If you are relying on their ACL's to protect your telnet and snmp access, but are otherwise allowing their management interfaces to hear traffic from the whole Internet, then you should turn in your badge and go back to bagging groceries or whatever it is you used to do.

Some would argue this should apply to those exposing MSSQL to the outside world such that it could even receive malicious port 1434 packets...

--cw
> > ... If you are relying on their ACL's to protect your telnet and snmp access, but are otherwise allowing their management interfaces to hear traffic from the whole Internet, then you should turn in your badge and go back to bagging groceries or whatever it is you used to do.
> Some would argue this should apply to those exposing MSSQL to the outside world such that it could even receive malicious port 1434 packets...

in fairness to microsoft, there have been worms based on apache and bind and popper and fingerd (buffer overruns) and even sendmail (wizard password) so the wide scale code review one gets from open source software engineering is only a marginal solution to monocultural weakness vectors.

--
Paul Vixie
On Sun, Jan 26, 2003 at 06:56:48PM +0000, Paul Vixie wrote:
> in fairness to microsoft, there have been worms based on apache and bind and popper and fingerd (buffer overruns) and even sendmail (wizard password) so the wide scale code review one gets from open source software engineering is only a marginal solution to monocultural weakness vectors.

i wasn't pointing at microsoft

i was pointing out that leaving software completely exposed when it need not be is potentially problematic

perhaps[1] this is worse for software which is used mostly for local connections (i.e. LAN, internal network, etc.) such as SQL servers as opposed to software which is designed and/or required to accept connections from all over such as a web-server or MTA

--cw

[1] where often a higher degree of paranoia exists in the programmer's mind and also the likelihood of wide-spread problems being reported appears to be greater
participants (6)
- Andy Walden
- Chris Wedgwood
- Freedman David
- K. Scott Bethke
- neil@DOMINO.ORG
- Paul Vixie