drew.weaver at thenap
Nov 24, 2009, 10:07 AM
Post #2 of 2
(358 views)
Permalink
|
|
Re: 6500 - What determines whether certain traffic is punted or not?
[In reply to]
|
|
Sure,
example #1
example #1
2.012467 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012516 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012566 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012616 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012666 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012766 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012816 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012866 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.012916 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013016 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013066 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013116 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013166 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013168 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
2.013216 local.ip -> internet.ip UDP Source port: isdd Destination port: 51472
example #2
1.694327 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694426 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694476 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694526 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694576 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694626 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694726 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694776 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694826 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
1.694876 local.ip -> internet.ip SIP Status: 200 OK (1 bindings)
example #3
1.034938 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.034942 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035037 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035041 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035137 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035187 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035236 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035336 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035341 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035436 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035486 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035536 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035586 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
1.035636 local.ip -> internet.ip HTTP [TCP Retransmission] Continuation or non-HTTP traffic
example #4
1.292173 local.ip -> internet.ip DNS Standard query response, No such name
1.292223 local.ip -> internet.ip DNS Standard query response, No such name
1.292273 local.ip -> internet.ip DNS Standard query response, No such name
1.292323 local.ip -> internet.ip DNS Standard query response, No such name
1.292373 local.ip -> internet.ip DNS Standard query response, No such name
1.292423 local.ip -> internet.ip DNS Standard query response, No such name
1.292473 local.ip -> internet.ip DNS Standard query response, No such name
1.292522 local.ip -> internet.ip DNS Standard query response, No such name
1.292573 local.ip -> internet.ip DNS Standard query response, No such name
1.292622 local.ip -> internet.ip DNS Standard query response, No such name
1.292672 local.ip -> internet.ip DNS Standard query response, No such name
example #5
1.343640 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.354772 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.354872 10.1.0.162 -> 192.168.115.34 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.381130 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.384974 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.393011 10.1.0.162 -> internet.ip ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.414982 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.442681 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.445027 10.1.0.162 -> 192.168.45.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.463498 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.474230 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.501936 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.504232 10.1.0.162 -> 192.168.115.34 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.504582 10.1.0.162 -> 192.168.81.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
1.519408 10.1.0.162 -> 192.168.155.10 ICMP Time-to-live exceeded (Time to live exceeded in transit)
each of these examples are just tiny samples, the traffic seems to go on for a long time.
Note I sanitized the IPs in example #5
-Drew
-----Original Message-----
From: cisco-nsp-bounces [at] puck [mailto:cisco-nsp-bounces [at] puck] On Behalf Of Sebastian Wiesinger
Sent: Tuesday, November 24, 2009 11:38 AM
To: Cisco-nsp
Subject: Re: [c-nsp] 6500 - What determines whether certain traffic is punted or not?
* Drew Weaver <drew.weaver [at] thenap> [2009-11-24 17:34]:
> I've been having some issues with queue drops/CLI sluggishness on a
> 6500 and I wanted to check what kind of volume of traffic I was
> getting punted to the RP.
>
> I made a span session and began checking out the traffic with
> tethereal.
>
> It seems like a huge (30,000) or so packets every few seconds of
> just UDP traffic is being punted.
Hi Drew,
can you post a sample from that traffic? Is it mostly the same?
> The system is a Sup720-3BXL.
>
> Does anyone know how to determine what kind of traffic should be
> punted to the RP and more importantly why this UDP traffic is
> hitting the RP?
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml#situations
Kind Regards,
Sebastian
--
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
|
