All things related to multicast

[Jeff Olenchek <>]

        From: Hugh LaMaster 
<>
        Subject: Re: PowerQuest DriveImage
        
        On Mon, 24 Jan 2000, Thomas Maufer wrote:
        
        > Date: Mon, 24 Jan 2000 13:31:29 -0800
        > From: Thomas Maufer 
<>
        > To: Jeff Olenchek 
<>
        > Cc: 

        > Subject: Re: PowerQuest DriveImage
        > 
        > -----BEGIN PGP SIGNED MESSAGE-----
        > Hash: SHA1
        > 
        > At 13:31 -0600 2000-01-24, Jeff Olenchek wrote:
        > 
        > >We had a 7513/120-8.5.S melt (RIP packets would stop being sent)
        
        Interesting.  RSP2/4?  Was this with a VIP-2/{40,50} with
        FastEthernet PA?  Was the router connected full-duplex to 
        a switch, or, e.g., half-duplex to a hub?  Was the CPU
        saturated, the VIP saturated, and/or the network saturated?
        At this point, it is difficult to say whether the router
        has a problem or not.  If some systems are on half-duplex
        10 Mbps ethernet, then it wouldn't surprise me if the
        "broadcast" traffic saturated the output and prevented
        RIP from being received.  What were the relevant multicast
        IOS configuration lines (e.g. ip multicast-routing distributed).
        What was the configuration of the interface involved.  In short, 
        could you provide more detailed information?

An RSP2. The traffic was coming in on a 16Mbyte VIP2 via a full-duplex
ISL link to a 5500. Some of the IOS lines are copied below. There is no
distributed routing on this router. I didn't record the details (cpu, etc.).

The dropped RIP packets were noticed on a FDDI subnet which the router
and our campus Unix boxes share.

        > >when a lan administator used a package called DriveImage. 
DriveImage
        > >sends data to address 230.0.0.1/01-00-5e-00-00-01.
        
        This is very strange.  I've seen DriveImage for sale at Fry's;
        I'm trying to imagine why they would send the output to a 
        multicast address in the first place.  It sounds like
        someone took a shortcut for sharing data without understanding
        how multicast is usually used/configured.  It might make
        DriveImage an interesting multicast test tool, though ;-)
        Sending 5000 pps to 230.0.0.1 could be considered a kind of 
        DoS attack.

Exactly--The site in Sweden did contact our abuse group about this....

        ....
        
        But, since I have seen similar routers handle equivalent 
        forwarding loads without a problem, I'm wondering if there 
        are some other factors involved.

It wouldn't surprise me if I misconfigured something...

        --
         Hugh LaMaster, M/S 233-21,    Email: 


jeff

p.s. This is one of the packets captured via our sniffer:

- - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - - - - - - -

SUMMARY  Delta T     Destination   Source        Summary
M    1             [230.0.0.1]     [129.89.75.175]  DLC Ethertype=0800, 
size=66 bytes
                                                    IP  D=[230.0.0.1] 
S=[129.89.75.175] LEN=32 ID=56805
                                                    UDP D=2222 S=2222 LEN=32

DLC:  ----- DLC Header -----
DLC:  
DLC:  Frame 1 arrived at  12:11:20.20849 ; frame size is 66 (0042 hex) bytes.
DLC:  Destination = Multicast 01005E000001
DLC:  Source      = Station 0050049A1D08
DLC:  Ethertype  = 0800 (IP)
DLC:  
IP:   ----- IP Header -----
IP:   
IP:   Version = 4, header length = 20 bytes
IP:   Type of service = 00
IP:         000. .... = routine
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length    = 52 bytes
IP:   Identification  = 56805
IP:   Flags           = 0X
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live    = 255 seconds/hops
IP:   Protocol        = 17 (UDP)
IP:   Header checksum = 2AC9 (correct)
IP:   Source address      = [129.89.75.175]
IP:   Destination address = [230.0.0.1]
IP:   No options
IP:   
UDP:  ----- UDP Header -----
UDP:  
UDP:  Source port      = 2222
UDP:  Destination port = 2222
UDP:  Length           = 32
UDP:  Checksum       = 603A (correct)
UDP:  
UDP:  [24 byte(s) of data]
UDP:  
        
-------------------------------------------------------------------------------
Here are a few of the configuration lines for the router. The router
connecting to Abilene is at 129.89.7.8


ip multicast-routing
no ip dvmrp route-limit
ip cef
!
interface FastEthernet10/1/0
 description fast10/1/0 trunked port to kd-switch 4/12
 no ip address
 no ip directed-broadcast
 no ip route-cache distributed
 full-duplex
!
interface FastEthernet10/1/0.18
 description fast10/1/0.18  SN18 Mitchell Hall
 ...
!
interface FastEthernet10/1/0.42
 description fast10/1/0.42  =4/12=3/5 SN42   Mitchell Hall
 ...
!
interface FastEthernet10/1/0.48
 description fast10/1/0.48   =4/12  SN48  CURTIN
 ...
!
interface FastEthernet10/1/0.75
 description fast10/1/0.75  SN75  =4/12 BUS N219
 encapsulation isl 75
 ip address 129.89.75.1 255.255.255.0
 ip access-group SN75-ip-x in
 ip helper-address 129.89.7.14
 ip helper-address 129.89.7.2
 no ip redirects
 no ip directed-broadcast
 ip pim sparse-mode
 ipx input-network-filter 902
 ipx input-sap-filter 1002
 ipx encapsulation NOVELL-ETHER
 ipx network 75
 ipx output-gns-filter 1001
!
interface FastEthernet10/1/0.86
 description fast10/1/0.86  =4/12 SN86 BUS Lab N234A
 ...
!
interface FastEthernet10/1/0.109
 description fa10/1/0.109 =4/12 Fine Arts Complex
 ...
!
interface FastEthernet10/1/0.157
 description fast10/1/0.157 =4/12=3/4 SN157 Bolton
 ...
!
interface FastEthernet10/1/0.158
 description fast10/1/0.158 =4/12=2/11 SN158 Bolton
 ...
 ...
ip pim rp-address 129.89.7.8
ip mroute 0.0.0.0 0.0.0.0 129.89.7.8

kingdome# show ver
Cisco Internetwork Operating System Software 
IOS (tm) RSP Software (RSP-JSV-M), Version 12.0(8.5)S, EARLY DEPLOYMENT 
MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 12-Jan-00 19:06 by htseng
Image text-base: 0x60010908, data-base: 0x610C4000

ROM: System Bootstrap, Version 5.3(16645) [szhang 571], INTERIM SOFTWARE
BOOTFLASH: RSP Software (RSP-BOOT-M), Version 12.0(8.5)S, EARLY DEPLOYMENT 
MAINTENANCE INTERIM SOFTWARE

kingdome uptime is 3 days, 10 hours, 55 minutes
System returned to ROM by reload at 06:43:32 CDT Fri Jan 21 2000
System restarted at 06:46:33 CDT Fri Jan 21 2000
System image file is "slot0:rsp-jsv-mz.120-8.5.S"

cisco RSP2 (R4600) processor with 65536K/2072K bytes of memory.
R4600 CPU at 100Mhz, Implementation 32, Rev 2.0
Last reset from power-on
G.703/E1 software, Version 1.0.
G.703/JT2 software, Version 1.0.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
Bridging software.
TN3270 Emulation software.
Chassis Interface.
3 EIP controllers (18 Ethernet).
4 VIP2 controllers (4 FastEthernet)(1 Fddi)(1 ATM).
18 Ethernet/IEEE 802.3 interface(s)
4 FastEthernet/IEEE 802.3 interface(s)
1 FDDI network interface(s)
1 ATM network interface(s)
125K bytes of non-volatile configuration memory.

16384K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).
8192K bytes of Flash internal SIMM (Sector size 256K).
No slave installed in slot 7.
Configuration register is 0x102