RT1#sh ip route

Gateway of last resort is 10.10.10.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.10.10.2
RT1#
RT1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
RT2              Fas 0/0           176        R           3660      Fas 0/0
RT1#
RT1#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
RT1#traceroute 2.2.2.2

Type escape sequence to abort.
Tracing the route to 2.2.2.2

  1 10.10.10.2 8 msec *  52 msec
RT1#traceroute 2.2.2.2

Type escape sequence to abort.
Tracing the route to 2.2.2.2

  1  *  10.10.10.2 28 msec *
RT1#
This behavior is caused by how Cisco IOS performs ICMP rate limiting. By default, Cisco IOS generates at most one ICMP Unreachable message every 500ms. The show ip icmp rate-limit [intf-type intf-num] EXEC command displays the ICMP Destination Unreachable counters, which indicate, on a per-interface basis, the number of ICMP Unreachable messages that were rate limited and discarded on each interface of the router.
Note: The show ip icmp rate-limit EXEC command is available on Cisco IOS Release 12.4T and later.
RT2#sh ip icmp rate-limit
                           DF bit unreachables       All other unreachables
Interval (millisecond)     500                       500

Interface                  # DF bit unreachables     # All other unreachables
---------                  ---------------------     ------------------------
FastEthernet0/0            0                         2
FastEthernet0/1            0                         0

Greatest number of unreachables on FastEthernet0/0
RT2#
The output below shows that, after ICMP rate limiting was disabled on RT2, the ICMP Destination Unreachable messages were no longer rate limited by RT2 and were all received by RT1:
RT2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RT2(config)#no ip icmp rate-limit unreachable
======================================================================
RT1#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
RT1#
RT1#traceroute 2.2.2.2

Type escape sequence to abort.
Tracing the route to 2.2.2.2

  1 10.10.10.2 88 msec 24 msec 8 msec
RT1#
ICMP Destination Unreachable Rate Limiting
The following steps trace how the ping results on RT1 were formed. Note that the default timeout value for ping (ICMP Echo Request) on Cisco IOS is 2 seconds.
1. RT1 sends the 1st ICMP Echo Request message. RT2 responds with an ICMP Destination Unreachable message. RT1 receives the ICMP Destination Unreachable message and reflects it on the console as a U. RT2 cannot send another ICMP Destination Unreachable message for 500ms due to ICMP rate limiting.
2. RT1 sends the 2nd ICMP Echo Request message. RT2 does not respond with an ICMP Destination Unreachable message as its ICMP rate limiting timer has not expired yet.
3. RT1 sends the 3rd ICMP Echo Request message after the 2nd ICMP Echo Request message has timed out after 2 seconds. As the ICMP rate limiting timer has expired, RT2 responds with the 2nd ICMP Destination Unreachable message. The 500ms ICMP rate limiting timer on RT2 is triggered again. RT1’s console shows U.U.
4. RT1 sends the 4th ICMP Echo Request message. RT2 does not respond again as it is waiting for its ICMP rate limiting timer to expire again. RT1 waits for 2 seconds again without receiving an ICMP Echo Reply before showing another . on the console.
5. RT1 sends the 5th ICMP Echo Request message and is answered by RT2 with an ICMP Destination Unreachable message as the 2-second ping timeout value on RT1 allows the 500ms ICMP rate limit timer on RT2 to expire. Eventually the U.U.U output is observed on RT1’s console.
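
The five steps above can be replayed as a small timing model. This is an added example, not part of the original post or Cisco code; the function name simulate_ping and the 10 ms round-trip time are assumptions, and RT1 is assumed to send the next echo as soon as it gets a response or its timeout expires.

```python
def simulate_ping(count=5, timeout_ms=2000, rate_limit_ms=500, rtt_ms=10):
    """Model RT1 pinging an address that RT2 has no route for.

    rate_limit_ms=None models "no ip icmp rate-limit unreachable".
    Returns (console_output, suppressed), where suppressed is the number
    of unreachables RT2 did not send because of the rate limit.
    """
    now = 0                # RT1's clock in milliseconds
    next_allowed = 0       # earliest time RT2 may send another unreachable
    console = []
    suppressed = 0
    one_way = rtt_ms // 2  # assumed one-way delay between RT1 and RT2

    for _ in range(count):
        arrival = now + one_way          # echo request reaches RT2
        limited = rate_limit_ms is not None and arrival < next_allowed
        if limited:
            # RT2 silently drops the unreachable; RT1 waits the full timeout.
            suppressed += 1
            console.append(".")
            now += timeout_ms
        else:
            # RT2 answers and, if limiting is on, starts its interval timer.
            if rate_limit_ms is not None:
                next_allowed = arrival + rate_limit_ms
            console.append("U")
            now = arrival + one_way      # RT1 sends the next echo right away
    return "".join(console), suppressed


if __name__ == "__main__":
    # Default IOS values from the page: 2 s ping timeout, 500 ms rate limit.
    print(simulate_ping())                    # ('U.U.U', 2)
    # Rate limiting disabled on RT2.
    print(simulate_ping(rate_limit_ms=None))  # ('UUUUU', 0)
    # A ping timeout shorter than the rate-limit interval hides more replies.
    print(simulate_ping(timeout_ms=200))      # ('U...U', 3)
```

With the 500ms interval the model suppresses 2 unreachables for one 5-packet ping, the same count reported by the %IP-3-ICMPRATELIMIT message in the logging output below.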
The following shows the usage of the log keyword of the ip icmp rate-limit unreachable [df] {ms} [log [packets] [interval-ms]] global configuration command. RT2 is configured to generate an error message upon generating more than 1 ICMP Destination Unreachable message within 1 minute. (The default values of packets and interval-ms are 1000 packets and 60000ms respectively.)
RT2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RT2(config)#ip icmp rate-limit unreachable ?
  <1-4294967295>  Once per milliseconds
  DF              code 4, fragmentation needed and DF set

RT2(config)#ip icmp rate-limit unreachable 500 ?
  log  log message if rate limiting is excessive

RT2(config)#ip icmp rate-limit unreachable 500 log ?
  <1-4294967295>  number of unreachables within interval to trigger a message

RT2(config)#ip icmp rate-limit unreachable 500 log 1 ?
  <10000-4294967295>  log message once per milliseconds

RT2(config)#ip icmp rate-limit unreachable 500 log 1
RT2(config)#^Z
RT2#
======================================================================
RT1#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
RT1#
======================================================================
RT2#
00:02:56.071: %IP-3-ICMPRATELIMIT: 2 unreachables rate-limited within 60000 milliseconds on FastEthernet0/0. 0 log messages suppressed since last log message displayed on FastEthernet0/0
RT2#
RT2#sh ip icmp rate-limit
                              DF bit unreachables       All other unreachables
Interval (millisecond)        500                       500
Log threshold (packet)        1000                      1
Log interval (millisecond)    60000                     60000

Interface                     # DF bit unreachables     # All other unreachables
---------                     ---------------------     ------------------------
FastEthernet0/0               0                         4
FastEthernet0/1               0                         0

Greatest number of unreachables on FastEthernet0/0
RT2#