Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3469
Views
5
Helpful
3
Replies

flooding of icmp-q in 3750 switch

S.ashok S
Level 1
Level 1

‎02-06-2012 09:33 PM - edited ‎03-04-2019 03:10 PM

Hi,

The below output has taken from cisco 3750 switch which the cpu utilization is more than 80%. Can anybody help what is the meaning of this below inforamation.

switch#debug platform cpu-queues icmp-q

debug platform cpu-queue icmp-q debugging is on

Feb  6 18:44:09.860: ICMP-Q:Dropped redirect disabled on L3 IF: Local Port Fwding L3If:Vlan41 L2If:GigabitEthernet1/0/8 DI:0xB4, LT:7, Vlan:41   SrcGPN:8, SrcGID:8, ACLLogIdx:0x0, MacDA:0019.aade.0d58, MacSA: b8ac.6f2a.2734   IP_SA:10.43.41.87 IP_DA:172.20.31.25 IP_Proto:6

   TPFFD:ED580008_00290029_00B0009F-000000B4_90BD001F_6C6E1FC0

Feb  6 18:44:09.869: ICMP-Q:Dropped redirect disabled on L3 IF: Local Port Fwding L3If:Vlan41 L2If:GigabitEthernet1/0/8 DI:0xB4, LT:7, Vlan:41   SrcGPN:8, SrcGID:8, ACLLogIdx:0x0, MacDA:0019.aade.0d58, MacSA: 001f.d0e6.c09e   IP_SA:10.43.41.58 IP_DA:172.20.31.25 IP_Proto:6

   TPFFD:ED580008_00290029_00B00040-000000B4_C507001F_6C6E1FC0

Feb  6 18:44:09.869: ICMP-Q:Dropped redirect disabled on L3 IF: Local Port Fwding L3If:Vlan41 L2If:GigabitEthernet1/0/8 DI:0xB4, LT:7, Vlan:41   SrcGPN:8, SrcGID:8, ACLLogIdx:0x0, MacDA:0019.aade.0d58, MacSA: 001f.d0e7.1a26   IP_SA:10.43.41.61 IP_DA:161.69.13.141 IP_Proto:6

   TPFFD:ED580008_00290029_00B00042-000000B4_02E4001F_6C6E1FC0

Feb  6 18:44:09.869: ICMP-Q:Dropped redirect disabled on L3 IF: Local Port Fwding L3If:Vlan41 L2If:GigabitEthernet1/0/8 DI:0xB4, LT:7, Vlan:41   SrcGPN:8, SrcGID:8, ACLLogIdx:0x0, MacDA:0019.aade.0d58, MacSA: b8ac.6f21.659d   IP_SA:10.43.41.55 IP_DA:172.20.31.51 IP_Proto:6

   TPFFD:ED580008_00290029_00B00040-000000B4_DE38001F_6C6E1FC0

Thanks,

With regards,

Ashok

Labels:
0 Helpful
3 Replies 3

nkarpysh
Cisco Employee
Cisco Employee

‎02-06-2012 09:50 PM

Hi Ashok,

The thing is that packets seems to come to VLAN 41 and should go out of the same inteface. When this happens router tries to generate ICMP redirect. I guess you "no ip redirect" configured on VLAN41. That stops router from sending ICMP redirect itself however due to ASIC logic it still sends those packets to CPU even is ICMP redirect are blocked.

So youy may need to check 2 things:

- check if VLAN 41 has "no ip redirects"  configured. Add it if that was not.

- check your design to stop packets from entering and leaving smae L3 interface

Nik

HTH,
Niko
0 Helpful

S.ashok S
Level 1
Level 1
In response to nkarpysh

‎02-06-2012 11:18 PM

Dear Nik,

Thank you for your reply and please check the access list statments and vlan 41 configuration.

ip access-list extended MyLan_ACL

permit ip 172.26.0.0 0.0.255.255 10.42.150.232 0.0.0.7

permit ip 172.16.0.0 0.0.255.255 10.42.150.232 0.0.0.7

permit ip 10.43.41.0 0.0.0.255 10.43.41.0 0.0.0.255

permit ip 10.43.41.0 0.0.0.255 10.43.2.0 0.0.0.255

permit ip 10.43.41.0 0.0.0.255 10.43.4.0 0.0.0.255

permit ip 10.43.41.0 0.0.0.255 10.43.5.0 0.0.0.255

permit ip 10.43.41.0 0.0.0.255 10.42.2.0 0.0.0.255

permit ip 10.43.41.0 0.0.0.255 10.42.4.0 0.0.0.255

permit ip 10.43.41.0 0.0.0.255 10.42.5.0 0.0.0.255

permit ip 10.43.41.0 0.0.0.255 10.41.2.0 0.0.0.255

permit ip host 10.43.41.133 host 10.42.100.15

permit ip host 10.43.41.54 host 10.42.60.210

permit ip 10.43.41.0 0.0.0.255 10.41.4.0 0.0.0.255

permit ip 10.43.41.0 0.0.0.255 10.41.5.0 0.0.0.255

permit ip 10.43.41.0 0.0.0.255 host 10.42.60.23

permit ip 10.43.41.0 0.0.0.255 10.42.150.232 0.0.0.7

permit ip host 10.43.41.71 host 10.42.150.235

permit ip host 10.43.41.57 host 10.42.78.18

permit ip host 10.43.41.124 host 10.42.150.44

deny   ip 10.43.41.0 0.0.0.255 10.43.0.0 0.0.255.255

deny   ip 10.43.41.0 0.0.0.255 10.40.0.0 0.0.255.255

deny   ip 10.43.41.0 0.0.0.255 10.41.0.0 0.0.255.255

deny   ip 10.43.41.0 0.0.0.255 10.42.0.0 0.0.255.255

permit udp any any eq bootpc

permit udp any any eq bootps

permit ip 10.43.41.0 0.0.0.255 any

interface Vlan41

description ***MyLan_Vlan***

ip address 10.43.41.254 255.255.255.0

ip access-group MyLan_ACL in

ip helper-address 10.43.2.153

ip helper-address 10.43.5.221

ip helper-address 10.43.2.20

ip helper-address 10.43.2.159

no ip redirects

no ip unreachables

no ip proxy-arp

ip policy route-map PBR_Vlan41

Thank you,

With regards,

Ashok.

0 Helpful

nkarpysh
Cisco Employee
Cisco Employee
In response to S.ashok S

‎02-07-2012 09:32 PM

Hello,

ACL is not a problem - you need to check routing "show ip route" for these destinations:

172.20.31.25

161.69.13.141

If the destination is same VALN 41 then that explains why packets getting to CPU. They are received and sent out of the same L3 interface. Router is designed to send ICMP redircect  and send copy of each such packet to CPU. Even with no ip redirect configured packets are still sent to cpu according to HW design.

You need to change your netwrok design to avoid these packets to come to this switch if those really coming and leaving on same VLAN 41.

Nik

HTH,
Niko
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card