02-25-2016 10:55 PM - edited 03-05-2019 03:26 AM
Dear All,
Our Cisco 7609-S today detected a number of packets to IPs that do not exist in the routing table; they were punted to the CPU, which caused high CPU load.
Could you please advise if there is any solution and how we can prevent such a situation from happening? If this issue cannot be resolved,
then anyone could run some test against IPs that do not exist in the routing table and overwhelm our equipment.
We detected such packets by using the debug netdr capture rx feature.
Thanks and any help would be appreciated!
Best Regards,
Rex
02-26-2016 01:13 AM
Hello Rex,
The 240.0.0.0/4 is a reserved address space for experiments and military use. It is not a conventional unicast address space.
I think your device has that drop action by default for this address space.
The question is why any user should try to contact this kind of IP address.
see
http://packetlife.net/blog/2010/oct/14/ipv4-exhaustion-what-about-class-e-addresses/
Hope to help
Giuseppe
02-25-2016 11:46 PM
You haven't run out of hardware CEF resources, have you? The output of this command should be all false.
show mls cef exception status
02-25-2016 11:50 PM
I assume you have a default route in your routing table? If so, then it did have a route to match.
02-26-2016 12:56 AM
Hi Philip,
We do have a default route in the routing table, but for those problem routes, after I issue the command below it shows drop and doesn't look up the default route. I guess this is the cause of the hit to the CPU?
# show ip cef 248.211.5.0
240.0.0.0/4
drop
But how can we avoid this issue happening and eliminate it?
Thanks for your help!
Regards,
Rex
02-26-2016 02:02 AM
Hello Giuseppe,
Thanks for your information! Besides this, I have found a lot of packets with dst port 53,
and I know debug netdr is supposed to only detect packets going to/from our router, which should be control plane packets.
But could you please advise why I see many packets not going to/from our router, and also many packets with dst port 53?
For example, I see the packets below in debug netdr:
------- dump of incoming inband packet -------
interface Te1/1, routine process_rx_packet_inline, timestamp 18:10:35.995
dbus info: src_vlan 0x3FA(1018), src_indx 0x40(64), len 0x40(64)
bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x380(896)
A0020400 03FA0400 00400000 40000000 00060520 02000040 00000000 03800000
destmac E0.5F.B9.4D.53.80, srcmac 00.23.9C.9B.4C.82, protocol 0800
--More-- protocol ip: version 0x04, hlen 0x05, tos 0x1A, totlen 44, identifier 29912
df 1, mf 0, fo 0, ttl 58, src 188.165.15.97, dst 101.52.224.171
tcp src 25481, dst 80, seq 3954921222, ack 0, win 29200 off 6 checksum 0x72D3 syn
------- dump of incoming inband packet -------
interface Te1/1, routine process_rx_packet_inline, timestamp 18:10:35.991
dbus info: src_vlan 0x3FA(1018), src_indx 0x40(64), len 0x5C(92)
bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x7F0A(32522)
C0020400 03FA0400 00400000 5C000000 00110504 02000040 00000000 7F0A2000
--More-- destmac E0.5F.B9.4D.53.80, srcmac 00.23.9C.9B.4C.82, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 74, identifier 11210
df 1, mf 0, fo 0, ttl 243, src 107.236.202.44, dst 121.218.207.39
udp src 40966, dst 53 len 54 checksum 0xC61C
None of the IPs belong to the router.
So is it safe to block this port number in the CoPP policy?
Thanks!
Regards,
Rex
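As an added example (not code from the thread or from Cisco): a small parser for the debug netdr dump layout quoted above that tallies captured packets by destination class (router-owned, 240.0.0.0/4, or transit) and L4 destination port, which is the check Rex is doing by eye when he says none of the IPs belong to the router. The router address set and the third record (a 248.211.5.7 destination) are constructed assumptions.

```python
import re
import ipaddress
from collections import Counter
# Constructed sample in the layout of the "debug netdr capture rx" dumps quoted in the thread
# (first two records from the thread, third constructed with a 240/4 destination).
SAMPLE = """\
------- dump of incoming inband packet -------
interface Te1/1, routine process_rx_packet_inline, timestamp 18:10:35.995
--More-- protocol ip: version 0x04, hlen 0x05, tos 0x1A, totlen 44, identifier 29912
df 1, mf 0, fo 0, ttl 58, src 188.165.15.97, dst 101.52.224.171
tcp src 25481, dst 80, seq 3954921222, ack 0, win 29200 off 6 checksum 0x72D3 syn
------- dump of incoming inband packet -------
df 1, mf 0, fo 0, ttl 243, src 107.236.202.44, dst 121.218.207.39
udp src 40966, dst 53 len 54 checksum 0xC61C
------- dump of incoming inband packet -------
df 0, mf 0, fo 0, ttl 120, src 203.0.113.9, dst 248.211.5.7
udp src 5555, dst 53 len 40 checksum 0x0000
"""
RECORD_SEP = "------- dump of incoming inband packet -------"
IP_RE = re.compile(r"src (\d+\.\d+\.\d+\.\d+), dst (\d+\.\d+\.\d+\.\d+)")
L4_RE = re.compile(r"^(tcp|udp) src (\d+), dst (\d+)")
CLASS_E = ipaddress.ip_network("240.0.0.0/4")
ROUTER_ADDRS = {ipaddress.ip_address("192.0.2.1")}  # constructed: the router's own addresses

def parse_netdr(text):
    # Yield one dict per record: src, dst, proto, dport (None when a field is absent).
    for chunk in text.split(RECORD_SEP)[1:]:
        pkt = {"src": None, "dst": None, "proto": None, "dport": None}
        for line in chunk.splitlines():
            line = line.replace("--More-- ", "").strip()   # drop pager residue
            if m := IP_RE.search(line):
                pkt["src"], pkt["dst"] = m.groups()
            elif m := L4_RE.match(line):
                pkt["proto"], pkt["dport"] = m.group(1), int(m.group(3))
        if pkt["dst"]:
            yield pkt

def classify_dst(dst, router_addrs=ROUTER_ADDRS):
    ip = ipaddress.ip_address(dst)
    if ip in router_addrs:
        return "to-router"   # genuine control-plane traffic
    if ip in CLASS_E:
        return "class-e"     # 240.0.0.0/4 has a CEF 'drop' entry, so it is not forwarded in hardware
    return "transit"         # neither ours nor reserved: should be hardware-switched, not punted

def summarize(text=SAMPLE, router_addrs=ROUTER_ADDRS):
    # Count captured packets by (destination class, L4 protocol, destination port).
    counts = Counter()
    for p in parse_netdr(text):
        counts[(classify_dst(p["dst"], router_addrs), p["proto"], p["dport"])] += 1
    return counts
```

Run against a full capture, a large "transit" bucket tells you the CPU is seeing traffic that should never have left the hardware path, independent of whether port 53 is involved.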
02-28-2016 11:08 AM
Sounds a bit like a DNS amplification attack ...
03-01-2016 08:10 PM
Dear Philip,
I can't confirm, as it's always a different source IP address and destination IP address, and when the CPU is normal I can also see many packets to the CPU with dst port 53, so I am afraid it may be legitimate traffic; meanwhile I also found many packets to dst port 80.
And I have found something weird below; could you please help to check it?
When someone tries to ping our router's IP, there are always drops within 100 packets.
But I have checked the CoPP rate below and only see a 5 minute offered rate of 85000 bps,
so how is it possible to see a drop rate of 1000 bps? As you can see, the control plane cir is set to 1000000 bps, quite far from 85000 bps.
Software Counters:
Class-map: copp-normal (match-all)
993245883 packets, 98458509756 bytes
5 minute offered rate 85000 bps, drop rate 1000 bps
Match: access-group 123
police:
cir 1000000 bps, bc 1000 bytes, be 4470 bytes
conformed 988045309 packets, 97060624400 bytes; actions:
transmit
exceeded 5170528 packets, 1383174147 bytes; actions:
drop
violated 31587 packets, 14862358 bytes; actions:
drop
conformed 84000 bps, exceed 1000 bps, violate 0000 bps
Thanks!
Regards,
Rex
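Why a 5 minute offered rate far below cir can still show exceed drops, as an added example (not from the thread or from Cisco): a simplified token-bucket model of the single-rate policer in the CoPP output above, fed with the thread's cir/bc/be values and constructed packet arrivals. It assumes RFC 2697 srTCM semantics, which is a model for reasoning about the counters, not a statement about the 7600's hardware policer.

```python
# Simplified single-rate three-colour policer (RFC 2697 style): a conform bucket of bc bytes
# and an exceed bucket of be bytes, both refilled from cir. Model only, not the 7600 ASIC.
def police_srtcm(packets, cir_bps=1000000, bc_bytes=1000, be_bytes=4470):
    # packets: list of (arrival_time_s, size_bytes) in arrival order. Returns per-colour counts.
    c_tokens, e_tokens = float(bc_bytes), float(be_bytes)   # both buckets start full
    last_t = packets[0][0] if packets else 0.0
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for t, size in packets:
        # refill the conform bucket at cir; any overflow spills into the exceed bucket
        c_tokens += (t - last_t) * cir_bps / 8.0
        last_t = t
        if c_tokens > bc_bytes:
            e_tokens = min(float(be_bytes), e_tokens + c_tokens - bc_bytes)
            c_tokens = float(bc_bytes)
        if size <= c_tokens:
            c_tokens -= size
            counts["conform"] += 1          # action: transmit
        elif size <= e_tokens:
            e_tokens -= size
            counts["exceed"] += 1           # action: drop (as in the thread's policy)
        else:
            counts["violate"] += 1          # action: drop
    return counts

def offered_rate_bps(packets, window_s=300.0):
    # Average offered rate over a window, like the '5 minute offered rate' counter.
    return sum(size for _, size in packets) * 8.0 / window_s

def burst(t, n, size=100):
    # n packets of the same size arriving back-to-back at time t (constructed input)
    return [(t, size)] * n

# Constructed arrivals: 30 packets at t=0 and 60 packets at t=1, 100 bytes each.
SAMPLE_ARRIVALS = burst(0.0, 30) + burst(1.0, 60)
```

With bc at 1000 bytes only ten 100-byte packets conform back-to-back; the rest of each burst lands in exceed or violate and is dropped, while the 5 minute average stays in the hundreds of bps.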
02-26-2016 12:49 AM
Hi Philip,
After running the command below, it didn't show me any false, so it seems we didn't run out of hardware CEF resources.
show mls cef exception status
Total CEF switched packets: 0000000012906174
Total CEF switched bytes: 0000000890525984
Regards,
Rex