[c-nsp] 3850 / 3650 storm control

Saku Ytti saku at ytti.fi
Wed Nov 22 13:25:13 EST 2017


Hey Scott,

In edge links, you can limit multicast and broadcast very severely.
There is very little point to limit unicast even in edge links, unless
you want to protect a firewall from some owned host sending 1.48M SYN
pps.

In core links you may not need/want to limit at all, but if you must,
it needs to be many times the edge limit, so that edge ports can't
cause DoS vector and stop ARP from working by congesting the core
broadcast limiter.


Assuming you don't actually run multicast applications and that you
don't have any esoteric LAN distribution application using broadcast,
I'd limit edge ports to 10pps for mcast and bcast each, and drop excess
(not put port down or anything). In core ports I'd limit mcast and
bcast to maybe 2000pps.


I find that often when people configure these, they configure the
limit in bps and slightly below line rate, which is nonsensical.

On 22 November 2017 at 18:13, Scott Voll <svoll.voip at gmail.com> wrote:
> So I'm green field with 3850 at the distribution layer and 3650 at the
> access layer.
>
> Since I don't have anything to start with, what would be safe storm control
> limits to start with on each platform for Broadcast, multicast, and
> Unicast?
>
> Mgig to the edge, 20gig to the distribution, and 160 gig to the core.
>
> TIA
>
> Scott



-- 
  ++ytti
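
An added worked check of the numbers in the message above (not part of the original post or of any vendor tooling): it converts a limit set as a share of line rate into worst-case packets per second, and counts how many capped edge ports it takes to use up a core limiter. The 1 Gb/s link speed (where minimum-size frames arrive at about 1.48M pps), the 95% threshold, the 48-port count and the port names are assumptions chosen for illustration.

```python
# Added example (not from the original post): storm-control limits compared in pps.
# Port names and the sample plan below are constructed for illustration.

# Smallest Ethernet frame on the wire: 64 B frame + 8 B preamble/SFD + 12 B gap.
MIN_FRAME_WIRE_BITS = (64 + 8 + 12) * 8


def max_pps(link_bps):
    """Worst-case frame rate of a link: back-to-back minimum-size frames."""
    return link_bps // MIN_FRAME_WIRE_BITS


def percent_limit_as_pps(link_bps, percent):
    """Small-frame pps that still passes a limiter set as a share of line rate."""
    return max_pps(link_bps * percent // 100)


def edge_ports_to_fill_core(edge_pps, core_pps):
    """Edge ports that must all sit at their cap to use up the core limiter."""
    return -(-core_pps // edge_pps)  # ceiling division


def review(plan):
    """Return (port, finding) tuples for limits that do not bound a storm."""
    findings = []
    for port, cfg in plan["ports"].items():
        if cfg["unit"] == "percent":
            pps = percent_limit_as_pps(cfg["link_bps"], cfg["value"])
            findings.append((port, f"{cfg['value']}% of line rate admits {pps} pps"))
    needed = edge_ports_to_fill_core(plan["edge_pps"], plan["core_pps"])
    if plan["edge_ports_behind_core"] >= needed:
        findings.append(("core", f"{needed} capped edge ports fill the core limiter"))
    return findings


SAMPLE_PLAN = {  # constructed sample, not taken from the thread
    "edge_pps": 10, "core_pps": 2000, "edge_ports_behind_core": 48,
    "ports": {
        "edge-a": {"unit": "pps", "value": 10, "link_bps": 10**9},
        "edge-b": {"unit": "percent", "value": 95, "link_bps": 10**9},
    },
}

if __name__ == "__main__":
    print(max_pps(10**9))  # 1 Gb/s of minimum-size frames
    for port, finding in review(SAMPLE_PLAN):
        print(port, finding)
```
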

