RES: [c-nsp] Limiting number of ARP entries for 802.1q subinterfaces
Murilo Antonio Pugliese
mpugliese at diveo.net.br
Thu Sep 15 11:19:47 EDT 2005
This subject wasn't posted by myself, but maybe to avoid excessive MAC flooding
that would act as a DDoS attack against a router's capacity to handle it.
It may be feasible if you consider a router/LC/controller/PA or whatever that would
aggregate a large number of 802.1q subinterfaces, each one delivered to a different
LAN with who knows how many hosts.
-----Original Message-----
From: oboehmer at cisco.com [mailto:oboehmer at cisco.com]
Sent: Thursday, September 15, 2005 12:01
To: Murilo Antonio Pugliese; rubensk at gmail.com; Marko Milivojevic
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Limiting number of ARP entries for 802.1q
subinterfaces
I'm not really sure if the previous suggestions address your issue. You
don't want to limit the number of mac-addresses learned over a given
switchport, but you want to limit the number of ARP entries resolved via
ARP on a routed/L3 interface.
I don't know of any (Rodney?), but which problem are you trying to
solve?
One obvious solution would be to use smaller networks (a /24 on the
interface can have at most 253 ARP entries, so you have a natural limit)
;-)
oli
Murilo Antonio Pugliese <> wrote on Thursday, September 15, 2005 4:39
PM:
> Ok, so it's feasible to limit the amount of learned MAC addresses
> on an L3 802.1q subinterface of a 7600 Series Router.
>
> And so, are you guys confident that this functionality cannot be
> achieved on a 7500 Series Router?
>
>
> -----Original Message-----
> From: Rubens Kuhl Jr. [mailto:rubensk at gmail.com]
> Sent: Thursday, September 15, 2005 11:08
> To: Marko Milivojevic
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Limiting number of ARP entries for 802.1q
> subinterfaces
>
>
> I would add
> switchport port-security violation restrict
>
> 'shutdown' action is probably unwanted.
>
> Also of notice is a possible bug with IPv6 router discovery MACs that
> somehow got into port-security static MAC table. Disabling IPv6
> provided a workaround.
>
>
> Rubens
>
> On 9/15/05, Marko Milivojevic <markom at pangalactic.net> wrote:
>>
>> It may not work in your environment (definitely won't work
>> for 7500), but 7600 is essentially a switch. Being that, it allows
>> you to do:
>>
>> int fa0/1
>> switchport
>> switchport trunk encapsulation dot1q
>> switchport mode trunk
>> switchport trunk allowed vlan 200
>> switchport port-security
>> ! this is from the head -- check syntax
>> switchport port-security maximum 50 vlan 200
>> !
>> interface vlan200
>> ip address ...
>> !
>>
>> The configuration above will effectively limit the number of
>> learned MAC addresses in VLAN 200 on interface Fa0/1, while still
>> providing L3 "termination".
>>
>> Marko.
>>
>> Everton da Silva Marques wrote:
>>> Is there an option to limit the maximum
>>> number of MAC addresses that a 7500/7600
>>> router is willing to learn for one L3
>>> 802.1q subinterface? Something like:
>>>
>>> interface FastEthernet0/1.200
>>> encapsulation dot1q 200
>>> ip arp cache maximum-mac-addresses 50
>>>
>>> Otherwise, would anyone suggest another
>>> way to create a similar, per-VLAN limit
>>> for ARP entries?
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
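Since nobody in the thread identified a native per-subinterface ARP cap on the 7500, the practical fallback is to watch the ARP table from the outside. The following is an added example, not code from the thread or from Cisco: a small Python parser for the standard IOS "show ip arp" column layout that counts learned neighbor entries per interface (the router's own addresses, shown with Age "-", are excluded, and incomplete entries carry no interface and are skipped by default), flags interfaces over a chosen limit, and computes the "natural limit" Oli mentions for a connected prefix. The sample output and the limit of 2 are constructed for illustration; the column layout is the assumption the parser rests on.

```python
"""Per-subinterface ARP-table accounting from IOS 'show ip arp' output.

Added example (not from the original thread). It assumes the standard
IOS 'show ip arp' column layout and uses a constructed sample; it does
not talk to a device.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, not real device output.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.200.1              -   0011.2233.4455  ARPA   FastEthernet0/1.200
Internet  10.0.200.10             3   0011.2233.4456  ARPA   FastEthernet0/1.200
Internet  10.0.200.11             7   0011.2233.4457  ARPA   FastEthernet0/1.200
Internet  10.0.200.12             0   0011.2233.4458  ARPA   FastEthernet0/1.200
Internet  10.0.201.1              -   0011.2233.5566  ARPA   FastEthernet0/1.201
Internet  10.0.201.20            12   0011.2233.5567  ARPA   FastEthernet0/1.201
Internet  10.0.201.21             0   Incomplete      ARPA
"""

# Columns: Protocol, Address, Age, Hardware Addr, Type, optional Interface
# (incomplete entries have no interface column).
_ARP_ROW = re.compile(
    r"^Internet\s+(?P<addr>\S+)\s+(?P<age>\S+)\s+(?P<mac>\S+)\s+(?P<type>\S+)"
    r"(?:\s+(?P<iface>\S+))?\s*$"
)


def parse_show_ip_arp(text):
    """Return one dict per ARP row; the header and unrelated lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ARP_ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["incomplete"] = d["mac"].lower() == "incomplete"
        d["self"] = d["age"] == "-"  # the router's own address on that interface
        rows.append(d)
    return rows


def count_neighbors_per_interface(rows, include_incomplete=False):
    """Count learned neighbor entries per interface, excluding the router's own."""
    counts = defaultdict(int)
    for r in rows:
        if r["self"] or r["iface"] is None:
            continue
        if r["incomplete"] and not include_incomplete:
            continue
        counts[r["iface"]] += 1
    return dict(counts)


def interfaces_over_limit(counts, limit):
    """Interfaces whose neighbor count exceeds the chosen per-interface limit."""
    return {iface: n for iface, n in counts.items() if n > limit}


def natural_arp_limit(prefix):
    """Maximum neighbor ARP entries a connected prefix can yield: host
    addresses minus the router's own (253 for a /24). Assumes a /30 or
    shorter prefix, with network and broadcast addresses reserved."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > 30:
        raise ValueError("natural limit only defined for /30 and shorter prefixes")
    return net.num_addresses - 2 - 1


if __name__ == "__main__":
    rows = parse_show_ip_arp(SAMPLE_SHOW_IP_ARP)
    counts = count_neighbors_per_interface(rows)
    for iface, n in sorted(counts.items()):
        print(f"{iface}: {n} neighbor entries")
    print("over limit of 2:", interfaces_over_limit(counts, 2))
    print("/24 natural limit:", natural_arp_limit("10.0.200.0/24"))
```

Feed it the real command output from a poller and alert on `interfaces_over_limit`; pass `include_incomplete=True` if you also want to see a burst of unresolved entries, which is what an ARP scan of a sparsely used subnet looks like from the router's side.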