[c-nsp] recommendations for ARP CoPP

Gert Doering gert at greenie.muc.de
Tue Jan 3 15:30:52 EST 2006


Hi,

today we had an "accident" in one L2 network segment that's routed
via a Cat7603/Sup720 - someone managed to build a L2 loop (load
balancers are wonderful things...), and the Sup720 was hit by about
5.8 Mbit/s. (!) of ARP traffic.

The ARP traffic didn't actually harm the Sup720, but it had annoying
side effects:

 - we have control plane policing (CoPP) configured, and all "this is
   not important" traffic (class-default) is policed to 32 kbit/s.

 - ARP wasn't handled explicitly, so it ended up in class-default

 - 5.8 Mbit/s. of ARP were policed to 32 kbit/s

 - customer complained "your router is broken, when I ping it, it's
   dropping packets!" (ping from "just anywhere" is in the same class,
   and that's fine with us - they're not supposed to ping-test our
   infrastructure.  Normally, 32 kbit/s. are enough for testing, though)

 - but worse, ARP from *other* interfaces was affected, leading to 
   intermittent connectivity problems on other VLAN interfaces on the
   Sup720.  Unavoidably - if the box is rate-limiting ARP to 32 kbit 
   out of 5.8 Mbit, "good ARPs" will be dropped as well.

 - we now have a separate "class-arp" with "match-arp", which solves
   the "ARP throttling causes customer complaints about ping" issue,
   but the main "good ARP packets starvation" issue is still there.


Now, I'm wondering what a "best practice" for ARP rate-limiting on the
Sup720 is.

The goal is:

 - whatever the customers do, the box has to stay up -- so anything that
   causes CPU saturation and subsequent routing protocol keepalive issues
   is "bad".  Which is why we have CoPP in the first place (and it works
   very well - thank you, Cisco folks! - no CPU issues of any kind here)

 - but an ARP storm on one VLAN interface should not - if possible at 
   all - starve out ARP requests on *other* VLANs.

is there any way to achieve this?  

How do "you other Sup720 users" out there handle ARP and CoPP?
 
gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
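The CoPP layout described in the post above, written out as an added example (not configuration from the original message): IOS class-map/policy-map syntax for a Sup720, with ARP pulled out of class-default into its own class. The class and policy names and the 256 kbit/s ARP rate are assumptions; the 32 kbit/s class-default rate is the poster's figure.

```cisco
! Assumed names: class-arp (the post's "class-arp"), policy CoPP.
! "match protocol arp" is the IOS form of what the post calls "match-arp".
class-map match-all class-arp
 match protocol arp
!
policy-map CoPP
 ! ARP gets its own bucket so an ARP storm no longer competes with
 ! ping and other class-default traffic. 256000 bps is an assumed value,
 ! not one from the post; it is still one shared bucket for all VLANs.
 class class-arp
  police 256000 8000 conform-action transmit exceed-action drop
 ! Everything else, including ping "from just anywhere": 32 kbit/s as in the post.
 class class-default
  police 32000 1500 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP
```

`show policy-map control-plane` reports per-class conform/exceed counters, which is where the "good ARP" drops described in the post become visible: exceed counts on class-arp during a storm on one VLAN mean ARP from the other VLANs is being dropped too, since this per-box policer has no per-interface state.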

