[c-nsp] Rate-limiting ARPs
Mikael Abrahamsson
swmike at swm.pp.se
Wed Sep 13 07:27:08 EDT 2006
On Wed, 13 Sep 2006, Ed Butler wrote:
> The problem manifested itself last night when a server on a /24 subnet
> was subject to a DDOS of 300kpps. The server crashed, for whatever
> reason, and once the ARP entry had timed out all of the servers on that
> /24 were bombarded with traffic until we filtered the DDOS at the border
> routers.
This more likely sounds like you have a mismatch (default behaviour)
between ARP and mac-address-table timeout.
Cisco default is to ARP timeout after 4 hours, mac-address-table after 5
minutes. So when the mac-address-table times out, traffic will be flooded to
all ports. That's probably what you were seeing.
Set arp timeout to 5 minutes or turn up the mac-address-table timeout to
match the arp timeout; this should solve the scenario that's likely to
have hit you.
--
Mikael Abrahamsson email: swmike at swm.pp.se
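The timer mismatch described in the reply, as an added worked example that is not part of the original thread or anyone's posted configuration. It simulates one router, one switch and one server on a VLAN: the switch ages its MAC table independently of the router's ARP cache, so once the server stops talking, the switch forgets its port while the router keeps sending unicast to the cached MAC, and every such frame is flooded. The IP, MAC and port name are constructed; the timers are the Cisco defaults the reply cites (ARP 14400 s, MAC aging 300 s) and the two fixes it suggests.

```python
"""Simulate the ARP-timeout / MAC-aging-time mismatch on a Cisco-style VLAN.

Added example for this thread, not from the original post. One router, one
switch and one server; the server stops sending (and answering ARP) at
crash_at. Counts, per second, whether traffic to the server is forwarded to
its port, flooded as unknown unicast, or dropped on an unanswered ARP.
"""
from dataclasses import dataclass, field

SERVER_IP = "192.0.2.10"           # constructed TEST-NET-1 address
SERVER_MAC = "00:00:5e:00:53:10"   # constructed MAC
SERVER_PORT = "Gi1/0/10"           # assumed switch port name


@dataclass
class Switch:
    """Layer-2 switch: forwards to a learned port, floods unknown unicast."""
    aging: int                                   # mac-address-table aging-time (s)
    table: dict = field(default_factory=dict)    # mac -> (port, last_seen)

    def learn(self, mac: str, port: str, now: int) -> None:
        # Source-MAC learning: refreshed only when the host itself sends a frame.
        self.table[mac] = (port, now)

    def forward(self, dst_mac: str, now: int) -> str:
        entry = self.table.get(dst_mac)
        if entry is None or now - entry[1] >= self.aging:
            self.table.pop(dst_mac, None)
            return "flood"           # unknown unicast: copied to every port in the VLAN
        return "forward"


@dataclass
class Router:
    """Layer-3 hop: caches IP->MAC and re-ARPs only when its own entry expires."""
    arp_timeout: int                             # interface 'arp timeout' (s)
    arp: dict = field(default_factory=dict)      # ip -> (mac, learned_at)

    def send(self, ip: str, now: int, switch: Switch, server_alive: bool) -> str:
        entry = self.arp.get(ip)
        if entry is None or now - entry[1] >= self.arp_timeout:
            self.arp.pop(ip, None)
            if not server_alive:
                return "arp-miss"    # ARP request unanswered: packet dropped, no unicast sent
            # The ARP reply from a live server also refreshes the switch's MAC table.
            self.arp[ip] = (SERVER_MAC, now)
            switch.learn(SERVER_MAC, SERVER_PORT, now)
            entry = self.arp[ip]
        return switch.forward(entry[0], now)


def simulate(arp_timeout: int, mac_aging: int, crash_at: int, duration: int) -> dict:
    """Run `duration` seconds of one packet per second toward the server and
    return how many seconds ended in each outcome."""
    switch = Switch(aging=mac_aging)
    router = Router(arp_timeout=arp_timeout)
    counts = {"forward": 0, "flood": 0, "arp-miss": 0}
    for now in range(duration):
        alive = now < crash_at
        if alive:
            # The server's own traffic keeps its MAC-table entry fresh.
            switch.learn(SERVER_MAC, SERVER_PORT, now)
        counts[router.send(SERVER_IP, now, switch, alive)] += 1
    return counts


if __name__ == "__main__":
    print("defaults (arp 14400 / mac 300):", simulate(14400, 300, 600, 3600))
    print("arp timeout lowered to 300:    ", simulate(300, 300, 600, 3600))
    print("mac aging raised to 14400:     ", simulate(14400, 14400, 600, 3600))
```

With the defaults, the server's MAC entry ages out 300 s after its last frame but the router's ARP entry lives on, so every subsequent packet is flooded to the whole VLAN until the ARP entry expires hours later. Matching the timers either way (lowering the SVI's `arp timeout` to 300, or raising `mac address-table aging-time` to 14400) removes the window: the ARP entry now expires no later than the MAC entry, so the router re-ARPs, gets no answer, and drops instead of flooding. On IOS, `show interfaces vlan <n>` shows the current ARP timeout and `show mac address-table aging-time` the switch side, which is the first thing to check when a dead host's traffic starts hitting its neighbours.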