[c-nsp] Unicast storms
Vincent De Keyzer
vincent at autempspourmoi.be
Tue Jul 3 08:49:14 EDT 2007

Basically I have two answers now:

1. Eric points me to asymmetric traffic/routing and MAC/ARP timeouts
2. Stephen says "unicast storm-control" does not work properly by design (or
   because of Microsoft, depending on which side you are on :)

Now, if anybody has successfully implemented "unicast storm-control", and
only sees a few breaches from time to time, I'd be interested to hear this.

In the meanwhile, I'll investigate Eric's track, and let you know (might
eventually open a case at TAC with this).

Thanks

Vincent

> If you have HSRP enabled on layer-3 switches, make sure that the
> mac-address-table aging-time is set to 14400 seconds or better so that
> it will not age out before the ARP entry for any given host.
>
> The problem with HSRP is that both the standby and active router can
> forward traffic into the VLAN, but only the HSRP active receives the
> return traffic. There are many configurations where the only unicast
> traffic (which is required to populate the mac-address-table) the HSRP
> standby will receive from a host is the direct response to an ARP
> request every 4 hours. With the default mac-aging time of 300 seconds,
> that means that your HSRP standby switch/router would potentially only
> have a valid layer-2 forwarding interface defined for 5 minutes after an
> ARP is completed to the host. After 5 minutes, the router still
> maintains the ARP entry so it knows which MAC to address the traffic to,
> but when it gets sent to the layer-2 portion of the switch the
> mac-address-table interface mapping is gone so the switch is forced to
> flood the frame out to all interfaces on the VLAN. This flooding will
> continue for the next 3 hours and 55 minutes until the HSRP standby
> router issues another ARP request for the host.
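
A check for the condition described in the quoted reply above, as an added example that is not part of the original post: it lists hosts that still have an ARP entry but no MAC-table entry in the same VLAN, which are the destinations whose frames get flooded. The sample command output is constructed, and the column layouts assumed are those of IOS `show ip arp` and `show mac address-table`.

```python
import re

# Constructed sample output (not from the original thread), in the usual
# IOS "show ip arp" / "show mac address-table" column layouts.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.20.1              -   0000.0c07.ac14  ARPA   Vlan20
Internet  10.10.20.11            12   0011.2233.4401  ARPA   Vlan20
Internet  10.10.20.12           187   0011.2233.4402  ARPA   Vlan20
Internet  10.10.20.13             3   0011.2233.4403  ARPA   Vlan20
Internet  10.10.30.5             45   0011.2233.4405  ARPA   Vlan30
"""
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4401    DYNAMIC     Gi1/0/1
  20    0011.2233.4403    DYNAMIC     Gi1/0/7
  30    0011.2233.44ff    DYNAMIC     Gi1/0/9
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(rf"^Internet\s+(\S+)\s+(\d+|-)\s+({MAC})\s+ARPA\s+Vlan(\d+)[ \t]*$", re.I | re.M)
CAM_RE = re.compile(rf"^[ \t]*(\d+)\s+({MAC})\s+\S+\s+\S+[ \t]*$", re.I | re.M)

def flood_candidates(arp_text, mac_text):
    """Return (vlan, ip, mac, arp_age_min) for ARP entries with no matching
    MAC-table entry in the same VLAN, oldest ARP entry first."""
    learned = {(int(v), m.lower()) for v, m in CAM_RE.findall(mac_text)}
    out = []
    for ip, age, mac, vlan in ARP_RE.findall(arp_text):
        if age == "-":  # the device's own or virtual address, never learned
            continue
        if (int(vlan), mac.lower()) not in learned:
            out.append((int(vlan), ip, mac.lower(), int(age)))
    return sorted(out, key=lambda r: -r[3])

def aging_gap_seconds(arp_timeout_s=14400, mac_aging_s=300):
    """Worst-case flood window per ARP cycle; defaults are the values quoted above."""
    return max(0, arp_timeout_s - mac_aging_s)

if __name__ == "__main__":
    for vlan, ip, mac, age in flood_candidates(SHOW_IP_ARP, SHOW_MAC_TABLE):
        print(f"Vlan{vlan} {ip} {mac} ARP age {age} min: no MAC-table entry, frames will flood")
    print("worst-case flood window:", aging_gap_seconds(), "s")
```

Run against output captured from the HSRP standby; with the MAC aging time raised to 14400 seconds, `aging_gap_seconds(14400, 14400)` returns 0.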