[c-nsp] Unicast storms

Stephen Wilcox steve.wilcox at packetrade.com
Wed Jul 4 10:44:53 EDT 2007


On Wed, Jul 04, 2007 at 04:37:11PM +0200, Vincent De Keyzer wrote:
> > Hi Vincent,
> >  I'm saying it works just fine but the implementation is sucky. I use it
> > extensively but you just need to set your thresholds pretty high to make
> > sure they aren't tripped. I also usually have it just filter rather than
> > shut the port that way it will auto-recover.
> > 
> > As to what 'pretty high' is, you will have to figure out what works for
> > you. For my customers using 10-30Mb something in the order of 10000pps is
> > plenty.
> 
> 
> Stephen,
> 
> thanks for your reply, but in the meanwhile I have understood (thanks to
> Brian) that "unicast storm-control" does not look at unicast frames with
> unknown destination address (as I initially thought), but just at *any*
> unicast frame, which is not what I want to do.
> 
> So I'm giving up trying to use this feature (which IMHO is not very
> interesting).

What are you trying to do?

By definition all unicast frames know their destination else you couldn't send them!

I take it you mean unicast frames with MAC addresses that are currently unknown to the switch on that port? In which case you can't limit it that way.. but you have two options:

1. do the above unicast storm-control - this will protect your network from any traffic flood

2. implement port security to limit the number of MACs per port - this will protect you from things like network loops causing FIB instability

Steve
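
The two options above as an interface configuration, added here as an illustration and not taken from the thread. It assumes Catalyst 3560/3750-style IOS syntax, a hypothetical access port FastEthernet0/1 and a constructed MAC limit of 5; the 10000 pps threshold is the figure quoted earlier in the thread.

```cisco
! Added example, not from the original post. Interface name and MAC limit
! are constructed; syntax assumed to be Catalyst 3560/3750-style IOS.
interface FastEthernet0/1
 description customer access port (hypothetical)
 switchport mode access
 !
 ! Option 1: unicast storm-control.
 ! Counts ALL unicast frames received on the port, not only those with a
 ! destination MAC the switch has not learned, so the threshold must sit
 ! well above the customer's normal packet rate.
 storm-control unicast level pps 10000
 ! No "storm-control action shutdown" is configured: the default action
 ! filters traffic above the threshold and the port recovers by itself
 ! once the rate drops.
 storm-control action trap
 !
 ! Option 2: port security to cap the number of source MACs per port.
 ! Port security needs a static access or trunk port, hence the
 ! "switchport mode access" above.
 switchport port-security
 switchport port-security maximum 5
 ! "restrict" drops frames from extra MACs and increments the violation
 ! counter without err-disabling the port (the default mode is shutdown).
 switchport port-security violation restrict
!
! Verification from exec mode:
!   show storm-control FastEthernet0/1 unicast
!   show port-security interface FastEthernet0/1
```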

