[c-nsp] Unicast storms

Saku Ytti saku+cisco-nsp at ytti.fi
Thu Jul 5 10:28:30 EDT 2007


On (2007-07-05 14:44 +0200), Vincent De Keyzer wrote:
 
> The problem is: I am making the assumption that network performance on the
> LAN could be sub-optimal due to frequent unicast floods (i.e. switches are
> flooding all ports with unicast frames because they do not have the
> destination MAC address in their table); and I would like to verify whether
> this is the case or not.
>
> So before even blocking or rate-limiting, I'd like to 
> 1) assess whether those floods are happening or not
> 2) quantify them to understand whether they are at a reasonable level or not
> 3) locate their source
> 
> so that I can take the required action (maybe adjusting ARP timers on
> redundant routers, rate-limiting, blocking, etc.).

Make a trunk (tagged) port where you have the monitor PC and SPAN all
traffic to it; as it doesn't have anything it should receive, it'll
only receive broadcast and flooded traffic, then you can
use tshark/tcpdump to ditch the broadcast and check only the flooded
unicast.

Depending on your application there are various ways to solve
issues that might occur, but I agree it would still be good
to have an unknown-unicast rate-limit per port, but that's not
possible in any Cisco gear. However, I can offer these
suggestions:

1) you operate the L3 and L2
    - match the MAC and ARP timeouts
2) you operate the L2, L3 is customers needing to reach
   your termination router.
    - make a MAC ACL to only allow packets towards e.g. the VRRP
      address of your termination.
3) you operate the L2, you have L2 customers connected there
    - ouch, not much Cisco offers here: you can't limit
      MAC addresses (without using port-security), you can't
      rate-limit unknown unicast (per port). Perhaps investigate
      if customers are happy with L2 not forwarding unknown
      unicasts at all (quite acceptable if each node talks
      to the network every MAC timeout)

> Is there a way to do this? We are talking about 2970 running
> "c2970-lanbase-mz.122-25.SEB4".

SPAN (== port monitor), blocking unknown unicast and MAC ACLs all
work.

Thanks,
-- 
  ++ytti
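The triage Saku describes (capture on a port that should receive nothing of its own, throw away broadcast/multicast, keep only the unicast the switch had to flood, then count it per VLAN and source MAC to quantify and locate it) can be done offline on a capture. The script below is an added example and is not part of the original post or of any Cisco tool; it assumes the monitor PC's NIC MAC is 00:11:22:33:44:55 and operates on a constructed set of raw Ethernet frames (tagged and untagged) standing in for what tcpdump would hand you from the trunk port. The frame builder, sample capture and counters are all illustrative.

```python
"""Classify frames captured on a trunk-port monitor PC into broadcast,
multicast, frames addressed to the monitor itself, and flooded unicast
(unicast the switch forwarded to a port that is not the destination).
Flooded unicast is then counted per (VLAN, source MAC) so the worst
offenders can be located.  Added example, not code from the original post."""
import struct
from collections import Counter

# Assumed MAC of the monitor PC's NIC; anything unicast that is NOT for this
# address but still arrived here was flooded by the switch.
MONITOR_MAC = "00:11:22:33:44:55"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_P_8021Q = 0x8100


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_or_None, ethertype); handles one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
    return mac_str(dst), mac_str(src), vlan, etype


def is_group_address(mac: str) -> bool:
    """I/G bit (LSB of the first octet) set => multicast or broadcast."""
    return bool(int(mac.split(":")[0], 16) & 1)


def is_flooded_unicast(dst: str, monitor_mac: str = MONITOR_MAC) -> bool:
    return not is_group_address(dst) and dst.lower() != monitor_mac.lower()


def build_frame(dst: str, src: str, vlan=None, etype=0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a raw Ethernet frame (optionally 802.1Q tagged) for testing."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)  # PCP/DEI = 0
    return hdr + struct.pack("!H", etype) + payload


def summarize(frames, monitor_mac: str = MONITOR_MAC):
    """Return (class counts, flooded-unicast count per (vlan, src mac))."""
    classes, by_src = Counter(), Counter()
    for f in frames:
        dst, src, vlan, _ = parse_frame(f)
        if is_flooded_unicast(dst, monitor_mac):
            classes["flooded_unicast"] += 1
            by_src[(vlan, src)] += 1
        elif dst == BROADCAST:
            classes["broadcast"] += 1
        elif is_group_address(dst):
            classes["multicast"] += 1
        else:
            classes["to_monitor"] += 1
    return classes, by_src


def sample_capture():
    """Constructed stand-in for a short capture off the trunk port."""
    f = []
    f += [build_frame("00:50:56:00:00:10", "aa:bb:cc:00:00:01", vlan=10)] * 3
    f += [build_frame("00:50:56:00:00:20", "aa:bb:cc:00:00:02", vlan=10)]
    f += [build_frame(BROADCAST, "aa:bb:cc:00:00:03", vlan=20, etype=0x0806)] * 2
    f += [build_frame("01:00:5e:00:00:fb", "aa:bb:cc:00:00:04", vlan=20)]
    f += [build_frame(MONITOR_MAC, "aa:bb:cc:00:00:05", vlan=10)]
    f += [build_frame("00:50:56:00:00:30", "aa:bb:cc:00:00:06")]  # untagged
    return f


if __name__ == "__main__":
    classes, by_src = summarize(sample_capture())
    print(dict(classes))
    for (vlan, src), n in by_src.most_common():
        print(f"vlan={vlan} src={src} flooded_unicast={n}")
```

To get the same cut live rather than from a file, the equivalent pcap-filter expression for the first step is `not ether broadcast and not ether multicast and not ether dst 00:11:22:33:44:55` (with `-e` so tcpdump prints the link-layer addresses and VLAN tag); divide the resulting counts by the capture duration to get a frames-per-second figure to judge against your link and host budgets. A high count from one source MAC in one VLAN usually points at a host whose destination ages out of the CAM table faster than it is relearned, which is where the ARP-versus-MAC timeout mismatch in the reply comes in.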
