[c-nsp] Unicast storms

Stephen Wilcox steve.wilcox at packetrade.com
Thu Jul 5 11:05:24 EDT 2007 

On Thu, Jul 05, 2007 at 02:44:02PM +0200, Vincent De Keyzer wrote:
> Steve, Saku,
> 
> thanks for you continued interest in my problem :)
> 
> >  I thought we were talking of non-PFC platforms but I re-read and we
> > havent established what platform it is. In which case I would be wrong.
> > 
> > And yes you can block them (port block unicast) but I'm not sure if that
> > was what Vincent wanted as he was looking at rate-limit solutions.
> > 
> > Vincent? :)
> 
> I'd better step back from the initial question, and rephrase the problem.
> 
> The problem is: I am making the assumption that network performance on the
> LAN could be sub-optimal due to frequent unicast floods (i.e. switches are
> flooding all ports with unicast frames because it does not have the
> destination MAC address in its table); and I would like to verify whether
> this is the case or not.
> 
> So before even blocking or rate-limiting, I'd like to 
> 1) assess whether those floods are happening or not

are you seeing some issue, or just looking around?

your LAN would need to be very large or very unusual for you to see this as a problem

for most networks MAC learning will occur quickly as most stations send at least *some* sort of data onto the LAN from time to time so that the switches will learn where they are

> 2) quantify them to understand whether they are at a reasonable level or not

well, if you have a device capable of packet sniffing (easy from linux, from windows you can install a number of tools) just plug in a computer thats doing nothing and sit and watch for an hour and see what turns up!

> 3) locate their source

well, the sniffer will show you.. altho not sure how interested we are in the src.. their shouldnt be devices staying silent in your network that have a lot of traffic being dumped on them - i'd be more interested in what the data is and why the machine is so silent!!

Steve

> so that I can take the required action (maybe adjusting ARP timers on
> redundant routers, rate-limiting, blocking, etc.).
> 
> Is there a way to do this? We are talking about 2970 running
> "c2970-lanbase-mz.122-25.SEB4".
> 
> Thanks for your input
> 
> Vincent
> 
> PS: what is PFC?...
>

More information about the cisco-nsp mailing list