[c-nsp] Broadcast storm control
Michael Malitsky
malitsky at netabn.com
Tue Nov 6 10:05:14 EST 2007
I have some customers connected to a 6500, and already run stormcontrol
and portfast. I'll look into bpduguard as well, thanks.
However, most of my customers are connected to "router" platforms (the
one specifically affected is a 7200). As far as I know none of the
actual L2 features apply there. I tried setting up a control-plane
policy to limit the stream of ARP requests, but it looks like it just
can't drop the packets fast enough.
Michael
> Message: 2
> Date: Tue, 6 Nov 2007 04:06:57 +0200
> From: Saku Ytti <saku+cisco-nsp at ytti.fi>
> Subject: Re: [c-nsp] Broadcast storm control
> To: Michael Malitsky <malitsky at netabn.com>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <20071106020657.GB10753 at mx.ytti.net>
> Content-Type: text/plain; charset=us-ascii
>
> On (2007-11-05 18:08 -0600), Michael Malitsky wrote:
>
> > Last week one of my customers DoS'd me - they managed to create a wire
> > loop between their switches, with no STP. The resulting broadcast storm
> > killed the CPU on my access router (their default gateway). Does anyone
> > have any pointers or best practices on how I can protect the router
> > without having access to the switches beyond it?
>
> I run broadcast stormcontrol, portfast (Edge port) and bpduguard
> automatically on all edge ports. But I do not run bpdufilter,
> this way accidentally created loops should be visible by receiving
> our own BPDU back and port going to errdisable because of that, and
> all other cases, we'll have to hope that stormcontrol catches it.
> In my opinion cisco is lacking some elementary L2 security features,
> like not being able to limit MAC addresses per port, without also
> having port-security on and also ability to limit unknown
> unicast per port.
>
> --
> ++ytti
>
>
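For reference, an added configuration example (not from either poster, and not a verbatim copy of anyone's production config) showing the two controls the thread talks about: the switch-side edge-port hardening Saku describes (storm control, portfast, bpduguard, no bpdufilter), and an IOS control-plane policy of the kind Michael tried on the 7200 to rate-limit ARP. Interface names, thresholds and policer rates are assumed placeholders to be tuned per port speed and traffic profile.

```cisco
! --- Switch side (6500-class customer edge port) ---
! Interface name and thresholds are assumed placeholders.
interface GigabitEthernet1/1
 description customer edge port (assumed example)
 switchport mode access
 ! Edge port: skips STP listening/learning so it forwards immediately
 spanning-tree portfast
 ! Any BPDU received here errdisables the port. Deliberately NOT
 ! configuring "spanning-tree bpdufilter enable": with bpduguard and no
 ! filter, a customer loop that reflects our own BPDU back shuts the port.
 spanning-tree bpduguard enable
 ! Rising threshold as a percentage of port bandwidth; the shutdown
 ! action errdisables the port instead of only dropping excess frames
 ! (the shutdown action is not available on every platform/release).
 storm-control broadcast level 1.00
 storm-control action shutdown
!
! Let errdisabled ports recover without manual intervention (assumed values)
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300

! --- Router side (7200-class): control-plane policing of ARP ---
! ARP is not IP, so it is classified with "match protocol arp" rather
! than an IP ACL. Rates (bps) and bursts (bytes) are assumed placeholders.
class-map match-all COPP-ARP
 match protocol arp
!
policy-map COPP
 class COPP-ARP
  police 32000 1500 1500 conform-action transmit exceed-action drop
 class class-default
  police 1000000 31250 31250 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

The caveat Michael raises applies to the router half: on a software-forwarded platform the classification and policing happen on the same CPU the storm is exhausting, so CoPP caps the ARP rate that reaches the control-plane process but still pays per-packet cost to drop the excess. The switch-side controls are what actually stop a storm before it reaches the gateway, which is why they matter most on the ports you do control.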