[c-nsp] Broadcast storm control

Michael Malitsky malitsky at netabn.com
Tue Nov 6 10:05:14 EST 2007


I have some customers connected to a 6500, and already run stormcontrol
and portfast.  I'll look into bpduguard as well, thanks.

However, most of my customers are connected to "router" platforms (the
one specifically affected is a 7200).  As far as I know none of the
actual L2 features apply there.  I tried setting up a control-plane
policy to limit the stream of ARP requests, but it looks like it just
can't drop the packets fast enough.

Michael

> Message: 2
> Date: Tue, 6 Nov 2007 04:06:57 +0200
> From: Saku Ytti <saku+cisco-nsp at ytti.fi>
> Subject: Re: [c-nsp] Broadcast storm control
> To: Michael Malitsky <malitsky at netabn.com>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <20071106020657.GB10753 at mx.ytti.net>
> Content-Type: text/plain; charset=us-ascii
> 
> On (2007-11-05 18:08 -0600), Michael Malitsky wrote:
> 
> > Last week one of my customers DoS'd me - they managed to create a wire
> > loop between their switches, with no STP.  The resulting broadcast storm
> > killed the CPU on my access router (their default gateway).  Does anyone
> > have any pointers or best practices on how I can protect the router
> > without having access to the switches beyond it?
> 
> I run broadcast stormcontrol, portfast (Edge port) and bpduguard
> automatically on all edge ports. But I do not run bpdufilter,
> this way accidentally created loops should be visible by receiving
> our own BPDU back and the port going to errdisable because of that, and
> in all other cases, we'll have to hope that stormcontrol catches it.
> In my opinion Cisco is lacking some elementary L2 security features,
> like not being able to limit MAC addresses per port without also
> having port-security on, and also the ability to limit unknown
> unicast per port.
> 
> -- 
>   ++ytti
> 
> 
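The two approaches discussed in this thread, the edge-port hardening from the quoted reply and the ARP control-plane policer Michael tried on the 7200, side by side as an added IOS configuration example. This is not configuration from either poster; the interface name, the storm-control thresholds, the class/policy names and the policer rates are assumed values for illustration and need tuning for the actual link.

```cisco
! Added example, not from the thread. Interface name, thresholds and
! policer rates are assumed values.
!
! --- 6500 edge port: the practice described in the quoted reply ---
interface GigabitEthernet1/1
 description customer edge port (assumed name)
 switchport
 switchport mode access
 ! drop broadcast/multicast once it exceeds 1% of link bandwidth in the
 ! sampling interval; shut the port instead of just dropping if preferred
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
 ! edge port: skip listening/learning, but keep sending and receiving BPDUs
 spanning-tree portfast
 ! our own BPDU returning on an edge port means a loop behind the customer:
 ! errdisable the port
 spanning-tree bpduguard enable
 ! deliberately no "spanning-tree bpdufilter enable", so loops stay detectable
!
! --- 7200 (router platform, no storm-control): police ARP punted to the CPU ---
class-map match-any COPP-ARP
 match protocol arp
!
policy-map COPP
 class COPP-ARP
  ! 64 kbit/s with an 8000-byte burst (assumed values)
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

The caveat that matches what Michael observed: on a software-forwarding platform such as the 7200, CoPP classifies each packet only after it has already been punted to the route processor, so every storm packet still costs CPU cycles before the policer drops it. The policer keeps the control plane from being starved by a moderate flood, but it cannot by itself protect the box from a full wire-speed broadcast storm; that has to be stopped at the L2 edge, which is why the switch-side storm-control and bpduguard are the real fix.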
