[c-nsp] Broadcast storm control

Church, Charles cchurc05 at harris.com
Tue Nov 6 13:02:42 EST 2007


Well, the good part is that the customers network being unusable took
away any heat from your device being unusable.  Unless of course you had
multiple customers off that one router.  You could front-end the router
with a hardware L3 switch (3550 or so) that can police stuff at
wire-rate.  That should save you.  I don't think anything on the
software-based router can itself. 

Chuck 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky
Sent: Tuesday, November 06, 2007 10:05 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Broadcast storm control


I have some customers connected to a 6500, and already run stormcontrol
and portfast.  I'll look into bpduguard as well, thanks.

However, most of my customers are connected to "router" platforms (the
one specifically affected is a 7200).  As far as I know none of the
actual L2 features apply there.  I tried setting up a control-plane
policy to limit the stream of ARP requests, but it looks like it just
can't drop the packets fast enough.

Michael

> Message: 2
> Date: Tue, 6 Nov 2007 04:06:57 +0200
> From: Saku Ytti <saku+cisco-nsp at ytti.fi>
> Subject: Re: [c-nsp] Broadcast storm control
> To: Michael Malitsky <malitsky at netabn.com>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <20071106020657.GB10753 at mx.ytti.net>
> Content-Type: text/plain; charset=us-ascii
> 
> On (2007-11-05 18:08 -0600), Michael Malitsky wrote:
> 
> > Last week one of my customers DoS'd me - they managed to create a wire
> > loop between their switches, with no STP.  The resulting broadcast storm
> > killed the CPU on my access router (their default gateway).  Does anyone
> > have any pointers or best practices on how I can protect the router
> > without having access to the switches beyond it?
> 
> I run broadcast stormcontrol, portfast (Edge port) and bpduguard
> automatically on in all edge ports. But I do not run bpdufilter,
> this way accidentally created loops should be visible by receiving
> our own BPDU back and port going to errdisable because of that, and
> all other cases, we'll have to hope that stormcontrol catches it.
> In my opinion cisco is lacking some elementary L2 security features,
> like not being able to limit MAC addresses per port, without also
> having port-security on and also ability to limit unknown
> unicast per port.
> 
> -- 
>   ++ytti
> 
> 
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
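The edge-port protections Saku describes (storm-control, portfast edge, bpduguard on, bpdufilter off), written out as an added IOS interface configuration for the L2 switch in front of the router; this is an editor's example, not configuration posted by anyone in the thread, and the interface name, storm-control threshold and recovery interval are assumptions.

```ios
! Weak edge port: a customer-side wire loop with no STP floods this port
! and the broadcast storm reaches the default gateway unchecked.
interface GigabitEthernet0/1
 description customer-A (unprotected, for comparison)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable   ! hides our own BPDU coming back: loop stays invisible
!
! Hardened edge port, matching the thread: storm-control so a flood is
! rate-limited in hardware, portfast edge, bpduguard so that a looped
! BPDU errdisables the port, and NO bpdufilter so that BPDU is seen.
interface GigabitEthernet0/2
 description customer-B (protected)
 switchport mode access
 storm-control broadcast level 1.00    ! assumed threshold: 1% of link bandwidth
 storm-control multicast level 1.00
 storm-control action shutdown          ! errdisable instead of just dropping
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: bring errdisabled ports back automatically after an assumed
! 300 seconds so a transient customer loop does not need manual clearing.
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300
```

To confirm the settings took effect, `show storm-control` and `show spanning-tree interface GigabitEthernet0/2 detail` list the threshold and the portfast/bpduguard state per port.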