[c-nsp] Useful HSRP feature additions WAS:Rate limiting questions
Matt Buford
matt at overloaded.net
Wed Nov 7 19:48:43 EST 2007
> As the the other side of things, I do have a number of 2 - 4 routers
> HSRP groups where the actual routers are miles apart and usually on
> different legs of the spanning tree star. Unless I cannot do so for
> some reason (large number of very stupid clients) all of the HSRP
> speaking interfaces are running a 240 second arp timeout.
Personally, I do both. I want to avoid flushing the MAC table as much as
possible, so I set a very high timeout. My network is large DCs with
thousands of hosts - so I don't see much for temporary MACs. Any MAC on
there now is almost certain to be there for the forseeable future, so no
need to time things out much.
However, keep in mind that whenever there is a STP topology change the MAC
table is flushed. So, you need low ARP timeouts on the HSRP interfaces to
get things refreshed quick after a topology change. Also, use portfast to
minimize topology changes. Only backbone link state changes should be a
topology change - not customer host ports.
In this way, I pretty much completely avoid the issue - except immediately
after a topology change (which I work to make rare). It is not uncommon to
see hundreds of megabits of flooded unknown unicast traffic in the tagged
backbone inter-switch links in the moments after a topology change.
I played around with GLBP as an interesting workaround too. GLBP can act
like an active/active HSRP configuration, with two virtual MACs and random
responses sent to clients pointing them to one or the other. Since most
hosts (servers I mean - PIX firewalls were a notable exception) have very
short ARP timeouts, they tend to move back and forth between the two routers
regularly. As long as a MAC moves back and forth betwen the two GLBP
routers more often than the MAC timeout, the issue is avoided (until STP
topology changes come along at least). I was forced to go back to HSRP
though due to unrelated issues between GLBP and private vlans.
This is one case where Microsoft's chatty SMB broadcasts actually help too.
This issue is mostly seen on traffic destined toward "well behaved" hosts
that don't normally broadcast anything but their initial default gateway ARP
request.
More information about the cisco-nsp
mailing list