[c-nsp] Broadcast storm control
Phil Mayers
p.mayers at imperial.ac.uk
Fri Nov 9 13:20:09 EST 2007
On Fri, 2007-11-09 at 13:44 +0100, Daniel Dib wrote:
> Citerar Saku Ytti <saku+cisco-nsp at ytti.fi>:
>
> > On (2007-11-08 10:18 +0000), Phil Mayers wrote:
> >
> >> mls qos protocol arp police 10 pps per-mac
> >>
> >> A single host can kick out thousands of ARP requests/sec and thus
> >> trigger the rate limiter which then stops all ARP requests on all
> >> interfaces :o(
> >
> > Indeed, essentially you just ask box to fall over earlier. Other
> > bit silly toggles are box wide unknown unicast rate-limiter (PFC3C)
> > and most silly of them all CEF receive rate-limiter.
> >
> > --
> > ++ytti
>
> It is true that it would be a nice feature. Essentially a degraded
> service is better than no service at all. Sure you will drop some valid
> packets but some will also go through. If you don't use it the whole
> router will be inaccessible which is worse from my point of view.
>
> I don't know your topology but I'm not sure why you would want to
> connect customers directly to a 7600? Why not put a router or l3-device
> in between, then broadcasts will be filtered anyway.
That seems like it would be helpful in a few topologies, but it would be
absolute MADNESS in ours.
3x 6500s in a triangle linked by 2x 10gig port trunks, each subnet
routed on 2 of the 3 and HSRP-protected, each wiring closet linked by
gigE to the 2, ~500 SVIs, ~400 gigE uplinks, MPLS for VRFs, multicast
and various wire-rate ACLs and QoS features.
So, when *one* client on a subnet kicks out a few thousand ARP requests
a second, the RP becomes heavily loaded and blocks service for all other
clients on all the (several hundred) other SVIs.
The router continues to function - traffic is forwarded in hardware and
the CPU priority mechanisms seem perfectly able to keep OSPF/LDP/BGP up
and running - but it can't answer ARPs any more.
A box-global "slow down ARP" just makes it stop earlier.
A per-IP "slow down ARP" solves the problem.
Littering crappy, overpriced 7200s around the place does not solve the
problem.
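As an added illustration of the point above (example code written for this page, not from the thread or from Cisco): a small simulation of a box-wide versus a per-source ARP policer over a constructed stream in which one host floods at 2000 requests/s while two normal hosts send one request each. The 10 pps limit mirrors the figure quoted in the thread; the addresses, timings and the fixed one-second window are assumptions, and only the drop policy is modelled, not the RP load itself.

```python
# Added example (not from the cisco-nsp thread): why a box-wide ARP policer
# starves innocent hosts while a per-source policer isolates the offender.
# Addresses, timings and the fixed-window policer are constructed for the demo.
from collections import defaultdict

ARP_LIMIT_PPS = 10  # mirrors the "police 10 pps" figure quoted in the thread

def build_stream():
    """Constructed ARP request stream as (timestamp_s, sender_ip) tuples.
    10.0.0.99 floods 2000 requests/s for two seconds; 10.0.0.1 and 10.0.0.2
    each send a normal, occasional request in the same period."""
    events = [(sec + i / 2000.0, "10.0.0.99") for sec in range(2) for i in range(2000)]
    events += [(0.25, "10.0.0.1"), (0.75, "10.0.0.2"), (1.5, "10.0.0.1")]
    return sorted(events)

class WindowPolicer:
    """Fixed one-second window: the first `limit` packets seen in each whole
    second are forwarded, every further packet in that second is dropped."""
    def __init__(self, limit):
        self.limit = limit
        self.window = None
        self.count = 0

    def allow(self, t):
        sec = int(t)
        if sec != self.window:          # new second: reset the counter
            self.window, self.count = sec, 0
        self.count += 1
        return self.count <= self.limit

def police(events, per_source):
    """Return {sender_ip: (passed, dropped)} for a box-wide (per_source=False)
    or per-source (per_source=True) policer applied to the stream."""
    if per_source:
        policers = defaultdict(lambda: WindowPolicer(ARP_LIMIT_PPS))
        pick = lambda src: policers[src]    # one bucket per sender
    else:
        shared = WindowPolicer(ARP_LIMIT_PPS)
        pick = lambda src: shared           # one bucket for the whole box
    stats = defaultdict(lambda: [0, 0])
    for t, src in events:
        stats[src][0 if pick(src).allow(t) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}

if __name__ == "__main__":
    stream = build_stream()
    print("box-wide:  ", police(stream, per_source=False))
    print("per-source:", police(stream, per_source=True))
```

With the shared bucket the flooder consumes the whole 10 pps allowance within the first few milliseconds of each second, so both normal hosts lose every request; with per-source buckets the normal hosts pass untouched and only the flooder's excess is dropped.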