[c-nsp] Broadcast storm control

Phil Mayers p.mayers at imperial.ac.uk
Fri Nov 9 13:20:09 EST 2007


On Fri, 2007-11-09 at 13:44 +0100, Daniel Dib wrote:
> Quoting Saku Ytti <saku+cisco-nsp at ytti.fi>:
> 
> > On (2007-11-08 10:18 +0000), Phil Mayers wrote:
> >
> >> mls qos protocol arp police 10 pps per-mac
> >>
> >> A single host can kick out thousands of ARP requests/sec and thus
> >> trigger the rate limiter which then stops all ARP requests on all
> >> interfaces :o(
> >
> > Indeed, essentially you just ask box to fall over earlier. Other
> > bit silly toggles are box wide unknown unicast rate-limiter (PFC3C)
> > and most silly of them all CEF receive rate-limiter.
> >
> > --
> >  ++ytti
> 
> This is true that it would be a nice feature. Essentially a degraded 
> service is better than no service at all. Sure you will drop some valid 
> packets but some will also go through. If you don't use it the whole 
> router will be inaccessible which is worse from my point of view.
> 
> I don't know your topology but I'm not sure why you would want to 
> connect customers directly to a 7600? Why not put a router or l3-device 
> in between, then broadcasts will be filtered anyway.

That seems like it would be helpful in a few topologies, but it would be
absolute MADNESS in ours.

3x 6500s in a triangle linked by 2x 10gig port trunks, each subnet
routed on 2 of the 3 and HSRP-protected, each wiring closet linked by
gigE to the 2, ~500 SVIs, ~400 gigE uplinks, MPLS for VRFs, multicast
and various wire-rate ACLs and QoS features.

So, when *one* client on a subnet kicks out a few thousand ARP requests
a second, the RP becomes heavily loaded and blocks service for all other
clients on all the (several hundred) other SVIs.

The router continues to function - traffic is forwarded in hardware and
the CPU priority mechanisms seem perfectly able to keep OSPF/LDP/BGP up
and running - but it can't answer ARPs any more.

A box-global "slow down ARP" just makes it stop earlier.

A per-IP "slow down ARP" solves the problem.

Littering crappy, overpriced 7200s around the place does not solve the
problem.
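As an added illustration of the point made above (example code, not part of the thread or of any Cisco feature), the script below does two things on a constructed tcpdump-style ARP capture: it finds the sender whose per-second ARP request rate stands out, and it models the two policing strategies under discussion. The box-wide policer is approximated as proportional sharing of one rate budget across all senders; the per-source policer caps each sender independently. The capture lines, addresses, the 1000 pps budget and the 100 pps detection threshold are all assumptions chosen for the example.

```python
"""ARP top-talker detection and box-wide vs per-source policer comparison.

Added example (not from the cisco-nsp thread). The capture is constructed
inline: a handful of well-behaved hosts at 1 request/sec and one host
sending 3000 requests/sec, in tcpdump-style ARP request lines.
"""
import re
from collections import Counter, defaultdict

# tcpdump-style line: "13:20:09.000123 ARP, Request who-has A tell B, length 28"
ARP_REQ = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ ARP, Request who-has (\S+) tell (\S+),")


def constructed_capture(seconds=3, good_hosts=5, bad_pps=3000):
    """Build sample lines: good hosts send 1 ARP/sec, 10.0.9.200 floods."""
    lines = []
    for sec in range(seconds):
        for i in range(good_hosts):
            lines.append(
                f"13:20:0{sec}.{i:06d} ARP, Request who-has 10.0.{i}.1 "
                f"tell 10.0.{i}.{20 + sec}, length 28"
            )
        for n in range(bad_pps):
            lines.append(
                f"13:20:0{sec}.{n:06d} ARP, Request who-has 10.0.9.{n % 250 + 1} "
                f"tell 10.0.9.200, length 28"
            )
    return lines


def arp_request_rates(lines):
    """Peak ARP requests per second, keyed by the 'tell' (sender) address."""
    per_second = Counter()
    for line in lines:
        m = ARP_REQ.match(line)
        if not m:
            continue  # skip replies and non-ARP lines
        second, _target, sender = m.groups()
        per_second[(sender, second)] += 1
    peak = defaultdict(int)
    for (sender, second), n in per_second.items():
        peak[sender] = max(peak[sender], n)
    return dict(peak)


def arp_offenders(lines, threshold_pps=100):
    """Senders whose peak rate exceeds the (assumed) threshold."""
    return sorted(s for s, pps in arp_request_rates(lines).items() if pps > threshold_pps)


def police_global(load, rate_pps):
    """One box-wide budget shared by everyone: each sender keeps only its
    proportional share once the aggregate exceeds the rate (FIFO model)."""
    total = sum(load.values())
    share = min(1.0, rate_pps / total) if total else 1.0
    return {src: pps * share for src, pps in load.items()}


def police_per_source(load, rate_pps):
    """Independent budget per sender: a flooding host only throttles itself."""
    return {src: min(pps, rate_pps) for src, pps in load.items()}


def legit_delivery_ratio(load, passed, offenders):
    """Fraction of the well-behaved hosts' ARP requests that get through."""
    legit_offered = sum(p for s, p in load.items() if s not in offenders)
    legit_passed = sum(p for s, p in passed.items() if s not in offenders)
    return legit_passed / legit_offered


def compare(lines, rate_pps=1000, threshold_pps=100):
    """Legitimate-ARP delivery ratio under each policing strategy."""
    load = arp_request_rates(lines)
    offenders = set(arp_offenders(lines, threshold_pps))
    return {
        "offenders": sorted(offenders),
        "global": legit_delivery_ratio(load, police_global(load, rate_pps), offenders),
        "per_source": legit_delivery_ratio(load, police_per_source(load, rate_pps), offenders),
    }


if __name__ == "__main__":
    result = compare(constructed_capture())
    print(f"offenders:           {result['offenders']}")
    print(f"box-wide policer:    {result['global']:.0%} of legitimate ARP delivered")
    print(f"per-source policer:  {result['per_source']:.0%} of legitimate ARP delivered")
```

With the constructed capture, the box-wide policer lets only about a third of the well-behaved hosts' ARP requests through (the flooder eats the shared budget), while the per-source policer delivers all of them and throttles only the offender. The same `arp_request_rates` pass works on real `tcpdump -n arp` output if the line format matches the regex.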
