[c-nsp] Rate limiting questions

Ian Cox icox at cisco.com
Sun Oct 28 13:14:18 EDT 2007 

At 10:39 PM 10/26/2007 -0500, Justin Shore wrote:
>Ian Cox wrote:
>
>>What exactly do you mean by not route traffic? HSRP on the standby 
>>does not route traffic for the HSRP vmac, it drops the traffic on 
>>the floor. If it did not do this when you have a unicast flood 
>>packet both switches would forward the packet and have duplicate 
>>packets. Then you have the case of the end station using the real 
>>interface of the standby router instead of the vmac and that still 
>>a valid requirement to need to forward frames.
>
>Ian,
>
>The standby router won't route for the vmac but it will route 
>traffic per it's RIB that's directed to the standby's interface IP.

I know that :)  The reason that is there is sometimes downstreams are 
configured to point at an interface address or there are some VoIP 
gateways that ping the physical addresses on the HSRP routers for 
active / standby failover. There are a lot of strange things people do.

>  I tested it this evening on my way home.  I hardcoded my gateway 
> to be the interface IP on the standby router.  My outbound traffic 
> flowed through the standby and my inbound flowed through the 
> active, thus subverting the specific rate-limit I intended to 
> impose on legit traffic.

All you can do in this case is place the same rate limit on both 
routers, and hope the customer does the right thing, and reconcile 
the policer counts for how much traffic. They can send 2x traffic but 
at least you know they are sending at most 2x the traffic across the links.

>I'm specifically talking about upstream traffic from the client, not 
>downstream from the HSRP routers.  Downstream will always flow out 
>the active as expected.  I probably didn't word that well in my 
>first message; does that make more sense?

There are issues in both directions, in one you have the issue of 
someone using the physical addresses of the HSRP routers rather than 
standby address, the other direction you have the multipath issues 
that the subnet looks to be equally distant from both the active and 
standby and one option to solve that is tweak the costs so standby is 
not an equal cost path, or ultimately add a feature that says, if I'm 
the standby router don't advertise this subnet to the routing 
protocol. The downside on this approach is when switchover occurs you 
then get a 2nd routing event, the first is the active  removing the 
prefix, and the 2nd would be the new active adding the prefix.


Ian

>Thanks
>  Justin

More information about the cisco-nsp mailing list