[c-nsp] Broadcast storm control

Christian Meutes christian at errxtx.net
Mon Feb 23 16:04:10 EST 2009


Hi,

--On Dienstag, November 06, 2007 11:33:20 -0600 Justin Shore
<justin at justinshore.com> wrote:

> The book discusses how to harden HSRP, VLANs, VTP and trunk ports and
> how to prevent ARP attacks, STP attacks, etc.  It has a good 802.1x
> section as well.  It's got a good amount of useful info.
>
> I think CoPP will help you out.  Identify the traffic that's causing the
> DoS right now and address it with CoPP.  There are a lot of CoPP users
> on C-NSP.  Then go back and harden the router later.

the original problem was, as far as I remember, "access switches with disabled
or not working spanning-tree created an l2-loop and flooded the PE edge port".

The sad truth is that even CoPP on the PFC won't protect from HSRP or PIM
multicast storms. Even a DHCP broadcast storm would kill the control-plane.
The problem is that CoPP limits the rate to the listening processes like
PIM, HSRP or DHCP-relay, but unfortunately a multicast/broadcast storm ends
in an interrupt load of nearly 95% and causes OSPF, BGP and other flaps in
core protocols. This is what I just figured out when someone created an
l2-loop on a pair of access switches and the connected PEs (Sup720) weren't
reachable anymore because of 98% CPU load, and OSPF, BFD and BGP went down
although CoPP and some more mls h/w rate-limiters were configured.

In the lab I found out that "mls qos protocol hsrp police" will overcome this
problem and curiously kept the interrupt load down. For PIM I tried explicitly
"mls rate-limit multicast ipv4 pim" with the same effect of protecting the CPU
from high interrupt load. CoPP with an HSRP/PIM class and a policer of 32kbps
didn't help against the high interrupt load and only kept the PIM/HSRP process
load down.

Can anyone explain the interaction in this stuff and why CoPP can't protect
from interrupts while the mls h/w rate-limiters can? And why the hell isn't
there more than just a PIM, HSRP and ARP h/w rate-limiter? Every directly
connected device can kill the PFC control-plane by sending multicast/broadcast
traffic at a rate of about 100Mbps. And no, storm-control is no alternative,
as storm-control would rate-limit multicast traffic entirely, which is a
no-go when using multicast as an application.

cheers,
christian
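The two protection layers Christian contrasts, written out as an added IOS configuration example (not taken from the original post or from a real deployment). The ACL, class-map and policy-map names, the 32kbps CoPP policer and the hardware rate-limiter rates and bursts are assumptions; the CoPP layer limits what reaches the HSRP/PIM processes, while the last two lines are the PFC hardware rate-limiters he reports as the ones that actually kept the interrupt load down.

```cisco
! Hardware CoPP on the Sup720 PFC requires global QoS.
mls qos
!
! --- Layer 1: CoPP class for HSRP and PIM (names and rates are assumptions) ---
! Matches HSRPv1 hellos (UDP/1985 to 224.0.0.2) and PIM to ALL-PIM-ROUTERS.
ip access-list extended ACL-COPP-HSRP-PIM
 permit udp any host 224.0.0.2 eq 1985
 permit pim any host 224.0.0.13
!
class-map match-all CM-COPP-HSRP-PIM
 match access-group name ACL-COPP-HSRP-PIM
!
! 32 kbps policer: keeps the PIM/HSRP process load down during a storm,
! but, per the post, does not keep the interrupt load down.
policy-map PM-COPP
 class CM-COPP-HSRP-PIM
  police 32000 1500 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-COPP
!
! --- Layer 2: PFC hardware rate-limiters (the ones that worked in the lab) ---
! HSRP: rate in bps with burst in bytes; PIM: rate in pps with packet burst.
! The numbers are example values (assumptions), not recommended settings.
mls qos protocol hsrp police 32000 1000
mls rate-limit multicast ipv4 pim 1000 20
```

Both layers are complementary: CoPP still bounds what the RP sees for every other protocol class, while the hardware limiters catch the HSRP/PIM flood before it is punted.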

