[c-nsp] 6500 & broadcast-storm control
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jul 21 08:03:13 EDT 2009
Saku Ytti wrote:
> On (2009-07-21 09:33 +0100), Phil Mayers wrote:
>
> Hey,
>
>> Obviously one thing to look at is broadcast storm control on the
>> 6500s. However, from what I can make it it's rather primitive; the
>> rate of broadcast traffic is capped only in 1-second windows and
>> doesn't take account of packet-size? Does anyone have any experience
>> of it? Does it work well.
>
> storm-control works just fine. But unfortunately for WS-X6704-10GE minimum
> amount of 0.34% which is too much for the box to handle without starting to
> flap BGP/LDP/IS-IS etc.
Well, these are 6748-SFP, which I see can go down much lower, though it
talks about "100 meg" ports (on an -SFP linecard!)
Can the mls qos be used to rate-limit this on ingress? I doubt it; IIRC
the ingress policing is limited to CoS only.
>
> Even if you could limit them to acceptable level, you'll still be looping
> unknown unicast, unless you've explicitly stopped forwarding them (which
> implies you must have only 1 switch or you've synchronized ARP timeout with
> MAC timeout).
We haven't done that. The storms are of very short duration (<10
seconds, but longer than 3x STP PDU timeouts) so I'm hoping that unknown
unicast will not be as big a problem.
>
>> Is it more subtle, and the SP is being overwhelmed by the punt? We
>> run CoPP but obviously that's layer3. I don't have any layer2 MLS
>> rate-limiters enabled, and since they're per-box rather than
>> per-port I doubt they'd help.
>
> My guess would be this also, that you simply overloaded the SUP. Maybe if
> you can recreate it in controlled environment, you could see what the
> software is doing and maybe even find way to protect yourself.
>
I'm investigating another solution on the edge switches themselves; they
support fairly granular output metering based on ACL match terms, so I
might be able to match on destination MAC and limit to something small
like 128kbit/sec, but it's hacky - I'd like to avoid it, and such
protection really ought to be on the core switch, in case it gets missed
or mis-configured on the edge.
More information about the cisco-nsp
mailing list