[c-nsp] 6500 & broadcast-storm control

Phil Mayers p.mayers at imperial.ac.uk
Tue Jul 21 08:03:13 EDT 2009


Saku Ytti wrote:
> On (2009-07-21 09:33 +0100), Phil Mayers wrote:
> 
> Hey,
> 
>> Obviously one thing to look at is broadcast storm control on the
>> 6500s. However, from what I can make out, it's rather primitive; the
>> rate of broadcast traffic is capped only in 1-second windows and
>> doesn't take account of packet-size? Does anyone have any experience
>> of it? Does it work well?
> 
> storm-control works just fine. But unfortunately for WS-X6704-10GE the minimum
> amount is 0.34%, which is too much for the box to handle without starting to
> flap BGP/LDP/IS-IS etc.

Well, these are 6748-SFP, which I see can go down much lower, though it 
talks about "100 meg" ports (on an -SFP linecard!)

Can the mls qos be used to rate-limit this on ingress? I doubt it; IIRC 
the ingress policing is limited to CoS only.

> 
> Even if you could limit them to acceptable level, you'll still be looping
> unknown unicast, unless you've explicitly stopped forwarding them (which
> implies you must have only 1 switch or you've synchronized ARP timeout with
> MAC timeout).

We haven't done that. The storms are of very short duration (<10 
seconds, but longer than 3x STP PDU timeouts) so I'm hoping that unknown 
unicast will not be as big a problem.

> 
>> Is it more subtle, and the SP is being overwhelmed by the punt? We
>> run CoPP but obviously that's layer3. I don't have any layer2 MLS
>> rate-limiters enabled, and since they're per-box rather than
>> per-port I doubt they'd help.
> 
> My guess would be this also, that you simply overloaded the SUP. Maybe if
> you can recreate it in a controlled environment, you could see what the
> software is doing and maybe even find a way to protect yourself.
> 

I'm investigating another solution on the edge switches themselves; they 
support fairly granular output metering based on ACL match terms, so I 
might be able to match on destination MAC and limit to something small 
like 128kbit/sec, but it's hacky - I'd like to avoid it, and such 
protection really ought to be on the core switch, in case it gets missed 
or mis-configured on the edge.
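A worked calculation, added here and not part of the thread, for the point about the 0.34% floor and the "doesn't take account of packet-size" remark: a storm-control level is a percentage of link bandwidth, so the packet rate that actually reaches the supervisor depends entirely on frame size. The control-plane "punt budget" figure used below is an assumed placeholder, not a Cisco number.

```python
# Added example (not from the thread): translate a percentage-based
# storm-control level into the packets-per-second figure that a broadcast
# storm can deliver to the supervisor at different frame sizes.
# The punt budget passed to exceeds_punt_budget() is an assumption.

# 7-byte preamble + 1-byte SFD + 12-byte inter-frame gap are on the wire
# for every frame but not counted in the frame length itself.
PREAMBLE_SFD_IFG_BYTES = 20


def permitted_bps(link_bps: int, level_percent: float) -> float:
    """Broadcast bandwidth (bit/s) that a storm-control level lets through."""
    return link_bps * level_percent / 100.0


def permitted_pps(link_bps: int, level_percent: float, frame_bytes: int) -> int:
    """Frames per second that fit inside the permitted bandwidth at one
    frame size. Because the level measures bandwidth, not packets, small
    frames translate into many more packets for the same percentage."""
    bits_per_frame = (frame_bytes + PREAMBLE_SFD_IFG_BYTES) * 8
    return int(permitted_bps(link_bps, level_percent) // bits_per_frame)


def pps_by_frame_size(link_bps: int, level_percent: float,
                      sizes=(64, 512, 1518)) -> dict:
    """Permitted packet rate at several frame sizes for the same level."""
    return {s: permitted_pps(link_bps, level_percent, s) for s in sizes}


def exceeds_punt_budget(link_bps: int, level_percent: float,
                        budget_pps: int, frame_bytes: int = 64) -> bool:
    """Worst case is minimum-size frames: True if the permitted rate at that
    size is more than the control plane is assumed to absorb."""
    return permitted_pps(link_bps, level_percent, frame_bytes) > budget_pps


if __name__ == "__main__":
    # 10GE port at the 0.34% floor discussed above (constructed scenario)
    for size, pps in pps_by_frame_size(10_000_000_000, 0.34).items():
        print(f"{size:5d}-byte frames: {pps:6d} pps")
    # Same level, assumed 10k pps punt budget: clearly exceeded at 64 bytes
    print(exceeds_punt_budget(10_000_000_000, 0.34, 10_000))
```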

