[c-nsp] risks of assigning redundant paths on data link layer to end-customer

Martin T m4rtntns at gmail.com
Tue Nov 22 14:49:00 EST 2011


Peter,
thank you for the reply! Storm-control helps here a lot. I set
"storm-control broadcast level pps 2000 1000" and "storm-control
multicast level pps 2000 1000" on "C2950-24-A" port Fa0/24 and
"C3550-24-B" port Fa0/24. In other words, on the ports which face the
"Customer-SW".

Once the "storm-control" settings were in place, I wasn't able to
flood broadcast frames across the VLAN.


However, are there some other possibilities for an L2 loop? I mean other
than filtering out BPDUs in "Customer-SW"?

In addition, before applying the storm-control configuration settings,
the network was heavily flooded:

Customer-SW#sh int Fa0/23 | i bits
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 77321000 bits/sec, 142110 packets/sec
Customer-SW#sh int Fa0/24 | i bits
  5 minute input rate 77322000 bits/sec, 142111 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
Customer-SW#

Why is there a flood only in one direction? I created this flood by
configuring the 192.168.1.1/24 IP address on "R1" interface Fa0/0.300 and
executing "ping 192.168.1.2", which sent out the broadcast ARP frames.



regards,
martin


2011/11/22 Peter Rathlev <peter at rathlev.dk>:
> (Hit "send" too early, sorry! Second paragraph was missing.)
>
> On Tue, 2011-11-22 at 06:55 +0200, Martin T wrote:
>> Let's assume there is the following setup:
>>
>> http://img844.imageshack.us/img844/9133/stp.png
>>
>> ISP manages "R1", "C3550-24-A", "C-355-24-B" and "C2950-24-A".
>> "Customer-SW" is fully under customer control. As you can see, there
>> are two paths to "Customer-SW". What are the risks with such setups in
>> general?
>
> You mention loops, which is probably one of the worst risks. Besides
> this there's the fact that an L2 network spans many more devices. With
> L3 interconnect you would only put the two devices closest to the
> customer at risk. This might of course adversely affect other things,
> but only things connected to these two devices. The L2 network stretches
> through all the shown devices. Other things than loops can cause
> problems, e.g. broadcasts or STP control traffic.
>
> To mitigate these things you should aggressively police broadcast and
> maybe multicast traffic. You should also implement CoPP (or similar) on
> any devices with an L3 connection to the specific VLAN.
>
> That the root is placed with the customer is IMHO no big problem. They
> might have reasons to place it somewhere special, and since only one of
> the two paths from the CPE to R1 would be active at any time (because of
> STP) it doesn't really matter where the root is from your point of view.
>
> --
> Peter
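An added example, not part of this thread: a small Python script that parses the "sh int | i bits" output quoted above to find which port is taking the flood on ingress, and a simplified model of how the two numbers in "storm-control ... level pps 2000 1000" behave (rising threshold starts suppression, falling threshold ends it). The sample text is the output from the mail; the hysteresis model is an assumption that ignores Cisco's 1-second measurement interval details.

```python
import re

# Constructed sample: the "sh int | i bits" output quoted in the mail.
SHOW_INT_SAMPLE = """\
Customer-SW#sh int Fa0/23 | i bits
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 77321000 bits/sec, 142110 packets/sec
Customer-SW#sh int Fa0/24 | i bits
  5 minute input rate 77322000 bits/sec, 142111 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
"""

PROMPT_RE = re.compile(r"^\S+#sh int (\S+) \| i bits$")
RATE_RE = re.compile(r"^\s+5 minute (input|output) rate (\d+) bits/sec, (\d+) packets/sec$")


def parse_rates(text):
    """Return {interface: {"input": pps, "output": pps}} from pasted IOS output."""
    rates, current = {}, None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            current = m.group(1)
            rates[current] = {}
            continue
        m = RATE_RE.match(line)
        if m and current:
            rates[current][m.group(1)] = int(m.group(3))
    return rates


def flooded_ports(rates, rising_pps):
    """Ports whose *ingress* pps would reach a storm-control rising threshold.
    Storm control acts on traffic entering the port, so output rates are ignored."""
    return sorted(i for i, r in rates.items() if r.get("input", 0) >= rising_pps)


def storm_control(samples, rising, falling):
    """Simplified (assumed) model of 'level pps <rising> <falling>' hysteresis:
    once a per-interval rate reaches `rising` the port suppresses that traffic
    class and keeps suppressing until a later interval drops below `falling`.
    Returns one bool per sample: True = suppressing during that interval."""
    suppressing, states = False, []
    for pps in samples:
        if not suppressing and pps >= rising:
            suppressing = True
        elif suppressing and pps < falling:
            suppressing = False
        states.append(suppressing)
    return states
```

With the mail's 2000/1000 pps settings, the 142111 pps ingress on Fa0/24 is far above the rising threshold, which is why the flood stopped once storm-control was applied.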