[c-nsp] risks of assigning redundant paths on data link layer to end-customer

Peter Rathlev peter at rathlev.dk
Thu Nov 24 03:22:15 EST 2011


On Thu, 2011-11-24 at 03:30 +0200, Martin T wrote:
> yes, I had 142kpps of broadcast traffic. For example interface
> statistics from "C3550-24-B":

How did R1 cope with that? What platform is it?

> Isn't the L2 broadcast (FF:FF:FF:FF:FF:FF) the most frequent type of frame
> in an L2 flood?

I'd think so, yes. The all-ones would always be flooded, but other
things might also be flooded. If the "Group" bit is set in the MAC
address, it's supposed to reach more than one destination. Multicast is
covered by this, but yours is purely broadcast it seems.

> Could you explain this thought:
> 
> "Unidirectional traffic like that can also be because of unicast
> flooding caused by an asymmetric L2 forwarding topology."

Your counters say it's broadcast traffic, so not unicast flooding. But
an example of that:


             +--------+
             | server |
             +--------+
                  |
            +----------+
            | switch C |
            +----------+
             /        \
   +----------+      +----------+
   | switch A |      | switch B |
   +----------+      +----------+
         |                 |
   +----------+      +----------+
   | router 1 |      | router 2 |
   +----------+      +----------+
         |                 |

If router 1 was FHRP "primary" but router 2 was the one receiving
traffic from the core network, you would have asymmetric flows. Traffic
from the server to the gateway would never cross switch B, but router 2
would send traffic toward that switch. Since it would not know the MAC
address, it has to flood all traffic. Every other switchport on switch B
in the same VLAN as the server would receive a copy. No learning would
take place.

This is just one example of unicast flooding. It's not catastrophic, but
it might eat up a lot of bandwidth.

> I would say it's secure enough if storm-control is applied on border
> ports and the customer doesn't filter BPDUs..

I tend to agree, though it would never be pretty. :-)

-- 
Peter
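The unicast-flooding scenario Peter sketches can be checked with a small model of MAC learning and aging. The following is an added example written for this page, not code from the thread or from any vendor: it builds the switch C / switch A / switch B topology from the diagram, lets the server send upstream to the FHRP gateway once a second while router 2 sends the return traffic once a second, and counts how often switch B has to flood because it never sees the server's MAC as a source. The MAC addresses, port names, the per-second FHRP hello to a multicast group, and the 300 s aging time are all assumptions chosen for illustration; the group-bit test mirrors the remark above that any address with the I/G bit set is flooded.

```python
"""Model of MAC learning, aging and unknown-unicast flooding on the
two-switch / two-router topology sketched in the post.

Added example, not part of the original thread. MAC addresses, port
names, one frame per second in each direction, a 300 s aging time and
a per-second FHRP hello are all assumptions chosen to show the mechanism.
"""
from collections import Counter

SERVER = "00:00:5e:00:53:01"     # assumption: the server
GW = "00:00:5e:00:53:fe"         # assumption: FHRP virtual (gateway) MAC
R2 = "00:00:5e:00:53:12"         # assumption: router 2's own MAC
HELLO_DST = "01:00:5e:00:00:02"  # assumption: multicast group used by hellos
AGING = 300                      # assumption: seconds an idle entry survives


def is_group(mac):
    """I/G bit set (broadcast or multicast): such frames are always flooded."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)
        self.table = {}            # mac -> (port, time last seen as source)
        self.unknown_unicast = 0   # unicast frames flooded for lack of an entry

    def lookup(self, mac, now):
        entry = self.table.get(mac)
        if entry is None or now - entry[1] > AGING:
            return None            # never learned, or aged out
        return entry[0]

    def receive(self, src, dst, in_port, now):
        """Learn the source on the ingress port, then forward or flood."""
        self.table[src] = (in_port, now)
        others = [p for p in self.ports if p != in_port]
        if is_group(dst):
            return others, "group"
        out = self.lookup(dst, now)
        if out is None:
            self.unknown_unicast += 1
            return others, "unknown"
        if out == in_port:
            return [], "drop"      # destination sits behind the ingress port
        return [out], "forward"


class Lan:
    """Switch C uplinks to switches A and B; all other ports are end stations."""

    def __init__(self):
        self.sw = {"C": Switch("C", ["srv", "toA", "toB"]),
                   "A": Switch("A", ["toC", "toR1", "cust1"]),
                   "B": Switch("B", ["toC", "toR2", "cust1", "cust2"])}
        self.links = {("C", "toA"): ("A", "toC"), ("A", "toC"): ("C", "toA"),
                      ("C", "toB"): ("B", "toC"), ("B", "toC"): ("C", "toB")}
        self.unknown_copies = Counter()   # (switch, port) -> flooded copies

    def send(self, src, dst, at, now):
        """Inject a frame at port `at` and propagate it through the switches."""
        queue = [at]
        while queue:
            name, port = queue.pop()
            outs, kind = self.sw[name].receive(src, dst, port, now)
            for out in outs:
                if (name, out) in self.links:
                    queue.append(self.links[(name, out)])
                elif kind == "unknown":
                    self.unknown_copies[(name, out)] += 1


def run(gateway_port, seconds=600):
    """Server sends to the gateway once a second; router 2 sends the return
    traffic once a second. Returns (unknown-unicast floods on switch B,
    copies delivered to switch B's customer ports)."""
    lan = Lan()
    lan.send(SERVER, "ff:ff:ff:ff:ff:ff", ("C", "srv"), 0)  # server ARPs
    lan.send(GW, SERVER, gateway_port, 0)                   # gateway answers
    for t in range(1, seconds + 1):
        lan.send(GW, HELLO_DST, gateway_port, t)            # FHRP hello
        lan.send(SERVER, GW, ("C", "srv"), t)               # upstream
        lan.send(R2, SERVER, ("B", "toR2"), t)              # downstream
    cust = sum(n for (sw, p), n in lan.unknown_copies.items()
               if sw == "B" and p.startswith("cust"))
    return lan.sw["B"].unknown_unicast, cust


if __name__ == "__main__":
    print("asymmetric (active gateway on router 1):", run(("A", "toR1")))
    print("symmetric  (active gateway on router 2):", run(("B", "toR2")))
```

With the gateway active on router 1, switch B learns the server's MAC only from the initial ARP broadcast; nothing refreshes that entry, so once it ages out every downstream frame from router 2 is flooded to all of switch B's customer ports for the rest of the run. Move the active gateway to router 2 and the upstream frames cross switch B, the entry is refreshed every second and the flooding disappears.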


