[c-nsp] unknown unicast flooding - particularly regarding fhrp's

Pete Lumbis alumbis at gmail.com
Mon Jan 21 12:16:38 EST 2013


In short, you'll run into unexpected congestion from flooded traffic
arriving on trunks it shouldn't be. You could also run into high CPU on
some devices due to excess traffic (but this is less likely since the
destination MAC will not match the receiving device and will be dropped on
the NIC, most of the time).

The scenario you describe, flooding due to asymmetric flows with FHRPs, is
probably the easiest and most common way to make this happen.

The fix I've most commonly seen to this is to either adjust your ARP timers
down or your CAM timers up. Pick your poison.


On Mon, Jan 21, 2013 at 11:56 AM, Aaron <aaron1 at gvtc.com> wrote:

> What do y'all know about the effects of implementing fhrp's (glbp, hsrp,
> vrrp) WITH route diversity from the distribution (fhrp router) to the
> internet. (which I'd imagine is a pretty typical scenario in HA nets)
>
> I mean as packets arrive from the internet to the non-active fhrp router,
> then this router probably won't have arp entries (perhaps at 4 hour timeouts
> it will) but it more than likely won't have bridge table entries, nor will
> the L2 distribution / access devices have bridge table entries (at 300 secs
> aging probably not)
>
> How does constant unknown unicast flooding affect networks?  Better yet, how
> to design in mitigation?  Is it all about lower arp timeouts below 300 secs
> so to artificially prop-up bridge tables and keep them fresh?  My goodness
> that's making arp very busy.
>
> This is also being asked since I'm suspecting this behavior on my asr9k's
> via their bvi's (hsrp'd) since they have separate internet uplinks and I'm
> suspecting unknown unicast flooding from the non-active hsrp asr9k over the
> vpls domain towards customers.  (but ugh, my dual 7609's over my legacy net
> have been running like this forever!)
>
>
>
> Aaron
>
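
The timer interaction discussed in this thread, as an added example that is not part of either poster's message: a toy Python model of the L2 path behind the non-active FHRP router, using the 4-hour ARP timeout and 300-second bridge-table aging mentioned above. The function name, the sample MAC address and the traffic pattern (one downstream frame per second, host upstream traffic only ever taking the active router's path) are assumptions of the model.

```python
"""Added example: toy model of flooding on the standby-FHRP path."""

HOST_MAC = "00:00:5e:00:53:01"  # constructed MAC from the documentation range


def flooded_fraction(arp_timeout, cam_aging, duration=4 * 14400, pkt_interval=1):
    """Return the fraction of downstream frames the switch has to flood.

    Model assumptions (constructed, not measured): the host's upstream frames
    all go toward the active FHRP router, so on the standby router's L2 path
    the host MAC is learned only when the host answers the standby router's
    ARP refresh, which happens once every arp_timeout seconds.
    """
    cam = {}          # MAC -> time it was last learned on this path
    next_arp = 0      # time of the standby router's next ARP refresh
    flooded = total = 0
    for now in range(0, duration, pkt_interval):
        if now >= next_arp:
            # Standby router re-ARPs; the host's reply refreshes the entry.
            cam[HOST_MAC] = now
            next_arp = now + arp_timeout
        learned = cam.get(HOST_MAC)
        if learned is not None and now - learned >= cam_aging:
            del cam[HOST_MAC]          # entry aged out of the bridge table
        total += 1
        if HOST_MAC not in cam:
            flooded += 1               # unknown unicast: sent out every port
    return flooded / total


if __name__ == "__main__":
    scenarios = [
        ("defaults (ARP 14400 s, CAM 300 s)", 14400, 300),
        ("ARP timer lowered to 270 s", 270, 300),
        ("CAM timer raised to 14400 s", 14400, 14400),
    ]
    for label, arp, cam_age in scenarios:
        print(f"{label}: {flooded_fraction(arp, cam_age):.1%} of frames flooded")
```
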

