[c-nsp] unknown unicast flooding - particularly regarding fhrp's

Lee ler762 at gmail.com
Mon Jan 21 12:57:52 EST 2013


On 1/21/13, Aaron <aaron1 at gvtc.com> wrote:
> What do y'all know about the effects of implementing fhrp's (glbp, hsrp,
> vrrp) WITH route diversity from the distribution (fhrp router) to the
> internet. (which I'd imagine is a pretty typical scenario in HA nets)

Do you have enough bandwidth to the Internet that it might be a problem?

Is the topology such that you could have unicast flooding?  If you
don't allow the same vlan on multiple access layer switches that
eliminates most unicast flooding.

In any case, I like increasing the mac address table timeout, others
like decreasing the ARP table timeout & I remember one recommendation
to configure the hosts to send broadcasts every few minutes (I think
it was ntp to the subnet broadcast address??).  And be sure to enable
portfast on all the host ports - otherwise when a user reboots their
machine you get a topology change notification, all the switches set
the fast aging timer for that vlan and you're back to unicast
flooding.

Have you seen
http://www.cisco.com/en/US/customer/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml


Regards,
Lee



> I mean as packets arrive from the internet to the non-active fhrp router,
> then this router probably won't have arp entries (perhaps at 4 hour
> timeouts it will) but it more than likely won't have bridge table entries,
> nor will the L2 distribution / access devices have bridge table entries
> (at 300 secs aging probably not)
>
> How does constant unknown unicast flooding affect networks?  Better yet,
> how to design in mitigation?  Is it all about lowering arp timeouts below
> 300 secs so as to artificially prop up bridge tables and keep them fresh?
> My goodness that's making arp very busy.
>
> This is also being asked since I'm suspecting this behavior on my asr9k's
> via their bvi's (hsrp'd) since they have separate internet uplinks and I'm
> suspecting unknown unicast flooding from the non-active hsrp asr9k over the
> vpls domain towards customers.  (but ugh, my dual 7609's over my legacy net
> have been running like this forever!)
>
> Aaron
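An added toy simulation (not from the thread, Cisco, or either poster) of the timer interaction Lee and Aaron are discussing: the switch in front of the standby FHRP router only learns the host's MAC from the host's ARP reply or a broadcast, so once that entry ages out before the router's ARP entry does, every return frame is flooded until the router re-ARPs. The 1 pps return flow, the timer values, and the per-second model are constructed assumptions.

```python
# Added example: a toy model of the asymmetric-routing case in the thread.
# Host H's outbound traffic goes to the active FHRP router, so the switch
# in front of the *standby* router (which carries the return path) only sees
# H as a source MAC when H answers that router's ARP request or sends a
# broadcast. Timer values and a 1 pps return flow are constructed assumptions.

def simulate(arp_timeout, mac_aging, duration, host_bcast_interval=None):
    """Return {'flooded', 'total', 'arp_requests'} over `duration` seconds.

    arp_timeout         - standby router's ARP cache timeout (seconds)
    mac_aging           - switch MAC address table aging time (seconds)
    host_bcast_interval - if set, H sends a broadcast this often (e.g. NTP to
                          the subnet broadcast address), which refreshes the
                          switch's entry for H despite the asymmetric path
    """
    arp_learned = None   # when the standby router last (re)learned H's MAC
    mac_learned = None   # when the switch last saw a frame *from* H
    stats = {"flooded": 0, "total": 0, "arp_requests": 0}
    for now in range(duration):
        if host_bcast_interval and now % host_bcast_interval == 0:
            mac_learned = now                # broadcast refreshes the MAC entry
        # One return frame per second arrives from the Internet for H.
        if arp_learned is None or now - arp_learned >= arp_timeout:
            stats["arp_requests"] += 1       # broadcast ARP request ...
            arp_learned = now                # ... H replies by unicast ...
            mac_learned = now                # ... and the switch learns H
        stats["total"] += 1
        # Destination lookups never refresh the entry; only source traffic does.
        if mac_learned is None or now - mac_learned >= mac_aging:
            stats["flooded"] += 1            # unknown unicast: flooded in the VLAN
    return stats

if __name__ == "__main__":
    cases = {
        "defaults (ARP 4h, MAC aging 300s)":   (14400, 300, 28800, None),
        "MAC aging raised above ARP timeout":  (14400, 14700, 28800, None),
        "ARP timeout lowered below MAC aging": (240, 300, 28800, None),
        "host broadcasts every 120s":          (14400, 300, 28800, 120),
    }
    for name, (arp, mac, dur, bcast) in cases.items():
        s = simulate(arp, mac, dur, bcast)
        print(f"{name:38s} flooded {s['flooded']:6d}/{s['total']}  "
              f"ARP requests {s['arp_requests']}")
```

The "arp_requests" column is what Aaron's "making arp very busy" objection costs per host over the same period.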

