[c-nsp] rate-limit arp

Raymond Lucas (AP) raymond.lucas at dimensiondata.com
Thu Mar 20 08:48:28 EDT 2014


Rikard,

It’s probably safe as long as you use a big enough value to cover “expected” traffic volumes, whatever that may be in your environment.

I only recently came across this command when investigating a situation where we saw all sorts of strange connectivity problems when trying to move some new traffic to a 6500/Sup720 on SXI. Had to do a full compare of the configs on the working and non-working box to find “mls qos protocol arp police” configured to a number that was MUCH too low for the scenario. No idea about the history as to why the command was ever added to the configuration.

“sh mls qos detailed” will show you packets getting dropped by the “mls qos protocol” commands, but doesn’t break it down into different protocols. Maybe you can start with a reassuringly large number, then bring it down while keeping an eye on the drops? Needless to say, if you see 1000s of drops per minute like I did, you may have gone too far!

So while the command might be safe, I would question the usefulness of the command. Without it, if there is a flood of ARPs you’ll suffer from high CPU – which might or might not be a problem depending on your exact setup and the volume of ARP traffic. With it, a flood of ARPs will cause a random sampling of legitimate ARPs to be dropped, which definitely will be a problem.

Cheers,
Ray
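The trade-off Ray describes (a policer sized with headroom over expected volume passes everything in normal operation, but during a flood it drops legitimate ARPs at the same rate as the flood, since it cannot tell them apart) can be checked with a small simulation. This is an added example, not code from the thread or from Cisco; it assumes the policer behaves as a single-rate token bucket and that an ARP request occupies a 64-byte frame, and the rates and burst size used are constructed for illustration.

```python
import random

# Assumption: an ARP request rides in a minimum-size Ethernet frame, 64 bytes on the wire.
ARP_FRAME_BITS = 64 * 8


def police_arp(rate_bps, burst_bytes, legit_pps, flood_pps, seconds=10, seed=7):
    """Run a single-rate token-bucket policer (the model assumed here for an
    ARP protocol policer) over a constructed mix of legitimate and flood ARP
    frames.  Arrivals are Poisson; each frame is labelled legitimate or flood
    in proportion to the two rates, so the policer cannot tell them apart.
    Returns {'legit': (dropped, total), 'flood': (dropped, total)}."""
    rng = random.Random(seed)
    cap_bits = burst_bytes * 8
    tokens = cap_bits                      # bucket starts full
    total_pps = legit_pps + flood_pps
    now_us = 0
    counts = {"legit": [0, 0], "flood": [0, 0]}
    while now_us < seconds * 1_000_000:
        # next arrival in whole microseconds, at least 1 us after the previous one
        gap_us = max(1, int(rng.expovariate(total_pps) * 1_000_000))
        now_us += gap_us
        tokens = min(cap_bits, tokens + rate_bps * gap_us // 1_000_000)
        kind = "legit" if rng.random() * total_pps < legit_pps else "flood"
        counts[kind][1] += 1
        if tokens >= ARP_FRAME_BITS:
            tokens -= ARP_FRAME_BITS        # conforming: forwarded to the CPU
        else:
            counts[kind][0] += 1            # exceeding: dropped, whichever class it was
    return {k: tuple(v) for k, v in counts.items()}


def drop_fraction(counts, kind):
    """Share of frames of the given class that the policer dropped."""
    dropped, total = counts[kind]
    return dropped / total if total else 0.0


if __name__ == "__main__":
    # Policer sized with 2x headroom over an expected 100 ARP/s, 1500-byte burst (constructed values)
    rate = 2 * 100 * ARP_FRAME_BITS       # 102400 bps
    quiet = police_arp(rate, 1500, legit_pps=100, flood_pps=0)
    flood = police_arp(rate, 1500, legit_pps=100, flood_pps=900)
    print("no flood : legit drop fraction %.2f" % drop_fraction(quiet, "legit"))
    print("ARP flood: legit drop fraction %.2f, flood drop fraction %.2f"
          % (drop_fraction(flood, "legit"), drop_fraction(flood, "flood")))
```

With the policer alone, the flood case drops roughly four out of five legitimate ARPs, the same share as the flood traffic; the headroom only protects the quiet case.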

From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rikard Jacobsen
Sent: Thursday, 20 March 2014 12:05 a.m.
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] rate-limit arp



Hi,

Anyone have a good config that rate-limits ARP packets? We are using Cisco 6500 sup VS-S720-10G IOS version 12.2(33)SXJ2. Is it safe to use "mls qos protocol arp police xxx"? Recommended value for "xxx" bps?

Regards
Rikard