[c-nsp] rate-limit arp

Pete Lumbis alumbis at gmail.com
Thu Mar 20 09:21:41 EDT 2014


Be aware that the command is not just ARP to the CPU, it's transit ARP
traffic as well.
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/prod_white_paper0900aecd802ca5d6.html
(ctrl + f, "arp police")


On Thu, Mar 20, 2014 at 8:48 AM, Raymond Lucas (AP) <
raymond.lucas at dimensiondata.com> wrote:

> Rikard,
>
> It's probably safe as long as you use a big enough value to cover
> "expected" traffic volumes, whatever that may be in your environment.
>
> I only recently came across this command when investigating a situation
> where we saw all sorts of strange connectivity problems when trying to move
> some new traffic to a 6500/Sup720 on SXI.  Had to do a full compare of
> the configs on the working and non-working box to find "mls qos protocol
> arp police" configured to a number that was MUCH too low for the scenario.
> No idea about the history as to why the command was ever added to the
> configuration.
>
> "sh mls qos detailed" will show you packets getting dropped by the "mls
> qos protocol" commands, but doesn't break it down into different
> protocols.  Maybe you can start with a reassuringly large number, then
> bring it down while keeping an eye on the drops?  Needless to say, if you
> see 1000s of drops per minute like I did, you may have gone too far!
>
> So while the command might be safe, I would question the usefulness of the
> command.  Without it, if there is a flood of ARPs you'll suffer from high
> CPU - which might or might not be a problem depending on your exact setup
> and the volume of ARP traffic.  With it, a flood of ARPs will cause a
> random sampling of legitimate ARPs to be dropped which definitely will be a
> problem.
>
> Cheers,
> Ray
>
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Rikard Jacobsen
> Sent: Thursday, 20 March 2014 12:05 a.m.
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] rate-limit arp
>
>
>
> Hi,
>
> Anyone have a good config that rate-limit ARP packets? We are using Cisco
> 6500 sup VS-S720-10G IOS version 12.2(33)SXJ2. Is it safe to use "mls qos
> protocol arp police xxx"? Recommended value for "xxx" bps?
>
> Regards
> Rikard
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net<mailto:
> cisco-nsp at puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
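The trade-off Ray describes above (once a flood pushes aggregate ARP over the policer rate, legitimate ARPs are discarded at random alongside the flood) as an added simulation, not code from this thread or from Cisco: a single-rate token bucket stands in for "mls qos protocol arp police", and the frame size, packet rates and traffic mix are constructed assumptions rather than a model of the real PFC implementation.

```python
import random

ARP_FRAME_BITS = 64 * 8   # an ARP fits a minimum-size Ethernet frame (constructed assumption)
FLOOD_START_S, DURATION_S = 5.0, 10.0

def generate_traffic(legit_pps=200, flood_pps=5000, seed=1):
    """Constructed workload: legitimate ARPs for the whole interval, plus a
    flood from FLOOD_START_S on. Returns a time-sorted list of (time_s, is_legit)."""
    rng = random.Random(seed)
    pkts = [(rng.uniform(0, DURATION_S), True)
            for _ in range(int(legit_pps * DURATION_S))]
    pkts += [(rng.uniform(FLOOD_START_S, DURATION_S), False)
             for _ in range(int(flood_pps * (DURATION_S - FLOOD_START_S)))]
    pkts.sort()
    return pkts

def police(packets, rate_bps, burst_bits=8 * ARP_FRAME_BITS):
    """Single-rate token bucket: a frame is forwarded only if enough tokens
    remain, otherwise it is dropped. Nothing here can tell a legitimate frame
    from a flood frame, which is the behaviour the thread warns about."""
    tokens, last_t, decisions = float(burst_bits), 0.0, []
    for t, is_legit in packets:
        tokens = min(burst_bits, tokens + (t - last_t) * rate_bps)
        last_t = t
        forwarded = tokens >= ARP_FRAME_BITS
        if forwarded:
            tokens -= ARP_FRAME_BITS
        decisions.append((t, is_legit, forwarded))
    return decisions

def legit_drop_ratio(decisions, t_from, t_to):
    """Fraction of legitimate ARPs dropped in the window [t_from, t_to)."""
    legit = [fwd for t, is_legit, fwd in decisions if is_legit and t_from <= t < t_to]
    return 1.0 - sum(legit) / len(legit)

def simulate(rate_bps):
    """Legitimate-ARP drop ratio as (quiet period, flood period) for one policer rate."""
    decisions = police(generate_traffic(), rate_bps)
    return (legit_drop_ratio(decisions, 0.0, FLOOD_START_S),
            legit_drop_ratio(decisions, FLOOD_START_S, DURATION_S))

if __name__ == "__main__":
    # Start high and walk the rate down, the way Ray suggests watching the drops.
    for rate in (10_000_000, 1_000_000, 200_000):
        quiet, flood = simulate(rate)
        print(f"police {rate:>10} bps: legit ARP dropped quiet={quiet:.1%} flood={flood:.1%}")
```

A rate that is comfortably above the quiet-period load shows no loss until the flood, at which point legitimate ARPs are lost in proportion to how far the aggregate exceeds the policer.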

