Doubtless you know this because you specified 0.34, but for other
readers, a cautionary tale: We recently deployed an edge 10gig port on a
6716, and I set the broadcast storm level to 0.10 as per our standard
config:

storm-control broadcast level 0.10

Unfortunately on this linecard, anything <0.34 == 0, i.e. all broadcasts
trigger it. This makes things like ARP rather unhappy! So beware the
varying linecard limits.

It's a real shame the broadcast limiter (along with all the other limits
on this platform) aren't more granular e.g. per-vlan broadcast and glean
limits on a trunk port, etc.
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

We chose the 50% based on the fact that we didn't exactly know how much
broadcast/multicast was "normal"; we have since been measuring (via
SNMP/Cacti) this level and will probably adjust downwards.

You're right about the spare capacity needing to be there. We naively
concluded that a loop induced storm would tend to settle down as long as
there's some kind of limit imposed.

I guess it's time to adjust things now. :-)
Hm... I thought "storm-control unicast" was exactly for _unknown_
unicast. Otherwise it seems a little retarded (excuse my french).
Blocking/policing unicast as such isn't really helpful, is it?

If it really is just unicast (and not unknown unicast) I understand now
why the 3560G blocked traffic.

It would like the 6500 to support "storm-control action shutdown" by the
way. It can be EEM scripted of course, but that's a kludge.
Agreed.


_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

We just had a incident that a person plugged two ends of a long wire
into two ports of a gig mini switch. The miniswitch then comes to our
access, distribution switch, then comes on layer 2 to our catalyst
6500. That crashed our catalyst 6500 w/ sup720 3bxl, IOS 12.2(33)SXI3.

Now we are reviewing the whole process, the access switch uplink was
only 730000 bits/sec and 8900
packets/sec. This kind of traffic was enough to crash the catalyst 6500.

During the storm, we enabled storm-control broadcast 0.01, the
catalyst 6500 was running at 99% CPU. we shutdown that port afraid of
crash it again.

We were thinking of implement storm-control broadcast 0.04 on our
WS-X6724-SFP gig ports.
Use 64 bytes packet and 576 bytes as references
64 byte
576bytes
0.04%*1000,1000,1000/(64*8) = 780 pps 87
0.08%*1000,1000,1000/(64*8) = 1562 pps 174
0.16%*1000,1000,1000/(64*8) = 3152 pps 350
0.48% 9456 pps
1051pps

Which one do you think make more sense?

Schilling
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Even clearer than that:

"Each port has a single traffic storm control level that is used for all
types of traffic (broadcast, multicast, and unicast).

Traffic storm control monitors the level of each traffic type for which
you enable traffic storm control in 1-second traffic storm control
intervals."

So it seems there's one storm-control threshold per interface, and you
decide which types of traffic (unicast/broadcast/multicast) have that
threshold applied.

It then gets a little murky:

"Traffic storm control on the Catalyst 6500 series switches is implemented
in hardware. The traffic storm control circuitry monitors packets passing
from a LAN interface to the switching bus. Using the Individual/Group bit
in the packet destination address, the traffic storm control circuitry
determines if the packet is unicast or broadcast, keeps track of the
current count of packets within the 1-second interval, and when a
threshold is reached, filters out subsequent packets.

Because hardware traffic storm control uses a bandwidth-based method to
measure traffic, the most significant implementation factor is setting the
percentage of total available bandwidth that can be used by controlled
traffic. Because packets do not arrive at uniform intervals, the 1-second
interval during which controlled traffic activity is measured can affect
the behavior of traffic storm control."

Here, they first say storm control keeps track of the "count of packets"
which implies to me "number of packets" or PPS, but then they say it's
bandwidth based. I think I'd actually prefer if it were simply based on
PPS or if configuring it as PPS was at least an option. We had a recent
event in which a few VMs started sending an excessive rate of both
broadcast and multicast. The traffic was arriving on 1gig interfaces on a
pair of 6509s, and at a traffic rate of about 55mbit/s, we were seeing 78k
PPS, and the 6509s were not amused. This got me looking at storm-control
again. We'd experimented with it years ago, but never fully implemented
it.

One thing I'm curious about...if I have an interface with storm-control
configured, and that interface is the source for a monitor session, during
a traffic storm, will I see the dropped packets on the monitor session
destination?

----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/