Unicast Flooding due to Asymmetric Routing

Unanswered Question
Jan 6th, 2010

I understand why Unicast flooding occurs due to asymmetric routing. But what is the BEST recommendation to deal with the issue, assuming I am not going to re-architect my network?

1) Raise the bridge table timeout to 4 hours? - What are the downsides? Possibly filling the cam table?

2) Lower the arp table timeout to 5 minutes? - downside increases cpu processing on the router

I would think a compromise would be just fine as well. 10 minutes on the bridge and arp table? On a stable network, arps every 10 minutes should not be that cpu intensive.

Also, why not make the arp timer lower than the bridge timer? Then you are assured to 're-arp' before the bridge timer expires.

I am looking for some discussion on setting the timers. I have read all the links that say why this happens and to set the 2 timers to be equal. I cannot find any information on the pros and cons of messing with the timers.

Ganesh Hariharan Wed, 01/06/2010 - 23:29

Hi,

For controlling Unicast flooding in switches try to do the following configuration using Mac-Address-table-Unicast-flooding

mac-address-table unicast-flood

To enable unicast flood protection, use the mac-address-table unicast-flood command. Use the no form of this command to disable unicast flood protection.

mac-address-table unicast-flood {limit kfps} {vlan vlan} {filter timeout | alert | shutdown}

no mac-address-table unicast-flood {limit kfps} {vlan vlan}

Syntax Description

limit kfps: Limits the unicast floods on a per-source MAC address and per-VLAN basis; valid values are from 1 to 4000 Kfps.

vlan vlan-id: VLAN to apply the flood limit; valid values are from 1 to 4094.

filter timeout: Specifies how long to filter unicast floods; valid values are from 1 to 34560 minutes.

alert: Specifies when frames of unicast floods exceed the flood rate limit to send an alert.

shutdown: Specifies when frames of unicast floods exceed the flood rate limit to shut down the ingress port generating the floods.

Defaults

This command has no default settings.

Configure unicast flood protection as follows:

• Set the limit kfps argument to 10 Kfps.

• Set the filter timeout argument to 5 minutes.

The shutdown option is supported on nontrunk ports only.

If you specify alert and unknown unicast floods exceeding the threshold are detected, an error message is displayed and no further action is taken.

If you specify shutdown and unknown unicast floods exceeding the threshold are detected, an error message is displayed. Once the error message is displayed, the port goes to err-disable mode.

Examples

This example shows how to set the flood rate limit to 3000 fps and display an error message when the rate limit has been exceeded:

Router(config)# mac-address-table unicast-flood limit 3 vlan 125 alert

Router(config)#

Hope that helps out your query !!

Regards

Ganesh.H

Christopher Isett Thu, 01/07/2010 - 06:18

Thank you Ganesh,

This is not quite what I was looking for. Since my issue is due to Asymmetric routing I was thinking that the fix is to make both the arp and mac-address timers the same. That is what most of the documentation seems to suggest.

I don't think the mac-address-table unicast-flood command is appropriate since the flooding, by default, will occur for 3 hours and 55 minutes in every 4 hour timeframe. Maybe I am wrong but I did not think that using the mac-address-table unicast-flood command was the recommendation to resolve Unicast flooding due to Asymmetric routing. Maybe you could comment on this?

If not, then my original question still stands. What are the pros/cons of messing with the arp and mac-address-table timers and what is the most practical timer setting to use? 4 hours seems excessive to set a mac-address ageing timer to, yet 5 minutes for an arp timer could prove to be very cpu intensive.

Chris
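
The timer trade-off discussed in this thread, worked through as an added example that is not part of any post: an idealized Python model of one host whose MAC entry is refreshed only when the router re-ARPs, comparing the timer pairs mentioned above by flooded time per 4 hours and by ARP refresh rate. The function names, the single-host model and the 2000-host figure are assumptions made for illustration.

```python
# Added example: idealized model of one silent host behind a switch.
# Assumptions: the switch relearns the host MAC only when the router
# re-ARPs (every arp_timeout seconds, first refresh at t=0), and the
# entry ages out mac_aging seconds after it was last learned.

def flooded_seconds(arp_timeout, mac_aging, window=14400):
    """Seconds in `window` during which the switch has no entry and floods."""
    flooded = 0
    learned_at = None
    for t in range(window):
        if t % arp_timeout == 0:          # router re-ARPs, host replies
            learned_at = t                # switch (re)learns the MAC
        if learned_at is None or t - learned_at >= mac_aging:
            flooded += 1                  # entry aged out: frame is flooded
    return flooded

def arp_requests_per_second(arp_timeout, hosts):
    """Steady-state ARP refresh rate the router generates for `hosts` entries."""
    return hosts / arp_timeout

# (label, ARP timeout in s, MAC aging in s); the first row is the
# 4 hour / 5 minute default pair the thread refers to.
CANDIDATES = [
    ("defaults: ARP 4 h, MAC 5 min", 14400, 300),
    ("raise MAC aging to 4 h",       14400, 14400),
    ("lower ARP to 5 min",           300,   300),
    ("compromise: 10 min / 10 min",  600,   600),
    ("ARP 270 s below MAC 300 s",    270,   300),
]

def compare(hosts=2000):   # hosts=2000 is a constructed figure
    rows = []
    for label, arp, mac in CANDIDATES:
        rows.append((label, flooded_seconds(arp, mac),
                     round(arp_requests_per_second(arp, hosts), 2)))
    return rows

if __name__ == "__main__":
    for label, flood, rate in compare():
        print(f"{label:32s} flooded {flood:5d} s / 4 h   {rate:6.2f} ARP/s")
```

In this model any pair with the ARP timeout at or below the MAC aging time removes the flooding window; what differs between them is the ARP refresh rate on the router and how long stale MAC entries stay in the table.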
