I have got a problem recently on a LAN where the 4500 switch acts as the L3 switch: a blade center server had a network driver card bug that flooded the 4500 L3 switch, so the CPU was reaching 100%, stopping the whole production.
The sup card is the following: 1 2 Supervisor IV 1000BaseX (GBIC) WS-X4515 JAE0935K45J
The chassis is a cisco WS-C4506 (MPC8245) processor (revision 7) with 524288K bytes of memory.
During the outage, the commands show platform health and show platform cpu packet statistics could be passed, and I got the following; you can notice the large number of L2 Fwd Low.
The problem was stopped by identifying which server was flooding (doing interface vlan shut tries, then watching the servers on the identified vlan) and then stopping the identified server.
Now, the big point for me is to be able to limit such a problem in the future, like limiting the CPU utilisation in case any server on the LAN "ARP floods" the core switch for any reason. I heard about DAI, but it seems to be used with DHCP snooping and builds a table in the config, and I have too many servers in this network (hundreds). I will also set the storm-control functionality, but the 4500s here are old and the unicast limitation does not exist in them, only the broadcast (and multicast in the last version of IOS).
Someone told me about mls rate-limit, but I don't know this functionality.
Can someone give me some guidance about a command that would prevent the core switch from reaching 100%, limiting the ARP requests for example? This is what I need, or another good idea. I thank you for the time you will take to read this post.
show platform cpu packet statistics Packets Dropped In Hardware By CPU Subport (txQueueNotAvail)
With hundreds of servers it looks like a long job, but it should be feasible with one ACL per IP subnet.
With default settings each untrusted port is limited to 15 ARP packets/sec.
Besides this, the configuration guide reports that enabling DAI increases the CPU usage; see this note.
>>"When you enable DAI, all ARP packets are forwarded by CPU (software forwarding, the slow path). With this mechanism, whenever a packet exits through multiple ports, the CPU must create as many copies of the packet as there are egress ports. The number of egress ports is a multiplying factor for the CPU. When QoS policing is applied on egress packets that were forwarded by CPU, QoS must be applied in the CPU as well. (You cannot apply QoS in hardware on CPU generated packets because the hardware forwarding path is turned off for CPU generated packets.) Both factors can drive the CPU to a very high utilization level."
>> ARP policing is not supported on either the classic series supervisor engines or fixed configuration switches. It is supported on the Catalyst 4900M and 4948E switches, Supervisor Engine 6-E, and Supervisor Engine 6L-E.
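As an added example, not configuration taken from the thread, from Cisco documentation, or from the original poster's switches: the per-subnet ARP ACL and per-port ARP rate limit that the reply above describes, written out for one server VLAN, together with the broadcast storm-control the question mentions. The VLAN number, subnet, MAC addresses and interface names are placeholders I chose, and the block assumes the Supervisor IV runs an IOS release that supports DAI (including the burst interval keyword) and storm-control; check your release notes before relying on either.

```cisco
! Added example, not from the thread. Placeholders: VLAN 10 = 10.1.10.0/24,
! Gi1/1 = uplink, Gi2/1 = blade center port; MAC and IP values are made up.

! One ARP ACL per subnet: static IP-to-MAC entries replace the DHCP snooping
! binding table, so DAI can validate ARP without DHCP snooping being enabled.
arp access-list ARP-VLAN10
 permit ip host 10.1.10.11 mac host 0000.1111.aaaa
 permit ip host 10.1.10.12 mac host 0000.1111.bbbb
 deny ip any mac any log

! Enable DAI on the VLAN and bind the ACL. "static" means an ARP packet that
! matches no ACL entry is dropped instead of being checked against DHCP snooping.
ip arp inspection vlan 10
ip arp inspection filter ARP-VLAN10 vlan 10 static

! Keep DAI logging bounded so the log itself does not add CPU load.
ip arp inspection log-buffer entries 256
ip arp inspection log-buffer logs 64 interval 10

! Uplink towards the other switches: trusted, so its ARP is neither inspected
! nor punted to the CPU (see the configuration guide note quoted above).
interface GigabitEthernet1/1
 description uplink
 switchport mode trunk
 ip arp inspection trust

! Server-facing port: untrusted. The explicit limit equals the 15 pps default;
! the burst interval smooths short spikes from hosts that start many VMs at once.
! Broadcast storm-control is the only kind this hardware offers per the thread.
interface GigabitEthernet2/1
 description blade center chassis
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 1
 storm-control broadcast level 2.00 1.00
 storm-control action trap

! A port exceeding the ARP limit is err-disabled; recover it automatically
! rather than leaving production down until someone logs in.
errdisable recovery cause arp-inspection
errdisable recovery interval 300

! Verification, run on the switch after applying the above:
! show ip arp inspection vlan 10
! show ip arp inspection interfaces
! show ip arp inspection statistics vlan 10
! show storm-control GigabitEthernet2/1
```

Two points to keep in mind when adapting this. First, the DAI rate limit is enforced by err-disabling the port, not by throttling it, so a single misbehaving VM on an ESX host takes the whole host's port down; the recovery interval and the burst interval are the knobs that decide how disruptive that is. Second, DAI only sees ARP: a unicast flood of ordinary IP traffic towards the gateway, which the original poster later identifies as the trigger, is not affected by anything in this block and needs the storm-control or hardware policing features the thread notes are missing on this supervisor.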
Giuseppe, I would like to thank you for your response first. That's kind, taking care of my issue.
Did you have the opportunity to implement DAI on some networks, and if yes, what is the real degree of complexity of the implementation, and maybe non-wanted behavior?
This customer runs a lot of blade centers connected to the distribution Cisco switches, and also some ESX hosts running a lot of virtual images; the risk could be to set a bad threshold for the broadcast packet counts and limit normal traffic, as those devices run between 12 and 30 images.
If I understand the implementation, a generic ACL per subnet matching traffic could be implemented, and afterwards a per-port DAI implementation has to be configured with a specific threshold. Am I correct?
The main cause of the initial issue I had was a unicast flood between the server and the core switch gateway; do you think DAI can provide protection against broadcast but also unicast floods?
A ticket is currently being opened by support with the Cisco TAC to discuss this and get the recommendations also.