Alternatives to storm-control on Cat 6509.

• Previous message (by thread): Fwd: [Full-disclosure] Cisco Security Advisory: Firewall Services Module Crafted ICMP Message Vulnerability
• Next message (by thread): Alternatives to storm-control on Cat 6509.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

I have several Catalyst 6500 (Supervisor 32) aggregation switches with WS-X6148A-GE-TX and WS-X6148-GE-TX line cards.

These line cards do not support storm-control/broadcast suppression. This impacted us badly during a recent spanning tree event.

As it stands, we are at risk of overwhelming control planes with excess broadcast or multicast traffic, and I need to find alternative ways to protect these switches.

I have been researching STP enhancements, and control-plane policing in the following documents, and would appreciate advice from engineers who may have had to implement similar workarounds for storm-control in a service provider setting.

* Configuring Denial of Service Protection
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dos.pdf

* Configuring Control Plane Policing
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/cntl_pln.pdf

* Configuring Optional STP Features
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/stp_enha.pdf

So, if we can't mitigate against STP events using storm-control or broadcast suppression, what might be the best combination of STP enhancements and control-plane policing?

For example, is it possible to rate-limit broadcast/multicast, STP and ARP on a per VLAN basis? If so, how?

Many thanks,

P


--
Peter George
Lumison
t: 0845 1199 900
d: 0131 514 4022

P.S. Lumison have changed the way businesses communicate forever http://www.unified-communications.net/



________________________________
--

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender. Any
offers or quotation of service are subject to formal specification.
Errors and omissions excepted. Please note that any views or opinions
presented in this email are solely those of the author and do not
necessarily represent those of Lumison.
Finally, the recipient should check this email and any attachments for the
presence of viruses. Lumison accept no liability for any
damage caused by any virus transmitted by this email.

• Previous message (by thread): Fwd: [Full-disclosure] Cisco Security Advisory: Firewall Services Module Crafted ICMP Message Vulnerability
• Next message (by thread): Alternatives to storm-control on Cat 6509.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]