ME 3600 RP and BFD affected by loop (DoS) on CE LAN with non-intelligent SW

Hello all

We implemented a METRO running MPLS L3 VPN on 100+ sites.

The ring topology connects several ME-3600X-24FS-M -  IOS Version 12.2(52)EY2.

The issue we are facing is caused by the fact that most customers connected to the METRO don't have intelligent L2/L3 switches or routers and are using the L3 interface on the ME as the default gateway for their LANs. Not a good design, I would say, but we can't change that at the moment.

L3 interface on ME (PE) to LAN SW (CE):

interface GigabitEthernet0/7
 description CONEXAO CE XXX
 port-type nni
 no switchport
 ip vrf forwarding GLOBAL
 ip address 10.xx.0.1 255.255.255.0

Where the IP address above is the default GW for the customer LAN.

The links between MEs are configured this way:

 description UPLINK ME-ME
 port-type nni
 no switchport
 mtu 1600
 ip address 10.XX.YY.WW 255.255.255.252
 no ip redirects
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 7 135740425E5E547B7A76786166381C2324
 ip ospf network point-to-point
 ip ospf mtu-ignore
 mpls ip
 bfd interval 70 min_rx 70 multiplier 3

When a loop happens in a customer LAN, for instance by connecting the same cable to two distinct interfaces on the same switch, the RP CPU goes above 40% and BFD drops the connection between the MEs; the OSPF and BGP adjacencies are also killed.

We are pursuing ways to reduce the impact of the DoS, but so far no definitive solution has been found.

1) Control Plane Policy cannot be implemented because most features on IOS 12.2EY are not available in IOS 15.2(2)S or above for CPP.

2) Storm Control seems to be enabled on L3 interfaces (strange, because it should be L2 only) and we tested it in a LAB for broadcast, but it only works for certain types of traffic generated by the loop (CDP and STP not included):

interface GigabitEthernet0/1
 port-type nni
 no switchport
 no ip address
 storm-control broadcast level 6.00
 storm-control action shutdown

3) We are also considering changing the BFD parameters on the uplinks to the other MEs, but so far we do not have values that would avoid the incident.

Can anyone please help and advise on possible solutions to prevent customer LANs from causing this type of issue on the ME3600?

Regards

Pedro
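The post lists two knobs that are being tried against the loop: storm-control on the CE-facing routed ports and the BFD timers on the uplinks. A small config audit that checks both across a whole ring is a useful defender's tool here. The script below is an added example, not code from the poster or from Cisco; it works on a constructed sample config modelled on the stanzas in the post (the addresses and descriptions are placeholders, not the poster's real values). It assumes the PE-CE ports are the routed ports that carry `ip vrf forwarding`, and that the uplinks are the ports with `mpls ip` and a `bfd interval` line. The BFD detection time is computed as interval multiplied by multiplier, which holds when both ends are configured symmetrically, as the uplinks in the post are.

```python
"""Audit a Cisco-IOS-style running config for two conditions from the post:
CE-facing routed ports without storm-control, and BFD detection time on uplinks.
Added example, not the poster's or Cisco's code."""
import re

# Constructed sample config in the style of the post; values are placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/7
 description CONEXAO CE XXX
 port-type nni
 no switchport
 ip vrf forwarding GLOBAL
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 description UPLINK ME-ME
 port-type nni
 no switchport
 mtu 1600
 ip address 10.1.1.1 255.255.255.252
 mpls ip
 bfd interval 70 min_rx 70 multiplier 3
!
interface GigabitEthernet0/2
 description CE port that already has storm control
 no switchport
 ip vrf forwarding GLOBAL
 ip address 10.0.1.1 255.255.255.0
 storm-control broadcast level 6.00
 storm-control action shutdown
!
"""

BFD_RE = re.compile(r"bfd interval (\d+) min_rx (\d+) multiplier (\d+)")


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None  # end of stanza
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def is_routed(lines):
    """Routed port: 'no switchport' plus an IP address."""
    return "no switchport" in lines and any(l.startswith("ip address ") for l in lines)


def is_ce_facing(lines):
    """Heuristic (assumption): CE ports carry a VRF and do not run MPLS."""
    has_vrf = any(l.startswith("ip vrf forwarding") for l in lines)
    return is_routed(lines) and has_vrf and "mpls ip" not in lines


def bfd_detect_time_ms(lines):
    """Detection time in ms = negotiated interval * multiplier, assuming the
    peer is configured symmetrically. None if no BFD line is present."""
    for l in lines:
        m = BFD_RE.match(l)
        if m:
            interval, min_rx, mult = map(int, m.groups())
            return max(interval, min_rx) * mult
    return None


def audit(config):
    """Return a list of (interface, finding) tuples."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if is_ce_facing(lines) and not any(l.startswith("storm-control") for l in lines):
            findings.append((name, "CE-facing routed port without storm-control"))
        detect = bfd_detect_time_ms(lines)
        if detect is not None:
            findings.append((name, f"BFD detection time {detect} ms"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Run against a `show running-config` dump saved to a file by replacing `SAMPLE_CONFIG` with the file contents. With the 70 ms / multiplier 3 timers from the post the uplink detection time is 210 ms, which is the window a sustained RP CPU spike has to exceed before BFD tears the session down; raising the timers trades faster failure detection for tolerance of such spikes, and the audit makes that number visible per uplink.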
