Means for monitoring storm (bcast,unicast) on 3560E's or 7600's

Alexander Demin
Level 1

Hello!

There is a port on a 3560E, facing a POP; this port is in a dedicated VLAN that is terminated on a 7606 SVI (peering point).

There is configuration on the 3560E port that prevents storms of the unicast or broadcast kind. This is:

switchport block multicast
switchport port-security maximum 1000
switchport port-security
switchport port-security violation restrict

storm-control broadcast level bps 1m
storm-control multicast level bps 1m
storm-control action shutdown
storm-control action trap
no cdp enable
no lldp transmit
no lldp receive
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

During a storm attack I only get logging messages like this:

%PM-4-ERR_DISABLE: storm-control error detected on Te0/1, putting Te0/1 in err-disable state
%STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Te0/1. The interface has been disabled.
%LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface TenGigabitEthernet0/1, changed state to down

%PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Te0/1
%LINK-3-UPDOWN: Interface TenGigabitEthernet0/1, changed state to up

I want to get info not only about the fact of a storm attack but also at least its source and destination (i.e. source and/or destination MAC).

Perhaps this could be some logging messages...

Are there any means for this on C3560E-UNIVERSAL-M (IOS ver 12.2(53)SE2) and 7606-S (ADVIPSERVICESK9-M IOS ver 12.2(33)SRC5)?

Thanks in advance.

DAO21-RIPE

cadet alain
VIP Alumni

Hi,

What about putting an ACL permitting anything, with the log-input keyword, on your 7600 in the out direction towards the 3560 which is suffering from this storm?

If I'm not mistaken, configuring storm control for multicast will also trigger for unicast, so maybe this is normal traffic triggering your storm-control.

Regards.

Don't forget to rate helpful posts.

I think it's not a good idea due to the CPU and logging facility impact. Turning this logging on only during a storm seems not to be possible: who knows when the storm will begin again? AFAIK, logging works only for ingress traffic.

I read about Unicast Flood Protection for 6500 (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/command/reference/I1.html#wp1279710).

Here is what I probably need (but how are these options configured for the 7600 or 3560?):

Most switches implement no special command to detect flooding. Catalyst 6500/6000 Supervisor Engine 2 and higher series switches running Cisco IOS System software (Native) version 12.1(14)E and higher or Cisco CatOS system software version 7.5 or higher implement the 'unicast flood protection' feature. In short, this feature allows the switch to monitor the amount of unicast flooding per VLAN and take a specified action if flooding exceeds a specified amount. Actions can be to syslog, limit or shutdown the VLAN, the syslog being the most useful for flood detection. When flooding exceeds the configured rate and the action configured is syslog, a message similar to the following will be printed:

%UNICAST_FLOOD-4-DETECTED: Host 0000.0000.2100 on vlan 1 is flooding 
to an unknown unicast destination at a rate greater than/equal to 1 Kfps

The MAC address indicated is the source MAC from which the packets are flooded on this switch. It is often needed to know the destination MAC addresses to which the switch is flooding (because the switch is forwarding by looking at the destination MAC address). Cisco IOS (Native) versions 12.1(20)E for Catalyst 6500/6000 Supervisor Engine 2 and on will implement the capability to display the MAC addresses to which flooding is occurring:

cat6000#sh mac-address-table unicast-flood 
Unicast Flood Protection status: enabled

Configuration:
vlan      Kfps         action       timeout
------+----------+-----------------+----------
   55          1             alert      none

Mac filters:
No.   vlan   souce mac addr.           installed on           time left (mm:ss)
-----+------+-----------------+------------------------------+------------------

Flood details:
Vlan   souce mac addr.              destination mac addr.
------+----------------+-------------------------------------------------
   55   0000.2222.0000    0000.1111.0029, 0000.1111.0040, 0000.1111.0063
                          0000.1111.0018, 0000.1111.0090, 0000.1111.0046
                          0000.1111.006d

Further investigation can then be carried out to see if MAC address 0000.2222.0000 is supposed to be sending traffic to the MAC addresses listed in the destination MAC address section. If traffic is legitimate, then one would need to establish why the destination MAC addresses are not known to the switch.

DAO21-RIPE
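As an added example (not from the thread or from Cisco), a small Python parser that pulls the source MAC out of the %UNICAST_FLOOD-4-DETECTED syslog message and the source-to-destination mapping out of the "Flood details" table, including the wrapped continuation rows; the sample input is constructed from the output quoted above, and the storm-control message is included to show it carries no MAC and is skipped.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the syslog line and the "Flood details"
# section of `show mac-address-table unicast-flood` quoted in the thread.
SYSLOG_SAMPLE = [
    "%STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Te0/1. "
    "The interface has been disabled.",
    "%UNICAST_FLOOD-4-DETECTED: Host 0000.0000.2100 on vlan 1 is flooding "
    "to an unknown unicast destination at a rate greater than/equal to 1 Kfps",
]
FLOOD_DETAILS_SAMPLE = """\
Flood details:
Vlan   souce mac addr.              destination mac addr.
------+----------------+-------------------------------------------------
   55   0000.2222.0000    0000.1111.0029, 0000.1111.0040, 0000.1111.0063
                          0000.1111.0018, 0000.1111.0090, 0000.1111.0046
                          0000.1111.006d
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
FLOOD_MSG = re.compile(r"%UNICAST_FLOOD-4-DETECTED: Host (?P<src>" + MAC
                       + r") on vlan (?P<vlan>\d+) .*?(?P<rate>\d+) Kfps")
# First row of an entry: vlan, source MAC, then a comma-separated MAC list.
ROW = re.compile(r"^\s*(?P<vlan>\d+)\s+(?P<src>" + MAC + r")\s+(?P<dsts>.*)$")
# IOS wraps long destination lists onto indented lines holding only MACs.
CONT = re.compile(r"^\s+(?P<dsts>" + MAC + r"(?:,\s*" + MAC + r")*)\s*$")


def _macs(field):
    return [d.strip() for d in field.split(",") if d.strip()]


def parse_flood_syslog(lines):
    """Return (vlan, source_mac, kfps) for each UNICAST_FLOOD message."""
    hits = []
    for line in lines:
        m = FLOOD_MSG.search(line)
        if m:
            hits.append((int(m["vlan"]), m["src"], int(m["rate"])))
    return hits


def parse_flood_details(text):
    """Map (vlan, source_mac) -> destination MACs, joining continuation rows."""
    table, key = defaultdict(list), None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            key = (int(m["vlan"]), m["src"])
            table[key] += _macs(m["dsts"])
        elif key and (c := CONT.match(line)):
            table[key] += _macs(c["dsts"])
    return dict(table)
```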