Best config for an etherchannel

tylerhall
Level 1

I have a simple etherchannel bridging two 3560Gs, the ether channel is a 2 x 1GB copper port, giving me a total of 2GB of connectivity.

I have this command in the config so it load balances the traffic somewhat correctly:

port-channel load-balance src-dst-ip

While this has worked in the past, we had an issue last night that I'm trying to prevent in the future.

One customer (on one IP) launched a DDOS attack to another IP, which generated a gig of transfer.

Based on the port-channel rules, it load balances based on source and dest IP and if the source and dest IP are the same, it's going to use the same port channel, therefore it saturated one of the port channels, while the other one was only 10% used.

Is there a better way to really 'load balance' traffic on these two connections to prevent something like this in the future?

Thanks

Accepted Solution

Peter Paluch
Cisco Employee

Hello Tyler,

Is there a better way to really 'load balance' traffic on these two connections to prevent something like this in the future?

Sadly, I am afraid there is no easy solution to this. First of all, most (if not all) Cisco switching platforms have a per-platform configurable load balancing mechanism only, meaning that you cannot even change the load balancing mechanism on a per-port-channel basis. Taking both source and destination IP into account when load-balancing the traffic is the most universal choice, and even if you decide to use just the source or just the destination IP (with an educated guess about which address field provides the most diversity), there can be a packet flow present that has exactly this field constant, resulting in its being placed on a single physical link only. Cisco does not implement round-robin load balancing on EtherChannels, meaning that using EtherChannels alone, there is no prevention against "polarizing" the traffic onto a single link in an EtherChannel bundle.

You could theoretically try to configure storm control on your ports to prevent excessive floods from wreaking havoc but that is just a reactive solution and does not really address the problem. Apart from this, though, I am afraid there are no more options left. I hope I am wrong but as I see it, the chances are grim.

Best regards,

Peter
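To make the polarization described above concrete, here is an added example (not from the original thread and not Cisco's code) that models a two-link EtherChannel and shows that, whichever address field feeds the hash, a single source/destination pair is always pinned to one member link. The hash is simplified to an XOR of the low 3 bits of the selected address fields, the 8-bucket spread and the modulo mapping to links are assumptions, and the traffic sample is constructed from documentation address ranges.

```python
import ipaddress

BUCKETS = 8  # modelled: the hash yields a 3-bit value, spread over the member links

def _low_bits(ip: str) -> int:
    """Low 3 bits of an IP address (a stand-in for the real hardware hash input)."""
    return int(ipaddress.ip_address(ip)) & (BUCKETS - 1)

# Which header fields feed the hash, as selected by `port-channel load-balance <policy>`.
POLICIES = {
    "src-ip":     lambda src, dst: _low_bits(src),
    "dst-ip":     lambda src, dst: _low_bits(dst),
    "src-dst-ip": lambda src, dst: _low_bits(src) ^ _low_bits(dst),
}

def bucket_counts(n_links: int) -> list:
    """How many of the 8 hash buckets each member link receives (e.g. 3 links -> 3:3:2)."""
    counts = [0] * n_links
    for bucket in range(BUCKETS):
        counts[bucket % n_links] += 1
    return counts

def member_link(src: str, dst: str, policy: str, n_links: int) -> int:
    """Index of the one physical link every frame of this (src, dst) pair is sent on."""
    return POLICIES[policy](src, dst) % n_links

def link_load(flows, policy: str, n_links: int) -> list:
    """Per-link Mbps when each flow (src, dst, mbps) is pinned to a single link."""
    load = [0.0] * n_links
    for src, dst, mbps in flows:
        load[member_link(src, dst, policy, n_links)] += mbps
    return load

# Constructed traffic sample: 40 customer flows of 5 Mbps spread over many address
# pairs, plus one 1000 Mbps flood between a single pair (the scenario in the post).
BACKGROUND = [(f"203.0.113.{i}", f"198.51.100.{(i * 13) % 17 + 1}", 5.0) for i in range(1, 41)]
FLOOD = ("203.0.113.10", "198.51.100.20", 1000.0)

def report(n_links: int = 2, capacity_mbps: float = 1000.0) -> dict:
    """Per policy: per-link load and whether the flood alone fills one member link."""
    result = {}
    for policy in POLICIES:
        load = link_load(BACKGROUND + [FLOOD], policy, n_links)
        result[policy] = {"load": load, "saturated": max(load) >= capacity_mbps}
    return result

if __name__ == "__main__":
    for policy, r in report().items():
        print(f"{policy:11s} per-link Mbps={r['load']}  saturated={r['saturated']}")
```

Feeding the model your own address pairs predicts which member link a given flow will occupy, which is useful for capacity planning even though it cannot change the hash.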


4 Replies


Joseph W. Doherty
Hall of Fame

So you're saying you wanted the DDOS to saturate both your Etherchannel links? 

Seriously, though, unfortunately, you can run into a "corner case" with any selected load balancing algorithm, as they are all static. The best you can do is select the one that works best for your traffic mix, either most of the time, or during critical bandwidth usage times.

The only better option is using dynamic load balancing, but generally that's not available on low level devices and/or high speed links.

Joseph,

I'm so happy to meet you after quite a while again! I know it was my fault, though, I was just swamped the last few months with work.

So you're saying you wanted the DDOS to saturate both your Etherchannel links? 

ROFL

Best regards,

Peter

tylerhall
Level 1

Thanks guys.
