DCHP discover packet rate-limiting

chris.smailes · ‎09-12-2012

Hi All, I wonder if anyone could please help with this question: We have a number of 6509s which generally have dhcp relay agents configured on the SVIs. The dhcp servers are centralised. Recently we've had one or two faults with misconfigured or faulty devices (blade server chassis and also printers) generating high volumes of dhcp discover packets and causing high cpu on the relevant 6500. I would like to rate limit these discover packets, which are layer 2 broadcasts, and was wondering if anyone had done this. Storm control can't discriminate between different types of broadcasts and on a gig link would need to be set down at about 1% to have much effect on the problem. I've looked at CoPP and also mls hardware rate-limiting but as I understand it, these two features don't control broadcast traffic. I also looked at dhcp snooping but if an interface receives a high level of dhcp discover broadcasts, e.g. over 100pps, I don't want it to go error-disabled (as this would knock down the whole edge switch), just to drop the excess packets. I'd be glad of any advice received. Thanks.

krun_shah · ‎09-12-2012

How about enabling dhcp snooping on edge switch and enabling dhcp snooping rate limiting on layer 2 interfaces of same switch.

chris.smailes · ‎09-27-2012

Hi krun shah - thanks for the reply. - I've just seen it as I've been away. But as I understand it if I enable dhcp snooping with rate limiting and the rate limit is exceeded it will put the interface into the error-disabled state which is not what I want as this will knock off the whole switch connected to that port - I really just want the dhcp discover packets to be dropped.