Hi Vincent,

I'm saying it works just fine but the implementation is sucky. I use it extensively but you just need to set your thresholds pretty high to make sure they aren't tripped. I also usually have it just filter rather than shut the port; that way it will auto-recover.

As to what 'pretty high' is, you will have to figure out what works for you. For my customers using 10-30Mb something in the order of 10000pps is plenty.

Steve

On Tue, Jul 03, 2007 at 02:49:14PM +0200, Vincent De Keyzer wrote:
> Basically I have two answers now:
> 1. Eric points me to asymmetric traffic/routing and MAC/ARP timeouts
> 2. Stephen says "unicast storm-control" does not work properly by design (or
> because of Microsoft, depending on which side you are on :)
>
> Now, if anybody has successfully implemented "unicast storm-control", and
> only sees a few breaches from time to time, I'd be interested to hear this.
>
> In the meanwhile, I'll investigate Eric's track, and let you know (might
> eventually open a case at TAC with this).
>
> Thanks
>
> Vincent
>
> > If you have HSRP enabled on layer-3 switches, make sure that the
> > mac-address-table aging-time is set to 14400 seconds or better so that
> > it will not age out before the ARP entry for any given host.
> >
> > The problem with HSRP is that both the standby and active router can
> > forward traffic into the VLAN, but only the HSRP active receives the
> > return traffic. There are many configurations where the only unicast
> > traffic (which is required to populate the mac-address-table) the HSRP
> > standby will receive from a host is the direct response to an ARP
> > request every 4 hours. With the default mac-aging time of 300 seconds,
> > that means that your HSRP standby switch/router would potentially only
> > have a valid layer-2 forwarding interface defined for 5 minutes after an
> > ARP is completed to the host. After 5 minutes, the router still
> > maintains the ARP entry so it knows which MAC to address the traffic to,
> > but when it gets sent to the layer-2 portion of the switch the
> > mac-address-table interface mapping is gone so the switch is forced to
> > flood the frame out to all interfaces on the VLAN. This flooding will
> > continue for the next 3 hours and 55 minutes until the HSRP standby
> > router issues another ARP request for the host.
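The MAC-aging versus ARP-timeout mismatch described in the quoted HSRP explanation can be checked offline against a saved configuration. The sketch below is an added example, not part of the original thread; the function name `flood_windows` and the sample configuration are constructed, and it assumes IOS-style `mac-address-table aging-time` lines and `arp timeout` lines under `interface Vlan` blocks.

```python
import re

# Defaults as stated in the thread: MAC aging 300 s, ARP refresh every 4 hours.
DEFAULT_MAC_AGING = 300
DEFAULT_ARP_TIMEOUT = 4 * 3600

MAC_RE = re.compile(r"^mac[- ]address-table aging-time (\d+)(?: vlan (\d+))?\s*$")
IF_RE = re.compile(r"^interface Vlan(\d+)\s*$", re.IGNORECASE)
ARP_RE = re.compile(r"^\s+arp timeout (\d+)\s*$")

# Constructed sample configuration (documentation addresses, hypothetical VLANs).
SAMPLE = """\
mac-address-table aging-time 300
interface Vlan10
 standby 10 ip 192.0.2.1
interface Vlan20
 arp timeout 300
mac-address-table aging-time 14400 vlan 30
interface Vlan30
 standby 30 ip 203.0.113.1
"""

def flood_windows(config):
    """Return {vlan: seconds per ARP cycle with an ARP entry but no MAC entry}."""
    global_aging, vlan_aging, arp, current = DEFAULT_MAC_AGING, {}, {}, None
    for line in config.splitlines():
        if m := MAC_RE.match(line):
            if m.group(2):
                vlan_aging[int(m.group(2))] = int(m.group(1))
            else:
                global_aging = int(m.group(1))
            current = None
        elif m := IF_RE.match(line):
            current = int(m.group(1))
            arp[current] = DEFAULT_ARP_TIMEOUT
        elif (m := ARP_RE.match(line)) and current is not None:
            arp[current] = int(m.group(1))
        elif line and not line[0].isspace():
            current = None  # any other top-level line ends the interface block
    out = {}
    for vlan, arp_t in arp.items():
        aging = vlan_aging.get(vlan, global_aging)
        # aging-time 0 disables aging, so the MAC entry never expires
        out[vlan] = 0 if aging == 0 else max(0, arp_t - aging)
    return out

if __name__ == "__main__":
    print(flood_windows(SAMPLE))
```

A non-zero value is the part of each ARP cycle during which the standby router can still address a host but the switch has to flood the frame, which is the traffic a unicast storm-control threshold would then count.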