Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide, Release 4.2.x
Implementing Traffic Storm Control under a VPLS Bridge
Downloads: This chapterpdf (PDF - 1.35MB) The complete bookPDF (PDF - 3.44MB) | Feedback

Implementing Traffic Storm Control under a VPLS Bridge

Contents

Implementing Traffic Storm Control under a VPLS Bridge

Traffic storm control provides Layer 2 port security under a Virtual Private LAN Services (VPLS) bridge by preventing excess traffic from disrupting the bridge. This module describes how to implement traffic storm control.

Feature History for Traffic Storm Control

Release

Modification

Release 3.7.2

Support was added for traffic storm control under a VPLS bridge.

Release 5.1

Support was added for:
  • configuring storm control at bridge domain level
  • allow storm control rate to be configured in kbps instead of pps

Prerequisites for Implementing Traffic Storm Control

The following prerequisites are required before implementing traffic storm control:

  • The network must be configured with a VPLS bridge domain in an MPLS Layer 2 VPN.
  • You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Restrictions for Implementing Traffic Storm Control

In Cisco IOS XR software Release 3.7.0 FCI, the following restrictions apply:

  • Traffic storm control is not supported directly on the bridge domain. The feature must be configured on Ethernet flow points (EFPs) under the bridge domain, using bridge domain submodes. The supported submodes are those used for configuring ACs and access PWs.
  • Traffic storm control is not supported for aggregated EFPs (bundles).
  • Traffic storm control is not supported for forwarding pseudowires (VFI PWs).
  • Immediately after an route switch processor (RSP) failover, traffic storm control drop counters might not be accurate. This loss of counter information after a failover is expected behavior for Cisco IOS XR software counters.
  • No alarms are generated when packets are dropped.

Information About Implementing Traffic Storm Control

To implement traffic storm control, you should understand the following concepts:

Understanding Traffic Storm Control

A traffic storm occurs when packets flood a VPLS bridge, creating excessive traffic and degrading network performance. Traffic storm control prevents VPLS bridge disruption by suppressing traffic when the number of packets reaches configured threshold levels. You can configure separate threshold levels for different types of traffic on each port under a VPLS bridge.

Traffic storm control monitors incoming traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any 1-second interval. The 1-second interval is set in the hardware and is not configurable. The number of packets allowed to pass during the 1-second interval is configurable, per port, per traffic type. During this interval, it compares the traffic level with the traffic storm control level that the customer configures.

When the incoming traffic reaches the traffic storm control level configured on the bridge port, traffic storm control drops traffic until the end of storm control interval.

Traffic storm control level can be configured separately for these traffic types:
  • Broadcast Traffic
  • Multicast Traffic
  • Unknown Unicast Traffic

The thresholds are configured using a packet-per-second (pps) rate. When the number of packets of the specified traffic type reaches the threshold level on a port, the port drops any additional packets of that traffic type for the remainder of the 1-second interval. At the beginning of a new 1-second interval, traffic of the specified type is allowed to pass on the port.

Traffic storm control has little impact on router performance. Packets passing through ports are counted regardless of whether the feature is enabled. Additional counting occurs only for the drop counters, which monitor dropped packets.

No alarms are produced when packets are dropped.


Note


  • Bridge Protocol Data Unit (BPDU) packets are not filtered through the storm control feature.
  • Tunneled BPDU packets are filtered as they are forwarded into bridge.
  • Traffic storm control is applied to only forwarded packets in the system.

Traffic Storm Control Defaults

  • The traffic storm control feature is disabled by default. It must be explicitly enabled on each port for each traffic type.
  • The traffic storm control monitoring interval is set in the hardware and is not configurable. On Cisco ASR 9000 Series Router, the monitoring interval is always 1 second.

Supported Traffic Types for Traffic Storm Control

On each VPLS bridge port, you can configure up to three storm control thresholds—one for each of the supported traffic types. If you do not configure a threshold for a traffic type, then traffic storm control is not enabled on that port or interface for that traffic type.

The supported traffic types are:

  • Broadcast traffic—Packets with a packet destination MAC address equal to FFFF.FFFF.FFFF.
  • Multicast traffic—Packets with a packet destination MAC address not equal to the broadcast address, but with the multicast bit set to 1. The multicast bit is bit 0 of the most significant byte of the MAC address.
  • Unknown unicast traffic—Packets with a packet destination MAC address not yet learned.

Traffic storm control does not apply to bridge protocol data unit (BPDU) packets. All BPDU packets are processed as if traffic storm control is not configured.

Supported Ports for Traffic Storm Control

In Cisco IOS XR software Release 3.7.0 FCI, you can configure traffic storm control on the following components under a VPLS bridge domain:

  • VPLS bridge domain ACs
  • VPLS bridge domain access PWs

Traffic Storm Control Thresholds

Traffic storm control thresholds are configured at a packet-per-second rate. A threshold is the number of packets of the specified traffic type that can pass on a port during a 1-second interval. Valid values for traffic storm control thresholds are integers from 1 to 160000. The maximum value would permit about 19 percent of bandwidth to pass per second on a 10-Gbps link, assuming a 1500-byte packet size.

Traffic Storm Control Drop Counters

Traffic storm control counts the number of packets dropped per port and traffic type. The drop counters are cumulative until you explicitly clear them. Use the show l2vpn bridge-domain detail and show l2vpn forwarding detail commands to see drop counts. Use the clear l2vpn forwarding counters command to clear drop counters.

How to Configure Traffic Storm Control

This section describes how to configure traffic storm control:

Enabling Traffic Storm Control on an AC under a Bridge

Perform this task to enable traffic storm control on an AC under a VPLS bridge. The following task shows how to enable traffic storm control on an AC that is a VLAN on an Ethernet interface.


Note


To disable traffic storm control, navigate to the submode you were in when you enabled the feature, and issue the no form of the command.


SUMMARY STEPS

    1.    configure

    2.    l2vpn

    3.    bridge group bridge-group-name

    4.    bridge-domain bridge-domain-name

    5.    interface interface-name

    6.    storm-control {broadcast | multicast | unknown-unicast} pps packet-threshold

    7.    Use the commit or end command.

    8.    show l2vpn bridge-domain bd-name bridge-name detail


DETAILED STEPS
     Command or ActionPurpose
    Step 1 configure


    Example:
    RP/0/RSP0/CPU0:router# configure
     

    Enters global configuration mode.

     
    Step 2l2vpn


    Example:
    RP/0/0/CPU0:router(config)# l2vpn
    RP/0/0/CPU0:router(config-l2vpn)#
    
     

    Enters L2 VPN configuration mode.

     
    Step 3bridge group bridge-group-name


    Example:
    RP/0/0/CPU0:router(config-l2vpn)# bridge group csco
    RP/0/0/CPU0:router(config-l2vpn-bg)#
    
     

    Enters L2 VPN bridge group configuration mode.

     
    Step 4bridge-domain bridge-domain-name


    Example:
    RP/0/0/CPU0:router(config-l2vpn-bg)# bridge-domain abc
    RP/0/0/CPU0:router(config-l2vpn-bg-bd)#
    
     

    Enters L2 VPN bridge domain configuration mode.

     
    Step 5interface interface-name


    Example:
    RP/0/0/CPU0:router(config-l2vpn-bg-bd)# interface GigabitEthernet0/1/0/0.100
    RP/0/0/CPU0:router(config-l2vpn-bg-bd-ac)#
    
     

    Names an AC under the bridge domain. In this case, the AC is a VLAN on an Ethernet interface.

     
    Step 6storm-control {broadcast | multicast | unknown-unicast} pps packet-threshold


    Example:
    RP/0/0/CPU0:router(config-l2vpn-bg-bd-ac)# storm-control broadcast pps 4500
    RP/0/0/CPU0:router(config-l2vpn-bg-bd-ac)#
    storm-control multicast pps 500
    RP/0/0/CPU0:router(config-l2vpn-bg-bd-ac)#
    
     

    Enables traffic storm control on this interface for the specified traffic type. Repeat this command for each traffic type.

    The packet-threshold is a packet per second rate and must be an integer between 1 and 160000. It specifies the number of packets that will be allowed to pass on the interface for the specified traffic type during a 1-second interval.

     
    Step 7 Use the commit or end command.  

    commit—Saves the configuration changes, and remains within the configuration session.

    end—Prompts user to take one of these actions:
    • Yes— Saves configuration changes and exits the configuration session.
    • No—Exits the configuration session without committing the configuration changes.
    • Cancel—Remains in the configuration mode, without committing the configuration changes.
     
    Step 8show l2vpn bridge-domain bd-name bridge-name detail


    Example:
    RP/0/0/CPU0:router# show l2vpn bridge-domain bd-name abc detail
    
     

    Displays storm control configuration.

     

    Enabling Traffic Storm Control on a PW under a Bridge

    Perform this task to enable traffic storm control on a pseudowire under a VPLS bridge.


    Note


    To disable traffic storm control, navigate to the submode you were in when you enabled the feature, and issue the no form of the command.


    SUMMARY STEPS

      1.    configure

      2.    l2vpn

      3.    bridge group bridge-group-name

      4.    bridge-domain bridge-domain-name

      5.    neighbor address pw-id id

      6.    storm-control {broadcast | multicast | unknown-unicast} pps packet-threshold

      7.    Use the commit or end command.

      8.    show l2vpn bridge-domain bd-name bridge-name detail


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 configure


      Example:
      RP/0/RSP0/CPU0:router# configure
       

      Enters global configuration mode.

       
      Step 2l2vpn


      Example:
      RP/0/0/CPU0:router(config)# l2vpn
      RP/0/0/CPU0:router(config-l2vpn)#
      
       

      Enters L2 VPN configuration mode.

       
      Step 3bridge group bridge-group-name


      Example:
      RP/0/0/CPU0:router(config-l2vpn)# bridge group csco
      RP/0/0/CPU0:router(config-l2vpn-bg)#
      
       

      Enters L2 VPN bridge group configuration mode.

       
      Step 4bridge-domain bridge-domain-name


      Example:
      RP/0/0/CPU0:router(config-l2vpn-bg)# bridge-domain abc
      RP/0/0/CPU0:router(config-l2vpn-bg-bd)#
      
       

      Enters L2 VPN bridge domain configuration mode.

       
      Step 5neighbor address pw-id id


      Example:
      RP/0/0/CPU0:router(config-l2vpn-bg-bd)# neighbor 1.1.1.1 pw-id 100
      RP/0/0/CPU0:router(config-l2vpn-bg-bd-pw)#
      
       

      Names an access pseudowire under the bridge domain.

      Note   

      You cannot apply storm control on a forwarding PW (a PW under a VFI).

       
      Step 6storm-control {broadcast | multicast | unknown-unicast} pps packet-threshold


      Example:
      RP/0/0/CPU0:router(config-l2vpn-bg-bd-pw)# storm-control broadcast pps 4500
      RP/0/0/CPU0:router(config-l2vpn-bg-bd-pw)#
      storm-control multicast pps 500
      RP/0/0/CPU0:router(config-l2vpn-bg-bd-pw)#
      
       

      Enables traffic storm control on this pseudowire for the specified traffic type. Repeat this command for each traffic type.

      The packet-threshold is a packet per second rate and must be an integer between 1 and 160000. It specifies the number of packets that will be allowed to pass on the interface for the specified traffic type during a 1-second interval.

       
      Step 7 Use the commit or end command.  

      commit—Saves the configuration changes, and remains within the configuration session.

      end—Prompts user to take one of these actions:
      • Yes— Saves configuration changes and exits the configuration session.
      • No—Exits the configuration session without committing the configuration changes.
      • Cancel—Remains in the configuration mode, without committing the configuration changes.
       
      Step 8show l2vpn bridge-domain bd-name bridge-name detail


      Example:
      RP/0/0/CPU0:router# show l2vpn bridge-domain bd-name csco detail 
      
       

      Displays storm control configuration settings for the named bridge domain. This command also displays the drop counter values for each configured storm control instance.

       

      Clearing Traffic Storm Control Drop Counters

      Perform this task to reset traffic storm control drop counters to zero.

      SUMMARY STEPS

        1.    clear l2vpn forwarding counters


      DETAILED STEPS
         Command or ActionPurpose
        Step 1clear l2vpn forwarding counters


        Example:
        RP/0/0/CPU0:router# clear l2vpn forwarding counters
        
         

        Clears l2vpn forwarding counters, including storm control drop counters.

         

        Configuration Examples for Traffic Storm Control

        This section includes the following configuration examples:

        Configuring Traffic Storm Control on an AC: Example

        The following example shows broadcast and multicast storm control configuration on an AC under a VPLS bridge.

        RP/0/RSP0/CPU0:router# show run 
        
        [lines deleted]
        
        bridge group 215
          bridge-domain 215
           mtu 9000
           interface GigabitEthernet0/1/0/3.215
            storm-control multicast pps 500
            storm-control broadcast pps 4500
           !
        [lines deleted]
        
        
        RP/0/RSP0/CPU0:router# show l2vpn bridge-domain bd-name 215 detail 
        Bridge group: 215, bridge-domain: 215, id: 3, state: up, ShgId: 0, MSTi: 0
          MAC learning: enabled
          MAC withdraw: disabled
          Flooding:
            Broadcast & Multicast: enabled
            Unknown unicast: enabled
          MAC aging time: 300 s, Type: inactivity
          MAC limit: 4000, Action: none, Notification: syslog
          MAC limit reached: no
          Security: disabled
          Split Horizon Group: none
          DHCPv4 snooping: disabled
          IGMP Snooping profile: none
          Bridge MTU: 9000
          Filter MAC addresses:
          ACs: 2 (2 up), VFIs: 1, PWs: 1 (1 up)
          List of ACs:
            AC: GigabitEthernet0/1/0/3.215, state is up
              Type VLAN; Num Ranges: 1
             vlan ranges: [100, 100]
              MTU 9008; XC ID 0x440005; interworking none; MSTi 0 (unprotected)
              MAC learning: enabled
              Flooding:
                Broadcast & Multicast: enabled
                Unknown unicast: enabled
              MAC aging time: 300 s, Type: inactivity
              MAC limit: 4000, Action: none, Notification: syslog
              MAC limit reached: no
              Security: disabled
              Split Horizon Group: none
              DHCPv4 snooping: disabled
              IGMP Snooping profile: none
        
              Storm Control:
               Broadcast: enabled(4500)
               Multicast: enabled(500)
               Unknown unicast: disabled
              Static MAC addresses:
              Statistics:
                packet totals: receive 36728, send 31
                byte totals: receive 2791284, send 2318
                Storm control drop counters: 
                  packet totals: broadcast 0, multicast 0, unknown unicast 0 
                  byte totals: broadcast 0, multicast 0, unknown unicast 0 
        [lines deleted]
        

        Configuring Traffic Storm Control on an Access PW: Example

        The following example shows broadcast and multicast storm control configuration on an access PW under a VPLS bridge.

        RP/0/RSP0/CPU0:router# show run 
        l2vpn
         bridge group bg_storm_pw
          bridge-domain bd_storm_pw
           interface Bundle-Ether101
           !
           neighbor 10.10.30.30 pw-id 1
            storm-control unknown-unicast pps 120
            storm-control multicast pps 110
            storm-control broadcast pps 100
           !
          !
         !
        !
         
        RP/0/RSP0/CPU0:router# show l2vpn bridge-domain group bg_storm_pw detail
        Bridge group: bg_storm_pw, bridge-domain: bd_storm_pw, id: 2, state: up, ShgId: 0, MSTi: 0
          MAC learning: enabled
          MAC withdraw: disabled
          Flooding:
            Broadcast & Multicast: enabled
            Unknown unicast: enabled
          MAC aging time: 300 s, Type: inactivity
          MAC limit: 4000, Action: none, Notification: syslog
          MAC limit reached: no
          Security: disabled
          Split Horizon Group: none
          DHCPv4 snooping: disabled
          IGMP Snooping profile: none
          Bridge MTU: 1500
          Filter MAC addresses:
          ACs: 1 (1 up), VFIs: 0, PWs: 1 (1 up)
          List of ACs:
            AC: Bundle-Ether101, state is up
              Type Ethernet
              MTU 1500; XC ID 0xfffc0003; interworking none
              MAC learning: enabled
              Flooding:
                Broadcast & Multicast: enabled
                Unknown unicast: enabled
              MAC aging time: 300 s, Type: inactivity
              MAC limit: 4000, Action: none, Notification: syslog
              MAC limit reached: no
              Security: disabled
              Split Horizon Group: none
              DHCPv4 snooping: disabled
              IGMP Snooping profile: none
              Storm Control: disabled
              Static MAC addresses:
              Statistics:
                packets: received 0, sent 5205
                bytes: received 0, sent 645420
              Storm control drop counters: 
                packets: broadcast 0, multicast 0, unknown unicast 0 
                bytes: broadcast 0, multicast 0, unknown unicast 0 
          List of Access PWs:
            PW: neighbor 10.10.30.30, PW ID 1, state is up ( established )
              PW class not set, XC ID 0xfffc0006
              Encapsulation MPLS, protocol LDP
              PW type Ethernet, control word disabled, interworking none
              PW backup disable delay 0 sec
              Sequencing not set
            PW Status TLV in use
                MPLS         Local                          Remote                        
                ------------ ------------------------------ ---------------------------
                Label        16001                          16001                         
                Group ID     0x2                            0x2                           
                Interface    Access PW                      Access PW                     
                MTU          1500                           1500                          
                Control word disabled                       disabled                      
                PW type      Ethernet                       Ethernet                      
                VCCV CV type 0x2                            0x2                           
                             (LSP ping verification)        (LSP ping verification)       
                VCCV CC type 0x6                            0x6                           
                             (router alert label)           (router alert label)          
                             (TTL expiry)                   (TTL expiry)                  
                ------------ ------------------------------ ---------------------------
              Incoming Status (PW Status TLV):
                Status code: 0x0 (Up) in Notification message
              Outgoing Status (PW Status TLV):
                Status code: 0x0 (Up) in Notification message
              Create time: 16/12/2008 00:06:08 (01:00:22 ago)
              Last time status changed: 16/12/2008 00:35:02 (00:31:28 ago)
                MAC withdraw message: send 0 receive 0
              Static MAC addresses:
              Statistics:
                packets: received 0, sent 0
                bytes: received 0, sent 0
              Storm control drop counters: 
                packets: broadcast 0, multicast 0, unknown unicast 0 
                bytes: broadcast 0, multicast 0, unknown unicast 0 
              MAC learning: enabled
              Flooding:
                Broadcast & Multicast: enabled
                Unknown unicast: enabled
              MAC aging time: 300 s, Type: inactivity
              MAC limit: 4000, Action: none, Notification: syslog
              MAC limit reached: no
              Security: disabled
              Split Horizon Group: none
              DHCPv4 snooping: disabled
              IGMP Snooping profile: none
              Storm Control:
               Broadcast: enabled(100)
               Multicast: enabled(110)
               Unknown unicast: enabled(120)
        

        Configuring Traffic Storm Control on the Bridge Domain: Example

        This section contains configuration examples for configuring traffic storm control on the bridge domain:

        Configuring Storm Control for Broadcast Traffic: Example

        This example shows how to configure storm control for broadcast traffic.

        (config)# l2vpn
        (config-l2vpn)# bridge group grp
        (config-l2vpn-bg)# bridge-domain bd
        (config-l2vpn-bg-bd)# storm-control broadcast kbps 770
        (config-l2vpn-bg-bd)# commit

        Configuring Storm Control for Multicast Traffic: Example

        This example shows how to configure storm control for multicast traffic.

        (config)# l2vpn
        (config-l2vpn)# bridge group grp
        (config-l2vpn-bg)# bridge-domain bd
        (config-l2vpn-bg-bd)# storm-control multicast pps 88
        (config-l2vpn-bg-bd)# commit

        Configuring Storm Control for Unknown-Unicast Traffic: Example

        This example shows how to configure storm control for unknown-unicast traffic.

        (config)# l2vpn
        (config-l2vpn)# bridge group grp
        (config-l2vpn-bg)# bridge-domain bd
        (config-l2vpn-bg-bd)# storm-control unknown-unicast kbps 1280
        (config-l2vpn-bg-bd)# commit

        Additional References

        For additional information related to implementing traffic storm control, refer to the following references.

        Related Documents

        Related Topic

        Document Title

        MPLS Layer 2 VPNs

        Implementing MPLS Layer 2 VPNs on Cisco ASR 9000 Series Router module in the Cisco ASR 9000 Series Aggregation Services Router MPLS Configuration Guide.

        MPLS VPLS bridges

        Implementing Virtual Private LAN Services on Cisco ASR 9000 Series Router module in the Cisco ASR 9000 Series Aggregation Services Router MPLS Configuration Guide

        Getting started material

        Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide

        Standards

        Standards

        1

        Title

        No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

        1 Not all supported standards are listed.

        MIBs

        MIBs

        MIBs Link

        To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http:/​/​cisco.com/​public/​sw-center/​netmgmt/​cmtk/​mibs.shtml

        RFCs

        RFCs

        Title

        No new or modified RFCs are supported, and support for existing RFCs has not been modified.

        Technical Assistance

        Description

        Link

        The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

        http:/​/​www.cisco.com/​techsupport