Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference, Release 5.1.x
Traffic Storm Control Commands

This module describes the Cisco IOS XR software commands used to configure traffic storm control under Virtual Private LAN Service (VPLS) bridge domains.

For detailed information about traffic storm control concepts, configuration tasks, and examples, see the Implementing Traffic Storm Control module in the Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide.

storm-control

To enable traffic storm control on an access circuit (AC) or access pseudowire (PW) under a VPLS bridge, use the storm-control command in l2vpn bridge group bridge-domain access circuit configuration mode or l2vpn bridge group bridge-domain pseudowire configuration mode. To disable traffic storm control, use the no form of this command.

storm-control { broadcast | multicast | unknown-unicast } { pps pps value | kbps kbps value }

no storm-control { broadcast | multicast | unknown-unicast } { pps pps value | kbps kbps value }

Syntax Description

broadcast

Configures traffic storm control for broadcast traffic.

multicast

Configures traffic storm control for multicast traffic.

unknown-unicast

Configures traffic storm control for unknown unicast traffic.

  • Traffic storm control does not apply to bridge protocol data unit (BPDU) packets. All BPDU packets are processed as if traffic storm control is not configured.
  • Traffic storm control does not apply to internal communication and control packets, route updates, SNMP management traffic, Telnet sessions, or any other packets addressed to the router.

pps pps value

Configures the packets-per-second (pps) storm control threshold for the specified traffic type. Valid values range from 1 to 160000.

kbps kbps value

Configures the storm control threshold in kilobits per second (kbps) for the specified traffic type. Valid values range from 64 to 1280000.

Command Default

Traffic storm control is disabled by default.

Command Modes

l2vpn bridge group bridge-domain access circuit configuration

l2vpn bridge group bridge-domain pseudowire configuration

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Release 5.1

Support for storm control configuration at the bridge-domain level was introduced. The kbps unit for storm control thresholds was also introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Traffic storm control provides Layer 2 port security under a VPLS bridge by preventing excess traffic from disrupting the bridge. Traffic storm control can be enabled on ACs and PWs under a VPLS bridge. Traffic storm control monitors incoming traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any 1-second interval.

For each AC and PW port, you can enable traffic storm control for three types of traffic: broadcast, multicast, and unknown unicast.

The thresholds are configured as a packets-per-second (pps) rate or a kilobits-per-second (kbps) rate. When the traffic of the specified type reaches the configured threshold, the port drops additional packets of that traffic type arriving at that port for the remainder of the 1-second interval. At the beginning of a new 1-second interval, traffic of the specified type is allowed to pass on the port again.

The 1-second interval is set in the hardware and is not configurable. Use the pps keyword to configure the maximum number of packets, or the kbps keyword to configure the maximum number of kilobits, allowed during each 1-second interval.

Drop counters maintain a cumulative count of the number of packets dropped because the threshold was reached.

Use the show l2vpn bridge-domain command to view all configured traffic storm control thresholds under a bridge and to view the current value of the storm control drop counters.


Note

From Release 5.1, storm control can be configured at both the bridge-domain level and the bridge-port level. When both are configured, the storm control configured at the bridge-port level always takes precedence.


There is no restriction on the unit in which you configure storm control; mixing pps and kbps thresholds under the same bridge domain or bridge port is allowed. However, the hardware polices in only one of the two units, chosen by the ingress line card:

  • If the ingress line card is an ASR 9000 Ethernet Line Card, the pps unit is used.
  • If the ingress line card is an ASR 9000 Enhanced Ethernet Line Card or a newer line card, the kbps unit is used.

Note

The ASR 9000 Ethernet Line Card does not support bandwidth-based policing in kbps. However, a kbps policing configuration is still accepted on the ASR 9000 Ethernet Line Card; the configured kbps value is then converted to pps with an assumed packet size of 1000 bytes.
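To make the precedence and unit-conversion rules concrete, the following Python model is an added illustration, not Cisco code. It applies the 1000-bytes-per-packet figure the reference gives for kbps-to-pps conversion, and uses the same figure in the pps-to-kbps direction, which is what the sample output later on this page shows (a 100 pps broadcast threshold displayed as 800 kbps); the line-card labels passed as `card` are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

BYTES_PER_PACKET = 1000   # conversion assumption stated in the reference
RANGES = {"pps": (1, 160000), "kbps": (64, 1280000)}   # CLI ranges from the syntax table


@dataclass(frozen=True)
class Threshold:
    unit: str    # "pps" or "kbps"
    value: int


def validate(t: Threshold) -> Threshold:
    """Reject values outside the ranges the CLI accepts."""
    low, high = RANGES[t.unit]
    if not low <= t.value <= high:
        raise ValueError(f"{t.unit} {t.value} outside {low}-{high}")
    return t


def kbps_to_pps(kbps: int) -> int:
    # kbps * 1000 bits / (1000 bytes * 8 bits per byte) == kbps // 8
    return kbps * 1000 // (BYTES_PER_PACKET * 8)


def pps_to_kbps(pps: int) -> int:
    # pps * 1000 bytes * 8 bits / 1000 == pps * 8
    return pps * BYTES_PER_PACKET * 8 // 1000


def effective_threshold(domain: Optional[Threshold], port: Optional[Threshold],
                        card: str) -> Optional[Threshold]:
    """Resolve what the hardware polices for one traffic type on one bridge port.

    card is a hypothetical label: "ethernet" stands for the ASR 9000 Ethernet
    Line Card (polices in pps); anything else for Enhanced Ethernet or newer
    cards (police in kbps). The port-level threshold always wins over the
    bridge-domain threshold.
    """
    chosen = port if port is not None else domain
    if chosen is None:
        return None
    validate(chosen)
    native = "pps" if card == "ethernet" else "kbps"
    if chosen.unit == native:
        return chosen
    if native == "pps":
        return Threshold("pps", kbps_to_pps(chosen.value))
    return Threshold("kbps", pps_to_kbps(chosen.value))


def dropped_in_interval(arrivals: int, limit_pps: int) -> int:
    """Packets dropped within one 1-second interval: everything beyond the
    threshold. The count restarts at the next interval, so nothing carries over."""
    return max(0, arrivals - limit_pps)
```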


Task ID

Task ID

Operations

l2vpn

read, write

Examples

The following example enables two traffic storm control thresholds on a pseudowire:

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)# bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# neighbor 1.1.1.1 pw-id 100
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)# storm-control broadcast pps 4500
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)# storm-control multicast pps 500
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)# commit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)# end

Examples

This example shows how to enable traffic storm control on a bridge domain:

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)# bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# storm-control unknown-unicast kbps 1280
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# commit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# end

Examples

This example shows how to enable traffic storm control on a bridge EFP port:

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)# bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# interface GigabitEthernet 0/1/0/18
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)# storm-control broadcast pps 70000
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)# commit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)# end

Related Commands

Command

Description

show l2vpn forwarding hardware ingress detail location

Displays detailed ingress hardware forwarding information, including storm control configuration and drop counters, for the specified location.

debug l2vpn forwarding platform vpls all location

Displays debugging information about the L2VPN forwarding Virtual Private LAN Service (VPLS) platform at a specified location.

show l2vpn forwarding hardware ingress detail location

To display detailed ingress hardware forwarding information for a specified location, use the show l2vpn forwarding hardware ingress detail location command in EXEC mode.

show l2vpn forwarding hardware ingress { debug | detail | location | private } location

Syntax Description

debug

Specifies debug information.

detail

Specifies detailed information.

location

Specifies a location.

private

Specifies a private location.

Command Default

None

Command Modes

EXEC

Command History

Release

Modification

Release 5.1

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID

Operations

l2vpn

read

Examples

This is sample output from the show l2vpn forwarding hardware ingress detail location command, with the following configuration on the bridge domain:

l2vpn
 bridge group vpls
  bridge-domain bd1999
   storm-control unknown-unicast kbps 5000
   storm-control broadcast pps 100
   interface TenGigE0/0/0/2.1999
    storm-control unknown-unicast pps 50
   !
   neighbor 98.98.98.98 pw-id 1999
   !
  !
 !
!


RP/0/RP0/CPU0:VKG100#sh l2vpn for br vpls:bd1999 hard ing det loc 0/0/CPU0

Bridge-domain name: vpls:bd1999, id: 1998, state: up
MAC learning: enabled
MAC port down flush: enabled
Flooding:
Broadcast & Multicast: enabled
Unknown unicast: enabled
MAC aging time: 300 s, Type: inactivity
MAC limit: 4000, Action: none, Notification: syslog
MAC limit reached: no
MAC Secure: disabled, Logging: disabled
DHCPv4 snooping: profile not known on this node
Dynamic ARP Inspection: disabled, Logging: disabled
IP Source Guard: disabled, Logging: disabled
IGMP snooping: disabled, flooding: enabled
MLD snooping: disabled, flooding: disabled
Storm control
broadcast: enabled (100 pps)
multicast: disabled
unknown unicast: enabled (5000 kbps)
P2MP PW: disabled
Bridge MTU: 1500 bytes
Number of bridge ports: 2
Number of MAC addresses: 2
Multi-spanning tree instance: 0

Platform Bridge context:
Ingress Bridge Domain: 1998, State: Created
static MACs: 0, port level static MACs: 0, MAC limit: 4000, current MAC limit: 4000,
MTU: 1500, MAC limit action: 0
Rack 0 FGIDs:shg0: 0x00000800, shg1: 0x00000804, shg2: 0x00000804
Rack 1 FGIDs:shg0: 0x00000000, shg1: 0x00000000, shg2: 0x00000000
Flags: Virtual Table ID Disable
Rack: 0, Physical slot: 2, shg 0 members: 1, shg 1 members: 0, shg 2 members: 0
Rack: 0, Physical slot: 11, shg 0 members: 1, shg 1 members: 0, shg 2 members: 0


Platform Bridge HAL context:
NP mask: 0x0001, mgid index: 2511, learn key: 2
NP: 0, shg 0 members: 1, shg 1 members: 0, shg 2 members: 0
MAC limit counter index: 0x00f0a154

Platform Bridge Domain Hardware Information:

Storm Control Configuration: Broadcast: 800 kbps, Multicast: Disabled, Unknown Unicast: 5000 kbps,
Traffic Type | Status |kbps |Profile Index|Token Bucket ID|Profile ID|NP
--------------------------------------------------------------------------------
Broadcast |Config |800 |4185 |0xe71059 |52 |0
Multicast |Config |800 |4186 |0xe7105a |52 |0
Unknown Unicast|Config |5000 |4187 |0xe7105b |53 |0

Bridge Domain: 1998 NP 0
Flags: Virtual Table, Learn Enable, Megatron FGID
Num Members: 1, Learn Key: 0x02, Half Age: 5
fgid shg0: 0x0800, fgid shg1: 0x0804, fgid shg2: 0x0804, mgid index: 2511

Bridge Member 0, copy 0
Flags: Active, XID: 0x0316f7cb
Bridge Member 0, copy 1
Flags: Active, XID: 0x0316f7cb
Bridge Domain: 1998 NP 1
Flags: Virtual Table, Learn Enable, Megatron FGID
Num Members: 0, Learn Key: 0x02, Half Age: 5
fgid shg0: 0x0800, fgid shg1: 0x0804, fgid shg2: 0x0804, mgid index: 2511

Bridge Domain: 1998 NP 2
Flags: Virtual Table, Learn Enable, Megatron FGID
Num Members: 0, Learn Key: 0x02, Half Age: 5
fgid shg0: 0x0800, fgid shg1: 0x0804, fgid shg2: 0x0804, mgid index: 2511

Bridge Domain: 1998 NP 3
Flags: Virtual Table, Learn Enable, Megatron FGID
Num Members: 0, Learn Key: 0x02, Half Age: 5
fgid shg0: 0x0800, fgid shg1: 0x0804, fgid shg2: 0x0804, mgid index: 2511

Bridge Domain: 1998 NP 4
Flags: Virtual Table, Learn Enable, Megatron FGID
Num Members: 0, Learn Key: 0x02, Half Age: 5
fgid shg0: 0x0800, fgid shg1: 0x0804, fgid shg2: 0x0804, mgid index: 2511

Bridge Domain: 1998 NP 5
Flags: Virtual Table, Learn Enable, Megatron FGID
Num Members: 0, Learn Key: 0x02, Half Age: 5
fgid shg0: 0x0800, fgid shg1: 0x0804, fgid shg2: 0x0804, mgid index: 2511



TenGigE0/0/0/2.1999, state: oper up
Number of MAC: 0
Statistics:
packets: received 120498, sent 122597
bytes: received 7711872, sent 7846208
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 3731
bytes: broadcast 0, multicast 0, unknown unicast 238784
Dynamic arp inspection drop counters:
packets: 0, bytes: 0
IP source guard drop counters:
packets: 0, bytes: 0
Platform Bridge Port context:
Ingress State: Bound
Flags: None

Platform AC context:
Ingress AC: VPLS, State: Bound
Flags: Storm Control UCast, Port Level MAC Limit
XID: 0x0316f7cb, SHG: None
Ingress uIDB: 0x07f4, Egress uIDB: 0x07f4, NP: 0, Port Learn Key: 0
Slot flood mask rack 0: 0x400000 rack 1: 0x0 NP flood mask: 0x0001
NP0
Ingress uIDB:
Flags: L2, Status, Racetrack Eligible, VPLS
Stats Ptr: 0x000000, uIDB index: 0x07f4, Wire Exp Tag: 2
BVI Bridge Domain: 0, BVI Source XID: 0x00000000
VLAN1: 0, VLAN1 etype: 0x0000, VLAN2: 0, VLAN2 etype: 0x0000
L2 ACL Format: 0, L2 ACL ID: 0, IPV4 ACL ID: 0, IPV6 ACL ID: 0
QOS ID: 0, QOS Format ID: 0
Local Switch dest XID: 0x0316f7cb
UIDB IF Handle: 0x044073c2, Source Port: 0, Num VLANs: 0
Xconnect ID: 0x0316f7cb, NP: 0
Type: AC
Flags: Learn enable, Unknown unicast storm control, VPLS
uIDB Index: 0x07f4
Bridge Domain ID: 1998, Stats Pointer: 0xf48954
Storm Control enabled for: Unknown Unicast, Pointer: 0x00e9fe59
Split Horizon Group: None
Bridge Port : Bridge 1998 Port 0
Flags: Active Member
XID: 0x0316f7cb
Bridge Port Virt: Bridge 1998 Port 0
Flags: Active Member
XID: 0x0316f7cb
Storm Control Configuration: Broadcast: Disabled, Multicast: Disabled, Unknown Unicast: 50 pps,
Traffic Type | Status | pps |Profile Index|Token Bucket ID|Profile ID|NP
--------------------------------------------------------------------------------
Broadcast |Config |48 |196185 |0xe9fe59 |54 |0
Multicast |Config |48 |196186 |0xe9fe5a |54 |0
Unknown Unicast|Config |48 |196187 |0xe9fe5b |54 |0
RP/0/RP0/CPU0:VKG100#
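As an added example (not part of the reference), this Python parser reads the per-port "Storm control drop counters" section from output in the format shown above and reports which ports are dropping which traffic type, with the average size of the dropped packets. The sample text is constructed from the output above; the second port and its zero counters are invented to show a clean result.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the show output above.
SAMPLE = """\
TenGigE0/0/0/2.1999, state: oper up
Number of MAC: 0
Statistics:
packets: received 120498, sent 122597
bytes: received 7711872, sent 7846208
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 3731
bytes: broadcast 0, multicast 0, unknown unicast 238784
Dynamic arp inspection drop counters:
packets: 0, bytes: 0
TenGigE0/0/0/3.1999, state: oper up
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
"""

PORT_RE = re.compile(r"^(\S+), state: oper (?:up|down)$")
COUNTER_RE = re.compile(
    r"^(packets|bytes): broadcast (\d+), multicast (\d+), unknown unicast (\d+)$")


def parse_storm_drops(text: str) -> Dict[str, Dict[str, Dict[str, int]]]:
    """Return {port: {"packets": {type: n}, "bytes": {type: n}}} per bridge port."""
    result: Dict[str, Dict[str, Dict[str, int]]] = {}
    port, in_block = None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:                                   # a new bridge port section starts
            port, in_block = m.group(1), False
            continue
        if line == "Storm control drop counters:":
            in_block = True
            continue
        m = COUNTER_RE.match(line)
        if in_block and port and m:
            kind = m.group(1)
            b, mc, uu = (int(x) for x in m.group(2, 3, 4))
            result.setdefault(port, {})[kind] = {
                "broadcast": b, "multicast": mc, "unknown unicast": uu}
        elif in_block and line.endswith(":"):   # next counter section (e.g. DAI)
            in_block = False
    return result


def ports_with_drops(drops, min_packets: int = 1) -> List[Tuple[str, str, int, int]]:
    """(port, traffic type, dropped packets, average dropped packet size in bytes)."""
    hits = []
    for port, c in drops.items():
        for ttype, pkts in c.get("packets", {}).items():
            if pkts >= min_packets:
                hits.append((port, ttype, pkts, c["bytes"][ttype] // pkts))
    return hits
```

On the page's own numbers the dropped unknown-unicast packets average 64 bytes, far below the 1000-byte packet size assumed when a kbps threshold is converted to pps on an Ethernet Line Card, so for small-packet traffic the converted pps limit admits much less bandwidth than the configured kbps figure suggests.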

Related Commands

Command

Description

debug l2vpn forwarding platform vpls all location

Displays debugging information about the L2VPN forwarding Virtual Private LAN Service (VPLS) platform at a specified location.

storm-control

Enables traffic storm control on a bridge domain, bridge port EFP, or access pseudowire.

debug l2vpn forwarding platform vpls all location

To display debugging information about the L2VPN forwarding Virtual Private LAN Service (VPLS) platform at a specified location, use the debug l2vpn forwarding platform vpls all location command in EXEC mode. To disable debugging, use the no form of this command.

debug l2vpn forwarding platform vpls all location location

no debug l2vpn forwarding platform vpls all location location

Syntax Description

location

Location to display debugging information.

Command Default

None

Command Modes

EXEC

Command History

Release Modification
Release 5.1

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID

Operations

root-system

read, write

Related Commands

Command

Description

show l2vpn forwarding hardware ingress detail location

Displays detailed ingress hardware forwarding information, including storm control configuration and drop counters, for the specified location.

storm-control

Enables traffic storm control on a bridge domain, bridge port EFP, or access pseudowire.